Hacking medical implants is worrisome (and dog+cat+squid)

We <3 IT Blogwatch: in which researchers raise concerns about the security of implanted heart defibrillators. Not to mention an inspiring tale of something or other...

Robert McMillan reports:

It didn't take much to hack into the heart monitoring device and get it to administer a 137-volt shock ... a group of university researchers were able to gain access to what is known as an implantable cardioverter defibrillator (ICD), reading sensitive patient information, disrupting its operation and even programming it to repeatedly administer strong electric shocks. These tiny life-saving ICD devices are surgically implanted in the chests of heart patients, wired to the heart so they can shock it out of ventricular fibrillation. This is a heart-attack condition in which the heart muscle twitches randomly instead of pumping blood in a coordinated fashion. They've been used in the U.S. for years, but until now have never been subject to a rigorous public security review.

John Timmer calls it, "shockingly easy": [He's fired -Ed.]

Implanted medical devices are becoming increasingly sophisticated, moving from simple pacemakers to computerized devices that can actively respond to changes in a patient's condition ... including "pacemakers, implantable cardioverter defibrillators (ICDs), neurostimulators, and implantable drug pumps." [The researchers] focused on a single model of defibrillator, but there is no reason to believe that other devices of this nature are any more secure ... information coming out of the defibrillator included ... the patient's name, date of birth, medical ID number, ... basic patient history ... the doctor's name and phone number ... If the invasion of privacy wasn't bad enough, the researchers were actually able to reprogram the device ... In effect, they hacked the device in a way that could stop a heart.

Tom Simonite eases fears:

Those tests involved a pacemaker in a lab, not implanted in a person and required the transmitter being two inches from the Maximo model they attacked. The team from the Washington and Massachusetts Universities pulled off the trick by exploiting a radio transmitter in the device used by doctors to monitor a patient or change the pacemaker's settings without surgery. The researchers were keen to stress that people shouldn't be scared of pacemakers. "If I needed a defibrillator, I'd ask for one with wireless technology," one told the NYT.

But Daniel Cressey's not so sure:

In perhaps the weirdest computer developments of the year so far ... [they] insist there is nothing to worry about, they are merely highlighting a loophole that needs to be looked at ... [But] if I had one of these things inside me I’d want it a lot more secure than they seem to be at the moment, however low the risk.

Bruce Schneier muses:

This could be big news ... Of course, we all know how this happened. It's a story we've seen a zillion times before: the designers didn't think about security, so the design wasn't secure ... The risks are there, but the benefits of these devices are much greater. The point of this research isn't to help people hack into pacemakers and commit murder, but to enable medical device companies to design better implantable equipment in the future. I think it's great work ... Of course, that will only happen if the medical device companies don't react like idiots ... Just because you have no knowledge of something happening does not mean it's not a risk.

Nick Gorton agrees:

No need to fear they tell us because ... "there has not been a single reported incident" ... Um, that was until a NYTimes article described that it could be done and (more importantly) a [Slashdot] article linked to that NYTimes article so tons of geeks worldwide see the information. While security through obscurity doesn't really work, there is something to be said for people just not noticing that a thing is hackable. Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

Here's I_Love_Pocky! in defense of the ICD industry:

I work for one of the competitors to Medtronic (the company whose devices were studied). We have encryption in our RF communication. We DO take security into consideration, but there are trade-offs that have to be considered. Battery life is generally the most important consideration. Every time surgery needs to be performed to physically access the device (usually because of a depleted battery) there is a risk of complications. These aren't insignificant risks either. Keep in mind the people getting these devices have health problems of some sort or they wouldn't be getting them. With that in mind, security solutions in this domain have to be very well thought out so as to avoid draining the battery significantly. So please, don't for a second presume that we are a bunch of monkeys sitting around on our asses.

And snowgen deals with the inevitable question:

Does this mean that someone can eventually kill people remotely? The technology for that already exists; it's called a "gun". It replaced an older technology called an "arrow", which in turn was the replacement for an even older technology called the "javelin". There was also an older technology called a "sling" which was a peripheral device designed to increase the effectiveness of the original technology called the "rock".

And finally...

Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You too can pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.

Copyright © 2008 IDG Communications, Inc.

  