Woah!... thats a bit of a shocker...
The downside of course is that no-one will have the heart to tell the patients...
Pacemakers and implanted defibrillators are vulnerable to wireless attacks that could kill tens of thousands, says the security researcher best known for "jackpotting" an ATM on stage at the BlackHat security conference in Las Vegas in 2010. The researcher in question, Barnaby Jack, today told the Ruxcon Breakpoint security …
In the past, wireless technology was not in the reach of individuals, so companies did not even consider securing their pacemakers and such. It is sad in these days of technology, there are those who are desperate to commit heinous crimes can do so with such ease. Before, to steal millions of pounds, you had to plan a bank robbery that involved arranging getaway drivers and such. Nowadays it can be a one man job and clicks of mouse and keyboard.
In these times, it is imperative that everyone from the ground up actually learn to improve their systems to be secure. You also have to be able to maintain your system because the cracker will always want to crack the system, so be ready to update the system with better security.
I guess as a short term measure, they will have to get those wearing pacemakers and such to wear some kind of Faraday's cage around their chest area. I hope no one patents this because there is prior art here.
Karen Sandler is currently Executive Director of the Gnome Foundation and previously worked for the Software Freedom Law Center, so she has a considerable background in open source software.
She also has a heart condition and her cardiologist advised her to get an implanted defibrillator. Which contains software. She asked to see the source code to independently verify the quality of the code that purports to possibly save her life. As the original article says, this code just might kill her.
Here's her story of what happened next.
Then again, if I needed one of these and I could have the (really complex) secure one or the (really simple) reliable one and my life depends on it - not sure that the worry that someone would hack me would come into the decision process.
Remember that the probability of death by hacking is substantially lower than the probability of death by heart failure if you actually have one of these.
Can't we have a third option: nonreprogrammable and reliable, like the ones they made in the 1970s and 1980s? Nothing to be hacked, short of opening your chest cavity. Completely secure, but by being dumb not by being "secure", like the unbreakable firewall known as an air gap.
Sometimes less is more.
@Frank ly: I haven't read the talk, but I'm curious as to the whole technician can read your heart rate as soon as you walk into the room thing, because I've heard so many people who should know better insisting that NFC can work over the distance of a car park. The energy involved in transmitting a signal that far would be really quite large for a device which you don't want to be big or, ideally, store any more energy than it should.
I have read about these devices a few times though and never heard anything that suggests anything except putting a big coil onto your skin will work.
My Pacemaker (Medtronic 4194) was implanted in 2009, and, for the curious, sits just below my shoulder blade. During my annual checkup, the reader, a small PC mouse-shaped device is perched over the scar. It's positioning is quite delicate, and 1/2" out of place will see the comms drop off.
So, tor the moment, this is restricted to an attack via the hospital equipment, or a prolonged personal attack (Asleep, passed out in a bar etc)
Whilst the devices will improve their range, this will require a bigger battery. As there is no wireless charging option available yet, this requires a re-fit every 7-10 years.
Hold on, this sounds familiar...... Fixed battery, dedicated software analysis by a "technician", expensive to install, difficult to service, proprietary software, limited connectivity - damn it - I have seem to have an iPacemaker.
There are indeed changes in the industry starting to take "violent hacking" into account. That's an issue that people should push the lawmakers to accelerate - and their doctors to take into account when ordering devices: make a tender redline and it will indeed happen.
But as to her greater point: do you have the right to propriety IP in a device implanted in you? You certainly have the right not to have the device at all, and they have the right not to sell it to you (so long as that isn't in a discriminatory manner), notr withdraw your rights to use it once it's in there. But do you have the right to their IP work? Its complex stuff and doesn't get done for free. "It's going to go in me, so yes" is certainly a fair and understandable POV. But it isn't the only one.
Alas, this probably comes doen to private/public sector issues: if the private sector did the work, its theirs. If the public sector did the work, it's the publics (yours). So if you want it, get your universities to do the leg work building it and you can have it.
Private industry and medicine have a lot of issues and this is only one - a small one given what big phara gets up to.
I have an implantable pacemaker inside me and had similar discussions with my surgeon when I asked how the 'blended sensor' technology worked. I was told that although he installs several devices a day....he has no idea how they work. That of course raises the question 'if they don't know how they work how are you sure that the device they implant will do the job your require? Now ten months after surgery with no issues they are still trying to adjust it to give me back my healthy lifestyle where I want my heart rate to be able to up to 170 bps. They have finally admitted that they aren't sure how to adjust it. The teams are used to old and unhealthy clients that are pretty much just ticking over. I on the other hand am active and work my pacemaker up to the physical limitations that they pace team have set.
As for hacking I'm not too worried at this point in time. I'm happy that studies like this have appeared. http://www.secure-medicine.org/icd-study/icd-study.pdf But someone who might want to kill me will have to be so close to do it that they could shiv me in the shower! Future devices will have more security and like Karen Sandler says in her keynote address the proprietary nature of the devices and the firmware running on them is the issue. I work with hardware engineers and I see the types of bugs that arise. in my case if the pacemaker does stop working I won't die anyway so it's not too much of an issue either. But to someone that really relies on these devices I would be concerned.
819 internet scams. "Pay us $50,000 or we make your pacemaker electrocute you"
On the flip side, maybe people will be more careful about their choice of pacemaker /etc provider, and choose one with better security after some of the cheapskates drop dead after a drive by pacenuking.
Only the Difibrilator type put supply this voltage. In this case if the patients heart stops a shock has to be given like the paddles used externally except they are even higher. The voltage has to be high enough to cause a sufficient contraction of the heart muscle to stimulate the heart into pumping again.
When CPR is given the compressions often break ribs in the patient as the pressure has to be significant enough from the outside to pump the heart.