As we become more and more reliant on active, implanted biotechnology the opportunities for malicious manipulation of such rise. The hacking of medical devices isn’t a new threat. I’ve commented on it, as have publications more prominent than this blog. The issue has taken on enough of intellectual seriousness that it has prompted the creation of a multi-institutional center, the Medical Device Security Center. In 2008 that group published a method of wirelessly accessing information from some models of pacemakers and then injecting active attacks to change the performance of the pacemakers. After publication they presented the same at Defcon.
At the Black Hat Conference last year an independent researcher presented a theoretical method of wirelessly changing the serum glucose readings of an implanted diabetic pump.
An attacker could intercept wireless signals and then broadcast a stronger signal to change the blood-sugar level readout on an insulin pump so that the person wearing the pump would adjust their insulin dosage. If done repeatedly, it could kill a person. Radcliffe suggested scenarios where an attacker could be within a couple hundred feet of a victim, like being on the same airplane or on the same hospital floor, and then launch a wireless attack against the medical device. He added that with a powerful enough antenna, the malicious party could launch an attack from up to a half mile away.
The most recent, highly publicized hack devised by researchers is one concerning implantable cardiac defibrillators. At the Breakpoint conference in Australia this year,
In a video demonstration, [researcher Barnaby] Jack showed how he could remotely cause a pacemaker to suddenly deliver an 830-volt shock, which could be heard with a crisp audible pop.
In 2006, the U.S. Food and Drug Administration approved full radio-frequency based implantable devices operating in the 400MHz range, Jack said.
With that wide transmitting range, remote attacks against the software become more feasible, Jack said. Upon studying the transmitters, Jack found the devices would give up their serial number and model number after he wirelessly contacted one with a special command.
With the serial and model numbers, Jack could then reprogram the firmware of a transmitter, which would allow reprogramming of a pacemaker or ICD in a person’s body.
Any attacks on medical devices requires more than a common level of expertise but to one dedicated probably something within the ability to be self taught. There are much bigger public health issues, even within the biotechnology sphere, including the function and operating safety of such but this remains a scary prospect and one that deserves more attention. Medical device makers need to put more into the security of these devices and the FDA needs to place a focus on making sure device makers are doing such.