This week the medical device industry received more disturbing news about the state of its technology. We tweeted that medical devices such as imaging and neonatal monitors in hospitals are infected on a large scale with computer viruses and malware. Now, a researcher has demonstrated vulnerabilities in pacemakers that allow for wireless remote attacks that could lead to a patient’s death.
Barnaby Jack, a researcher from the security firm IOActive, has discovered a flaw in a series of pacemakers that exposes a backdoor to the device. The flaw is related to the way pacemakers wirelessly receive defibrillator instructions designed for each patient. This flaw exposes the device serial number and ID, allowing an attacker to remotely connect to the device and view patients’ information or upload new firmware.
Jack demonstrated how he was able to upload new firmware to a pacemaker that configured the device to send out an 830-volt shock, enough to kill a person. In the worst-case scenario, instructions could be sent to every pacemaker within 50 feet to kill everyone with a deadly shock.
Fortunately, Jack has not released the code for his hack, as that would put lives in danger. He stated, “My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security of their code and not just the traditional safety mechanisms of these devices”.
The potential for mass murder is headline-grabbing but unlikely. Still, the lesson to be learned is that as medical devices become more dependent on wireless technology, strict secure programming standards need to be applied from the beginning of a project to protect the device and the patient from bugs and potentially deadly flaws.