Norton & McAfee Are Pending Release of a ‘Warning’
Implantable medical devices are often programed by radio frequency from outside the body. We’re talking about things like pacemakers, internal defibrillators, spinal cord simulators amongst other devices.
The example devices I cited above send little electrical shocks to various parts of your body (the heart in the case of the first two and the cord in the case of the latter). The generators that send the electricity can be programed to send various energy levels or to send at various frequencies or to send to various electrodes. There are a whole host of ‘options’ which can be customized. When you need to customize those options you don’t want to have to open up the patient and physically fiddle with the implanted generator.
Instead, these devices come with little (often wand shaped) computers, which you can put over the site of the generator on the external skin. The computer sends radio signals to reprogram (or even turn on or off) the generator.
Turns out that communication between the computer and the generator for the pacemaker or defibrillator or SCS is in no way encrypted.
Hopefully you see where this is leading. A team of computer scientists from the University of Massachusetts – Amherst and the University of Washington built their own little computer to talk to a commercial pacemaker and successfully reprogrammed it (including turning it on and off) inside a simulated human body. They hacked a pacemaker.
Fu and Halperin said they used a cheap $1,000 system to mimic the control mechanism. It included a software radio, GNU radio software, and other electronics. They could use that to eavesdrop on private data such as the identity of the patient, the doctor, the diagnosis, and the pacemaker instructions. They figured out how to control the pacemaker with their device.
“You can induce the test mode, drain the device battery, and turn off therapies,” Halperin said.
This type of disclosure of ‘security holes’ by computer scientists on the good side of the aisle is common practice. The idea being they want to discover it, disclose it, force someone to fix it before someone malicious discovers the hack and does something bad with it.
Although they disclose the details of their endeavor entirely in their published paper and make their feat reproducible, it isn’t time to freak out. The hack is a complex and limited thing. It isn’t like someone on a NYC subway is going to have their pacemaker turned off tomorrow from across the car. Still, it is something serious which poses a small but real risk for patients and a liability for device makers.