back to article Fatal flaws in ten pacemakers make for Denial of Life attacks

A global research team has hacked 10 different types of implantable medical devices and pacemakers finding exploits that could allow wireless remote attackers to kill victims. Eduard Marin and Dave Singelée, researchers with KU Leuven University, Belgium, began examining the pacemakers under black box testing conditions in …

  1. John Smith 19 Gold badge
    Holmes

    "Security by obscurity is a dangerous design approach"

    Indeed

    But very cheap.

    Although it's quite surprising medical devices are just as stupid about it as the usual IoS webcam and thermostat makers.

    1. Version 1.0 Silver badge

      Re: "Security by obscurity is a dangerous design approach"

      I don't find it very surprising at all - the designers simply never considered security to be important because that's not the way that they think, they are building a device that has to get through FDA software testing which is much more concerned about reliability and ensuring that things can not go wrong. Adding security simply increases the complexity and requires additional testing/verification that offers no commercial benefit so the KISS principle rules.

      Realistically this is "silly" at a basic level but assuming that you have a fail-safe design without external malevolent actors I think it's quite low risk on any individual basis. Given the cost and complexity of the attack vector, if you've really got a beef with the target it's much cheaper and easier to shoot them.

      1. Charles 9

        Re: "Security by obscurity is a dangerous design approach"

        UNLESS you're trying to make it look like a heart attack, in which case money may not be an object because life insurance and a large inheritance may be at stake. People will pay to make death look like an accident since it means they get away with it.

    2. You aint sin me, roit

      Re: "Security by obscurity is a dangerous design approach"

      Compounding the failure of security by obscurity was the "proprietary communication protocol".

      What are the thought processes that lead to "Let's make it up ourselves", instead of "I wonder if someone has done this before."?

      When is someone going to realize that in the IoT world security is a USP - something they can make money out of!

      "It's wifi-enabled, and we did it securely, following open security standards"

      1. Anonymous Coward
        Anonymous Coward

        Re: "Security by obscurity is a dangerous design approach"

        "It's wifi-enabled, and we did it securely, following open security standards"

        That's the marketing spin, but we all know that the reality is "our junior programmers tell us they did it securely, after reading the open security standards on the way home from the pub"

  2. Dwarf

    I see a market here

    Time to go off and start making 'faraday vests' for the folks who have to use these devices.

    I'm thinking 50% cotton and 50% steel wool. Due to the use of steel, you can't wash them as they will rust, so I'll adopt the razor blade approach of requiring a new one every week.

    Profit !!!!

    Seriously though when are manufacturers going to realise that there is an expected minimum in the products that they design ?

    1. Raumkraut

      Re: I see a market here

      Seriously though when are manufacturers going to realise that there is an expected minimum in the products that they design ?

      As soon as there is a legally enforcible expected minimum, which won't happen until someone in power is affected. Fortunately, people in power tend to be older, so are more likely to have a need for such devices, and so be affected by these vulnerabilities.

    2. DNTP

      Re: I see a market here

      Under a strict interpretation of local weapons laws, in my area this would count as "defensive clothing" and would be illegal to wear without somehow magically getting the police to issue you a concealed firearms permit (hint: they don't unless you're wealthy and famous).

  3. Pen-y-gors

    Nice paper title

    Although maybe "Wifi considered harmful." might be more appropriate.

    Another source of profit - take one over, trigger a few blips just to warn the wearer, and then walk with them to the nearest cash machine. Would that count as ransomware? blackmailware?

    1. Charles 9

      Re: Nice paper title

      Trouble is the blips may overshoot and KILL the wearer instead. Plus if they're old they may be war veterans meaning they'd likely fight back, preferring death to submission.

  4. Anonymous Coward
    Anonymous Coward

    With no consequenses to killing people is it any surprise?

    Without consequences greater than the profit being made, and the profit is huge, there will always be security problems.

    Worst yet in this case the whole health industry, at least in Canada, is designed to hide and not report problems. If someone was to die as a result of the medical equipment failing to protect them from mistakes, information gathering, or even an attack the death would be blamed on the health of the patient. Finding out otherwise takes considerable effort, power and money.

    Once you've seen this first hand you will know that those telling you there are systems in place to track and record such causes of death are at best misinformed or at worst complicit.

    1. This post has been deleted by its author

  5. td0s

    I'm amazed there aren't strict audit requirements on the security of these devices considering how much testing and trailling has to be done for medicine, how are these things any different?

    1. Charles 9

      Simple. Given the costs it's cheaper to bribe everyone and cover each other's kiesters when a problem DOES arise. Any attempt to use a third party (including the government itself) can have the same result because it could be THEIR turn in the hot seat next.

      IOW, it's a cartel. No one wants to play by the rules because it saves mucho dinero to cheat. And with the money involved, they can play the lawyers, judges, and lawmakers to smooth over any issues.

  6. Alan Johnson

    Need a sense of proportion

    To summarise a technically sophisticated attacker can cause serious consequences possibly death to a patient up to 5 metres away.

    So what? A technically sophisticated attacker within 5 meters can kill anyone at all.

    Why is this considered surprising or concerning?

    A pacemaker is in the highes trisk category of medical devices (class III) and the design, risk management and testing will have been looked at in detail. The risk management will have included hacking scenarios but it was probably considered that if an attacker needed to be within 5 metres, needed special equipment and needed to be technically sophisticated the risk was acceptable. At the end of the day if any of us are targeted by a determined and sophisticated attacker who has physical access to us then we are in trouble.

    1. Charles 9

      Re: Need a sense of proportion

      "So what? A technically sophisticated attacker within 5 meters can kill anyone at all."

      AND make it look like an accident? Consider inheritances and life insurance payouts.

      1. Starace

        Re: Need a sense of proportion

        They're going to have a hard job making it look like an accident when the evidence of tampering is all over the device logs.

        This is one of those lovely security scares where yes, you could do something but it's complicated, specialist and expensive and leaves a lot of evidence behind.

        And they fail to mention that they could use a strong magnetic field (or strong RF source) in similar conditions and obtain similar results without the evidence trail or the same complexity.

        But to security researchers every problem is a security problem.

        1. Charles 9

          Re: Need a sense of proportion

          "They're going to have a hard job making it look like an accident when the evidence of tampering is all over the device logs."

          Pretty sure a clever git could construe the incident and spread it out over time to hide the tampering and slip it under the radar. Or perhaps find a way to pwn the device and tamper with the logs.

    2. Fungus Bob

      Re: Need a sense of proportion

      "To summarise a technically sophisticated attacker can cause serious consequences possibly death to a patient up to 5 metres away."

      Given that pacemakers are completely enclosed in a meatbag during normal operation, the actual range may be a bit less.

      1. Charles 9

        Re: Need a sense of proportion

        "Given that pacemakers are completely enclosed in a meatbag during normal operation, the actual range may be a bit less."

        Given the equipment is both a bit exotic and pretty powerful, not to mention the receptors for these things are usually just under the skin to facilitate transmission, I'm inclined to believe the range is such INSIDE a person. Outside, I think the range would be much greater.

  7. rototype

    Brings new meaning to the term 'Hack & Slay'

    Just makes me wonder if this is the reason for the government wanting these back doors in everything - so the secret security services can assassinate a target without going anywhere near them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like