BreachExchange mailing list archives

Why We Should Worry About Hackable Hearts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 Oct 2015 13:42:15 -0600

http://motherboard.vice.com/read/why-we-should-worry-about-hackable-hearts

Sometimes, hackers make the worst patients.

A few years ago, when Marie Moe got her pacemaker, she didn’t worry too
much about the particular model her doctors chose. After all, she needed it
to survive, and trusted their judgement.

But given that Moe is a security researcher and a hacker, she got curious.
She looked up the pacemaker’s manual and found that the device she had
inside her body had wireless capabilities, something that “scares” her “a
bit.”

“That’s something that I’m very worried about,” Moe, who is in her
thirties, told Motherboard in a phone interview, “because I know a lot
about wireless security, and I know there are a lot of things that can go
wrong.”

To this day, no hacker has ever hurt anyone by hacking into someone’s
pacemaker, but several security researchers agree that it’s possible. And
yet neither the general public nor the medical industry considers it a
serious threat. That’s why Moe is sharing her experience as a hacker living
with a potentially hackable pacemaker in a talk at the Hack.Lu security
conference later this month in Luxembourg.

In 2008, a team of researchers at University of Washington and University
of Massachusetts were the first to warn about such a scenario,
demonstrating how a pacemaker could be wirelessly reprogrammed to either
shut down or deliver jolts of electricity that could kill a patient. In
2012, hacker Barnaby Jack revealed that it was possible to deliver a deadly
830-volt shock to patients who had several models of pacemakers—all from a
laptop 50 feet away.

Jack died a year later, just a few days before revealing how an attacker
could remotely kill a patient who has a wirelessly-connected defibrillator
or pacemaker by hacking into the communications system connecting those
devices to bedside monitors.

This scary possibility crossed into the mainstream in 2013, when hackers in
the TV drama Homeland killed the show’s US Vice President by turning off
his heart implant over the internet. Months later, even former US Vice
President Dick Cheney admitted to being worried, revealing that he had
asked his doctor to turn off the wireless function of his pacemaker.

But Moe doesn’t lose much sleep over the possibility. “There are easier
ways to kill me, if someone wants to kill me,” she said.

Nevertheless, “we shouldn’t need evidence of harm to humans before starting
to look into the security of these devices,” Moe told me. “What worries me
is that as the pacemakers get more advanced and get more smart so to speak,
they get wireless interfaces. And all of this connectivity will add
vulnerabilities.”

And those vulnerabilities will need to be patched. Moe hasn’t tested or
investigated her device, nor does she know for sure whether her model is
vulnerable. But even if it were, patching any potential vulnerabilities
isn’t easy. In her case, it would require a whole new implant, which makes
her, and other patients like her, virtually “unpatchable.”

Moe already knows what it’s like to suffer the real-world consequences of a
software bug. When she first got her implant, her doctors needed to
fine-tune it to adjust the max pulse to her needs. But due to a software
bug in the programming interface used to adjust the pacemaker’s settings,
the actual settings in the device “were not the same as the settings
displayed on the screen that the doctor was seeing,” Moe said.

“If I tried to run or climb up stairs I would get out of breath and
suddenly feel like an 80-year-old. This was because the pacemaker detected
my pulse to be outside the upper heart rate limit,” she added.

Luckily, Moe said, in this case the bug was in the pacemaker’s external
programming device, so it was easier to patch. But if the bug had been in the
implant itself, patching would have required surgery.

She hopes hackers and security researchers will keep investigating
vulnerabilities in pacemakers and other medical devices—and that the
medical community and the health industry will start taking cybersecurity
seriously.

Thanks to several people in the security industry, this is starting to
happen. Last summer, the Federal Drug Administration agency told hospitals
not to use a certain drug pump because it contained vulnerabilities that
could be exploited by hackers. These vulnerabilities were highlighted by
Billy Rios, a researcher who’s found bugs in several medical devices. I Am
the Cavalry, a nonprofit that wants to educate sectors that traditionally
haven’t thought about cybersecurity, has also been pushing to increase
awareness of this issue among the healthcare industry.

In the future, Moe hopes doctors will take the security of the implants
they give patients into consideration when picking a certain device over
another.

“Next time I have an implant, because it needs to be replaced in some
years,” she told me, “I hope that the doctors will feel it’s just as
natural to worry about software bugs in the device as it is to worry about
there not being any bacteria in it before they implant it.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
