Nov. 29, 2012

Warning issued over dangers from medical devices

Imagine a person typing on a laptop in an airport. A common sight in today’s world of telecomputing.

Across the way at a gate, a passenger getting ready to board a plane suddenly grabs his chest and collapses.

The businessman closes his laptop and walks away, disappearing down the concourse as a crowd starts to surround the dying man.

What sounds like something out of a spy movie is very possible in real life.

IT experts have reported recently that implanted medical devices could be endangering the lives of the people who have them. They say that the devices are not properly secured and are vulnerable to attack by hackers armed with only a laptop and easily available computer components.

The Sydney Morning Herald reports that Barnaby Jack, a hacker and director of embedded device security at IOActive Inc., gave a demonstration at the Breakpoint Security Conference in Melbourne, Australia, on how to hack into a pacemaker and disrupt its operation.

Jack became famous for his demonstration of “jackpotting” an ATM — making money fly out the machine — at the Las Vegas DefCon security conference in 2010.

In the demonstration, Jack showed how he could remotely cause a pacemaker to suddenly deliver an 830-volt shock, which could be heard with an audible pop. He was able to do it by breaching the security of the wireless device and reprogramming it using a laptop.

The demonstration was given to show how insecure the devices are.

Pacemakers and other implanted medical devices were designed with little regard to security. The primary consideration in the design of the devices telemetry is to allow a doctor to make rapid changes to its programming in an emergency.

Most modern implanted devices communicate with diagnostic equipment using security authentication consisting of a username and password. In many cases, the username and password is the serial number of the device and the model number.

The “hack” consisted of sending a stream of data wirelessly to the implanted device at a specific frequency and having it respond with its identification code, i.e. the serial and model numbers. Armed with this information, the hacker can log into the device to read the data and issue it commands.

The hacker can conduct the attack from up to 40 feet away, meaning it can be done at most public places without raising suspicion.

Jack found other problems. The devices he tested contain personal data about patients as well as the name of their doctor.

“The new implementation is flawed in so many ways,” Jack said. “It really needs to be reworked.”

Approximately 400,000 devices are implanted each year in the United States and as many as 4.6 million pacemakers and ICDs were sold between 2006 and 2011 in the U.S.

In the past, implanted devices were reprogrammed by medical staff using a wand that had to pass within a couple of feet of the patient, but now the trend is to go wireless. Medical device manufacturers are marketing wireless transmitters to do the programming that have a range of up to 30 to 50 feet.

“People with these devices should be very concerned,” Patrick Gray, a specialist security journalist who produces podcasts and writes for risky.biz told the Herald. “I can’t think of a good reason why an implantable medical device needs to be wirelessly readable at 10 meters, but hey, maybe that’s just me.”

The U.S. Government Accountability Office released a report highlighting the vulnerabilities of the devices. The GAO called on the Food and Drug Administration to issue regulations to ensure implanted devices are secured from hacking attacks.

The report concluded that as implanted medical devices take advantage of newer technologies, such as wireless capabilities, they become more susceptible to cyberattack. Although the risks resulting from unintentional threats have long been known, threats from an intentional attack have recently been verified.

The report also stated that while the FDA has considered unintentional threats, such as microwave use, during its pre-market approval process, it has not considered the directed attack. The GAO also noted that the FDA has not consulted with other government agencies, such as DHS and the National Institute of Standards and Technology in identifying threats and possible risk remediation. The GAO also stated that it was unclear whether or not the FDA could even identify security problems in the devices on their own. Furthermore, FDA has not established specific milestones, including when it will implement any changes.

Barnaby Jack is not the only security expert who is concerned about the security of implanted medical devices.

Jay Radcliffe, a senior security analyst at InGuardians Inc. showed how a hacker could break into implanted devices used to treat diabetes and cause them to malfunction with potentially disastrous results.

At last summer’s Black Hat Conference in Las Vegas, Radcliffe, a diabetic himself who wears an insulin pump, developed a hack on a continuous glucose meter, an implanted wireless sensor that analyzes blood sugar every few minutes and sends the information to a monitoring device carried by the patient. He also hacked into the insulin pump that delivers insulin to a patient via a tube inserted in to the diabetic’s body.

“Wireless communication with insulin pumps is not secure, they’re not designed to be updated and there’s no way of patching them,” he told the audience at the conference.

In his hack on the insulin pump, Radcliffe wrote a small computer program called a script and, using a computer part he bought on eBay for about $20, remotely turned off the insulin pump.

Shutting off the supply of insulin to the body, causing hyperglycemia, can result in blurred vision and eventual kidney damage while too much insulin, causing hypoglycemia, can result in respiratory failure and, eventually, death.

Radcliffe said his hardware hacking highlights just how insecure modern, everyday devices are.

“There is always a threat lurking, we can’t just ignore it and think that, ‘Oh it’s just an insulin pump, nobody’s going to hack that.’ That’s what we said 15 years ago about the Web,” Radcliffe said. “We need to look ahead of the curve. Just because it can’t be done easily, doesn’t mean it can’t be done. There are way too many smart people out there.”

Unfortunately, there’s not much the average person can do about the vulnerability. Implanted devices can be over 10 years old, meaning they were programmed with Windows 98 software and haven’t been updated since. There typically is no update for the devices if they work properly.

Even more problematic is the fact that it is possible, according to Jack, to write computer code that can be uploaded to a medical device’s company servers and infect many pacemakers with a virus that can wreak havoc on the devices and the patients who use them.

“We are potentially looking at a worm with the ability to commit mass murder,” Jack said.

In his remarks, Patrick Gray summed up the current situation succinctly, “There’s no simple solution here, but until these [medical] companies accept that there’s a legitimate problem here, then zero progress will be made.”

Andrew McGavigan, the chairman of the Cardiac Society of Australia and New Zealand, does caution, however, that people must remember that “millions of patients have benefited from implantable cardiac devices over the last few decades.”

There has never been a reported case of a person being harmed by someone maliciously altering their implantable medical device, McGavigan told the Herald.

What needs to be considered though is that in any risk analysis, risk is defined in the equation: Risk = Threat x Vulnerability x Consequence.

The three components of the risk equation are evaluated separately and then the overall risk factor is determined. For example, in the case of nuclear weapons, the threat of stealing a nuclear weapon is high, the vulnerability of the firing mechanism is low, but the consequence of successfully setting off a nuclear device is extremely high. In this case, the risk would also be extremely high and the security of these weapons is treated accordingly.

For implanted medical devices, while the current threat may be low, the vulnerability of the device is high and the consequence, possible death, is also very high, so the risk associated with implanted medical devices is also high.

Today, while the threat of an individual building a device to hack into an implanted device is rather small, it is not beyond the capability of a nation-state or well-financed terrorist group. Targeted assassinations by these groups are also not unheard of.

Hacking has a long history of putting ever more sophisticated tools in the hands of ever less sophisticated users. Standard hacking tools that were once only used by one country against another are now being downloaded off the Internet by amateurs called “script kiddies.”

Nation-states and terrorists already have the will to commit murder and have exercised it many times. Using a laptop as the weapon of choice in an assassination attempt also has the added benefit of looking innocuous.

As one audience member of the Breakpoint Conference put it, “There’s no muzzle flash with a laptop.”

http://www.wnd.com/2012/11/death-by-pacemaker-scary-possibility/print/