Can you be killed by code? Karen Sandler of the Gnome Foundation believes so. Software has plenty of holes, why should software behind a pacemaker be any different? Sandler has an implanted medical device, a defibrillator which can deliver a shock to the heart if it stops working. Yet an induced shock to the heart when it's functioning correctly could be deadly. Sandler wanted to inspect her implant's code, but the medical device manufacturer refused and reassured her about the code's integrity. Sandler told the BBC, "Knowing what I know about software I'm sure it'll have bugs." And based on research from a University of Massachusetts professor, "her fears might be well grounded." It's not a new idea since other security researchers published Killed by Code: Software Transparency in Implantable Medical Devices back in 2010.
Now add to the big picture all the mounting evidence that embedded medical devices can be hacked wirelessly. After Black Hat where security researcher and diabetic Jay Radcliffe demonstrated a potentially lethal wireless attack on an insulin pump and how it could kill people, Congress took note and demanded answers about how an insulin pump could be remotely controlled via a $20 radio frequency transmitter. Radcliffe had said of the hack, "It's basically like having root on the device, and that's like having root on the chemistry of the human body." Other researchers concerned about the security of embedded wireless medical implants developed a jamming signal device to stop hackers from lethal pacemaker attacks.
Last year, intent upon discovering the vulnerabilities in medical devices before the bad guys do, McAfee Labs put together a hacking team to attack embedded devices. Then McAfee's threat prediction for 2012 [PDF] also listed embedded hardware as "the promise land for sophisticated hackers." Researchers expected to see proof-of-concept codes which would give high-level hackers complete control to exploit embedded systems such as medical devices.
McAfee Security Researcher Barnaby Jack wants the public to understand just how easily medical devices can be remotely hacked in a public space from 300 feet away from the victim. Check out this video about how to hack into wireless medical devices:
Do you still think it's only science fiction that malicious hackers could wirelessly attack and kill folks with medical devices?
Bloomberg reported that Jack "discovered a way to scan a public space from up to 300 feet away, find vulnerable pumps made by Minneapolis-based Medtronic Inc., and force them to dispense fatal insulin doses. Jack doesn't need to be close to the victim or do any kind of extra surveillance to acquire the serial number, as Radcliffe did. The program Jack has written is something that bad guys with enough skill could replicate and sell online, a common practice in cyber crime. The antenna and other gear is easy to acquire online."
Medtronric believes the benefits to patients far outweigh the risks of cybercriminals remotely murdering folks with insulin pumps, but the Information Security and Privacy Advisory Board is not waiting for an attacker to kill someone, to exploit a pacemaker or insulin pump, before sounding the medical device security alarm.
Security experts explained to the Board that "the lack of cybersecurity preparedness for millions of software-controlled medical devices puts patients at significant risk of harm." So the Board sent a letter [PDF] recommending a single federal entity like the FDA should be responsible for ensuring the cybersecurity of wireless medical devices. It also called up the National Institute of Standards and Technology (NIST) to determine which cybersecurity features should be enabled by default. Anti-virus software was the example cited that a medical provider should not have to download to "achieve an acceptable baseline of cybersecurity."
Furthermore the letter said the government should assign an organization such as the FDA or Health Resources and Services Administration to educate manufacturers, health care and users "about the risks associated with networked and wireless medical devices." This would include how-to "instructions for use" for users, which seems like a terrifying proposal in light of how many computer or smartphone users don't keep their devices updated with patches or antivirus. Perhaps users would be more proactive about patches if that antivirus were protecting a person's heart like in a pacemaker or their sugar levels via an insulin pump?
Since most medical devices are connected to the public Internet, the Board said it's time to bring in the United States Computer Emergency Readiness Team (US-CERT) which should "create defined reporting categories for medical device cybersecurity incidents." US-CERT should compile cybersecurity threat indicators before the "inevitable growth of device incident reports." Can such a recommendation suggest anything other than the coming flood of bad guys hacking medical devices?
What is the medical industry waiting on, command line killers who send a joule of shock to stop a heart? It's reality and not sensationalism. While remotely controlled wireless attacks that could kill people with medical devices may sound like science fiction, it's been proven numerous times that it is possible . . . and it's more than likely that murder by causing a medical device to malfunction is coming.