Someone, Call Grandpa! Pacemakers Susceptible to Hackers Could Open Door to Mass Murder
Since pacemakers' arrival onto the medical scene, they have been heralded as a miracle for patients who would have few other options. Pacemakers are used for people who have irregular heartbeats and spark the heart to beat in a normal rhythm. But researchers have found that, as pacemakers have become more technologically advanced, they have also made themselves more vulnerable. An expert has found that a pacemaker hack could be achieved just using a laptop and, if hacked correctly, could provide an 830 volt shock or even commit mass murder.
Barnaby Jack, from security retailer IOActive, has previously made headlines by analyzing possible cyber-attacks to pacemakers and insulin pumps. Jack says that the main flaw is in the programming behind the wireless transmitters that instruct wireless pacemakers and implantable cardioverter-defibrillators (ICDs).
Previously, pacemakers were adjusted using wands that medical staff would wave directly in front of the device to change its software's instructions. But now, the trend is to go wireless, using wireless transmitters that can work from bedside and send instructions up to 50 meters (164 feet) away.
Since they work remotely now, Jack says that these new transmitters make it much easier to hack into their programming. He demonstrated in a lecture given at Breakpoint a possible shock, which consisted of 830 volts and created an audible pop.
The transmitters would also give their serial and model numbers if so commanded. Changing those numbers could reprogram the commands given to its controlled pacemakers and ICDs.
And, Jack said, the transmitters also give up personal information of patients, like their names and the names of their doctors.
Worst of all, the transmitter could give up access to the server. Jack said that it would be possible to hack into medical device companies' servers and upload special malware that could infect many ICDs and pacemakers.
"We are potentially looking at a worm with the ability to commit mass murder," Jack said, according to Computer World. "It's kind of scary."
Both ICDs and pacemakers could use AES (Advance Encryption Standard) encryption. Often, though, devices leave the feature off in favor of using methods that could allow programmers to gain access to the device without serial or model numbers because, without such a way in, doctors would need to perform surgery to gain access to the pacemaker or ICD. However, Jack says that they should be embedded deeper into the machines' code to make it more difficult for hackers to access them.
Jack did not release the names of the susceptible companies.
The FDA regulates the efficacy of devices, but does not look at the code.
About 4.6 million pacemakers were sold in the United States between 2006 and 2011 alone.