The new research comes from Barnaby Jack, a security vendor for IOActive. Jack has previously uncovered other weaknesses in medical computer security, including vulnerabilities in insulin-delivering devices. The weakness, according to Jack, centers on the wireless nature of communication with the pacemaker. Clearly, a doctor cannot conduct open-heart surgery just to change a pacemaker’s settings, but with remote access, one can easily change how a pacemaker performs.
So the issue is this: when a pacemaker manufacturer skimps on security for their wireless software, they leave an opening for hackers with wireless devices to attack.
The likelihood of a hacker knowing that their target has a pacemaker and exploiting this vulnerability might be slim, but the opportunity is still there and the implications are scary indeed. We spend so much time and effort making sure that our credit card numbers and email passwords are secure, and yet there are pacemakers that can be hacked by anybody with a two-hundred-dollar laptop.
Jack demonstrated the hack in a video. The audible “pop!” noise when the 830-volt transmission hit the pacemaker was a real showstopper.
In the past, electronic implants were operated with a wand that had to be moved in very close proximity to a patient. Now, the trend is to go wireless, which means that a doctor could operate on a patient’s pacemaker from across the hospital if need be. Though this means greater convenience for medical staff and patients alike, as well as a faster response time in an emergency, it also extends the range from which the device is vulnerable. Someone who gets close enough to use a wand to stop your heart is close enough to do the same with a knife, but the truly frightening thing about this hack is that it allows someone to end a life from across the street.
In short, while the hack might well never be used in reality, it is an opportunity for somebody to commit murder almost risk-free. A hacker sitting in a public library could send the signal towards his target, and it could be days before anybody realizes that it wasn’t just a normal heart attack. There may never be a murder investigation, as it’s easy to chalk the incident up to a hardware failure on the part of the pacemaker manufacturer.
With millions of pacemakers in use right now, the potential for a serial-killer virus isn’t too hard to fathom. The pressure is on pacemaker manufacturers to create devices with firmware that is harder to crack in order to keep their customers safe.
Luckily, the hack won’t work on most pacemakers, but medical device manufacturers need to bear software security in mind as we move deeper into the digital age. There was a time when the technology was too expensive and primitive for a random hacker to kill with the flip of a switch, but we’ve now officially crossed that threshold.