Pacemakers, other implanted devices, vulnerable to lethal attacks
Editor’s Note: The imperative of medical cybersecurity is discussed on Regulatory Cyber Security/FISMA Focus here, here and here.
From: Homeland Security Newswire
IT experts reported that security flaws in pacemakers and defibrillators could be putting lives at risk; the experts say that many of these devices are not properly secured and therefore are vulnerable to hackers who may want to commit an act that could lead to multiple deaths
IT experts reported that security flaws in pacemakers and defibrillators could be putting lives at risk. The experts say that many of these devices are not properly secured and therefore are vulnerable to hackers who may want to commit an act that could lead to multiple deaths.
The Sydney Morning Herald reports that Baranby Jack, a famous hacker, hacked into a pacemaker last month at the Breakpoint security conference in Melbourne, Australia and was able to deliver an 830-volt jolt to a pacemaker by logging into it remotely after hacking the device. Jack, however, did not reveal which models were vulnerable to hackers.
Jack was able to hack the device because many implanted medical devices use wireless technology and authentication which uses a name and a password, which is the serial and model number of the device. According to Jack, most medical devices are designed to be easy to access by a doctor who may need to change something quickly in case of an emergency.
Jack was able to find secret commands that doctors use in order to send a “raw packet” of data over the airwaves to find any pacemaker or defibrillator in a specific range and have it respond with its serial and model number. The information allows a hacker or terrorist to authenticate a device to receive data and perform commands.
This means they can send a command to jolt the heart of multiple devices and, in some cases, in a range of up to twelve meters, meaning that a person can send the command from a private destination such as an airport bathroom or coffee shop without being noticed.
“People with these devices should be very concerned,” Patrick Gray, a specialist security journalist told the Sydney Morning Herald.
“I can’t think of a good reason why an implantable medical device needs to be wirelessly readable at 10 meters, but hey, maybe that’s just me.”
According to Gray, the only thing preventing these sorts of attacks was the fact that people were not motivated to perpetrate them.
The U.S.Government Accountability Office(GAO) released a reportthat highlighted problems with the security of medical devices,and called upon the Food and Drug Administration(FDA), which is responsible for the safety of medical devices in the United States,to ensure devices are secure from these attacks.
“In commenting on a draft of this report, [the] FDA said it intends to reassess its approach for evaluating software used in medical devices, including an assessment of information security risks,” the GAO report said. AndrewMcGavigan, the chairman of the Cardiac Society of Australia and New Zealand, said people must remember that “millions of patients have benefited from implantable cardiac devices over the last few decades.” There has never been a reported case of a person being harmed by someone maliciously altering their implantable medical device, McGavigan told the Herald.
Print article |