There seems to be no end to the willingness of some human beings to use technology to evil ends, as evidenced by the latest medical scare to come to the world’s attention. Hackers have discovered a way to access pacemakers and implantable cardioverter-defibrillators (ICD) and send lethal shocks to the patient or cause insulin pumps to release a fatal overdose into a person’s body.
The frightening possibilities were recently revealed by Australian white hat hacker, Barnaby Jack, during his speech to the Breakpoint Security Conference in Melbourne. Jack is a researcher for the security vendor, IOActive, and he is responsible for investigating the security risks of high tech medical devices. In a previous research project, he identified the vulnerabilities of the surgically implanted insulin pump.
Pacemakers and ICDs are in widespread use throughout the world. In the last six years, over five million pacemakers have been sold in the United States alone, with millions more purchased in other nations. Although it takes technical expertise to hack into a medical device, the threat is real and it can be quite deadly.
Mr. Jeffers, the CEO of an imaginary international conglomerate, has a pacemaker. A business rival is losing millions of dollars to the leadership skills of Mr. Jeffers and the frustrated competitor decides to hire an unscrupulous private investigator to research the make and model of the pacemaker implanted in Jeffers’ chest.
Once the information is acquired, any computer expert with a reasonable amount of skill can use the data to electronically murder Mr. Jeffers. Pacemakers are designed to be re-calibrated with a wand that accesses the device’s internal software by wireless transmission. Re-calibration is normally done by medical personnel within a yard or two of the patient, but the wand has a range of 30 to 50 feet.
Jeffers has a big meeting in Tokyo, and he awaits the call to board his flight in the first class lounge at New York’s JFK International Airport. As he enjoys his diet soda and reads the Wall Street Journal, Jeffers doesn’t give the woman working on a laptop a second thought. Suddenly, Jeffers clutches his chest, his face twists into a mask of pain and he falls over dead.
The successful businessman has just been murdered by a simple signal sent from the laptop to his pacemaker that released an 830 volt shock directly into his heart. The jolt contained enough power that an audible pop was heard by everyone sitting in the first class lounge. Panic ensued, the airline’s hostess called emergency services and the hacker nonchalantly closed her computer, walked out of the lounge and left the airport.
We will leave out any further technical details of our imaginary scenario, but readers now have a basic idea of the risks involved if a hacker decides to go after someone wearing a pacemaker or an insulin pump. Think about the possibilities in the relatively new field of cyber warfare: hacking medical devices to kill generals or to overthrow an uncooperative leader in a bloodless coup.
Some medical equipment companies wonder if revealing the existence of the security risks only makes the problem worse and they think Barnaby Jack should have privately warned the manufacturers of the devices he was able to hack. However, considering the long history of unscrupulous behavior by pharmaceutical and medical companies, making the risks public without revealing the names of the actual companies puts serious pressure on the industry to fix the problem in a prompt and responsible manner.
MIT, one of the world’s most prestigious universities, published a terrifying article on the abysmal situation in American hospitals concerning the safety of implanted medical devices. Researchers discovered that hospitals are rampant with malware infections on computerized medical equipment, and many institutions are running operating systems that are years out of date. Device manufacturers lock their software into one particular build of Windows and then forbid the hospitals to install updates on those computers.
According to Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, the issue is commonplace in many hospitals.
“In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews.”
Barnaby Jack and Kevin Fu are modern-day warriors, working quietly to protect the health and safety of patients from the murderous intentions of unsavory characters. Jack expressed his concern about the risks of hacking medical devices, including the possibility of a worm or virus that could infect the wand used in a hospital to reprogram implanted medical devices, gradually killing dozens of patients.
“We are potentially looking at a worm with the ability to commit mass murder. It’s kind of scary.”
“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range.”
“My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security of their code and not just the traditional safety mechanisms of these devices.”
As one audience member said after hearing Barnaby Jack’s presentation on the hacking risks of implanted medical devices:
“There’s no muzzle flash with a laptop.”