It seems like something is very wrong with the picture when you read the news and it sounds more like a science fiction novel than a newsflash. For example, Barnaby Jack showed how an attacker with a laptop, located up to 50 feet from a victim, could remotely hack a pacemaker and deliver an 830-volt shock.
Ruxcon BreakPoint security conference in Melbourne must have been the place to be, as RiskyBiz said it kicked off with a bang featuring “mass murder, Windows exploits, hacking Apple and owning spy agencies.” Jack was just one presenter, and he showed a video that he doesn’t want released to the public since the manufacturer would be named. Maybe it’s time to name and blame, because this is some seriously scary stuff!
Jack is trying to raise awareness, so embedded medical device manufacturers will beef up security. If he doesn’t have their, or your, attention yet, then know that we are headed towards malware that can murder. Besides reverse engineering a pacemaker to deliver a deadly shock from 30 - 50 feet away, he demonstrated how he could rewrite the devices' onboard firmware. Jack also said it is possible to upload malicious firmware to servers that would be capable of infecting pacemakers and ICDs. “We are potentially looking at a worm with the ability to commit mass murder," Jack said. "It's kind of scary."
SC Magazine reported that Jack said these attacks would be like an “anonymous assassination.” The killer would need no weapon other than a laptop, and the assassination would leave no smoking gun. Jack added, “The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range.”
The FDA may be looking at the effectiveness of medical devices, but it doesn’t audit the code, Jack said. Maliciously crafted code has previously tainted software updates for lifesaving medical devices, and reporting on the malware really ticked off the manufacturer. But hey, that seems minuscule in comparison, since Technology Review reported that medical equipment is “riddled” with malware and government officials found “computer viruses are ‘rampant’ on medical devices in hospitals.” Hospitals run older Windows operating systems that are not patched or protected with antivirus programs because officials fear the modifications will “run afoul” of FDA regulations.
"I find this mind-boggling," said embedded medical device security guru Kevin Fu. Running an old OS, perhaps as old as Windows 95 to protect critical medical apps, may be the reason why these systems can be infected by worms that are 5 – 10 years old, but manufacturers are also a big part of the problem. Fu told Technology Review, "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."
Here’s a scary thought gleaned from the same article: a system is considered “new” when it has been upgraded to be “based on Windows XP.” One expert said it would take “more than 200 firewalls” to protect a hospital’s software-controlled equipment. For starters, it seems like the medical equipment could be taken off the Internet, as was done after the “Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that ‘could not be patched due to [regulatory] restrictions’.”
The FDA put out guidelines in 2009, but malware problems are “rarely reported to state or federal regulators.” When talking about the 664 pieces of medical equipment running on old operating systems at Beth Israel Deaconess Medical Center in Boston, FDA deputy director Brian Fitzgerald said it is a common problem. The FDA is reviewing its “regulatory stance on software,” but Fitzgerald said it would be a “gradual process.”
More than a year ago, security researcher Jay Radcliffe showed how “an attacker with a powerful antenna could be up to a half mile away from a victim yet launch a wireless hack to remotely control an insulin pump and potentially kill the victim.” Then there was a jammer developed to protect pacemakers from lethal hacks via wireless attacks. When the feds were pressed to protect wireless medical devices from hackers, we wondered if a person could be killed by code. It’s a bit of a sick continuing saga when sloppy code allows each wireless hack of medical devices to potentially murder more people at one time. Add in the medical equipment infected with malware and it's just flipping peachy.