According to research from Barnaby Jack of security vendor IOActive, several vendors’ pacemakers can be remotely controlled and commanded to deliver a 830-volt shock via a laptop, thanks to software programming flaws on the part of medical device companies. That is, of course, enough to kill someone, and Jack noted that the vulnerabilities open the door to “mass murder.”
Jack delivered the research at the Breakpoint security conference in Melbourne on Wednesday, according to TechCrunch, where he said the flaw lies with the programming of the wireless transmitters inside the pacemakers and ICDs.
Those transmitters monitor for irregularities in heartbeats and deliver life-saving corrective jolts of electricity on a regular basis to correct poor heart function. Unfortunately, the devices are easily tricked by a special command to give up their serial numbers and other info needed to authenticate into them and control those transmitters; and, worse, they often have backdoors that allow the wireless signals to be hijacked even without the credentials. So, either way, a hacker with a commanding laptop can take control and deliver a deadly shock, from up to 50 feet away – the range of many of these vulnerable devices.
Making things even scarier is the fact that it is possible, Jack said, to create special firmware that can be uploaded to a medical device’s company servers and used to infect multiple pacemakers and ICDs with a malicious code that can spread virally and compromise access security automatically – up to the point of delivering a deadly payload. "We are potentially looking at a worm with the ability to commit mass murder," Jack said.
The researcher did not identify the companies that are building in the fatal weaknesses, but he did note that around 4.6 million pacemakers and ICDs were sold between 2006 and 2011 in the US alone.
"My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security of their code and not just the traditional safety mechanisms of these devices," Jack said, according to TechCrunch.
The issue is not restricted to pacemakers. Computerized hospital equipment is increasingly vulnerable to malware infections, according to a government panel. Technology Review reported that malware is “rampant” in healthcare environments, because under current US law, software used to run medical devices in hospitals must remain static once approved. It’s not that manufacturers cannot install anti-virus software or provide updates to fix security flaws, it’s that they will not do so, in order to remain in compliance with the Food & drug Administration.
"I find this mind-boggling,” Kevin Fu, a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, told Technology Review. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."