[Infowarrior] - Hackers could target cardiac implants

Richard Forno rforno at infowarrior.org
Wed Sep 30 14:31:44 UTC 2009 

Killer hackers could target cardiac implants
Emtech Researcher calls for tighter security
By Clive Akass
Wednesday, 30 September 2009, 13:59

http://www.theinquirer.net/inquirer/news/1556846/killer-hackers-target-cardiac-implants

A US RESEARCHER is calling for legislation to enforce tighter security  
on implanted cardiac devices after he hacked one wirelessly to produce  
a potentially fatal electric shock.

The scenario may sound like something out of a detective novel or far- 
fetched thriller movie script but the danger is real and should be  
taken seriously, says Kevin Fu, an assistant professor of computer  
science at the University of Massachusetts, who specialises in the  
security of RFID systems.

Judges at the EmTech conference in Boston took his work seriously  
enough to give him an Innovator of the Year award.

Doctors can access modern pacemakers and defibrillators over the  
Internet via a short-range wireless link similar to those used in RFID  
devices. The system allows them to monitor patients remotely and  
install software updates.

This means a hacker could access confidential medical information as  
well as reprogram the devices, Fu says.

He wrote in a recent paper: "Manufacturers point out that IMDs  
(implanted medical devices) have used radio communication for decades,  
and that they are not aware of any unreported security problems. Spam  
and viruses were also not prevalent on the Internet during its many- 
decade childhood. Firewalls, encryption, and proprietary techniques  
did not stop the eventual onslaught."

Fu and his team used off-the-shelf components to build a device that  
could write to a defibrillator and read the signals being sent to it.  
They deciphered the signals by exploiting the fact that they knew the  
patient's name.

They could then reprogram the device to give an electric shock.  
Another possibility is that a hacker could disable the power-saving  
mode so that the device's battery ran down in days rather than years.

The hacking device could be built into something the size of a  
cellphone and infect IMDs with malware randomly as the killer walked  
down the street. Millions of people use pacemaker-defibrillator devices.

Fu points out that such random attacks are not unknown. Vandals can  
cause people to have seizures by implanting flashing lights on a  
website used by epileptics; and seven people died when a killer put  
cyanide-laced painkillers on supermarket shelves in Chicago.

Nevertheless some doctors resisted when Fu first started making  
inquiries about IMD security. Has he any idea of how many of the  
devices in use are vulnerable? "That's the point," he said. "We just  
don't know." µ

More information about the Infowarrior mailing list