One of my readers notified me of a recent article published by the CNN website that discusses concerns regarding the capability to hack ICDs. Here's the link to the article that was published on 16 April 2010. I was also republished in the Communications of the ACM (of which I am a member) on 19 April 2010.
Much of the article appears below Before proceeding, I would like to add a little background about myself and a little bit of commentary regarding hacking. I am a co-founder of data leak security company, Salare Security (http://www.salaresecurity.com). If anyone is interested in what the company does, please do follow the link above. (As of this point, I am a silent partner in the company. My partners are currently running the business.) I mention this because I have some real-world based knowledge regarding system vulnerabilities.
From experience and research I have found that even vulnerabilities that seem unlikely to be exploited, inevitably are exploited. If something can be gained from a target and a vulnerability exists, you can be assured that the vulnerability will be exploited.
For example, specific vulnerabilities that Salare Security addresses months ago were considered unlikely to be exploited because of the lack knowledge and a lack of interest on the part of hackers. However, the vulnerabilities are of significant interest because if exploited, the damage to a government, a company or other organization could be severe. Nevertheless, the thinking in the industry has been that exploitation of the vulnerabilities over the near term were remote.
However, recently, we have received information that the system vulnerabilities that Salare Security addresses have been exploited by a government funded group of hackers. So much for "nothing happening in the near term."
In the case of the vulnerabilities that Salare Security protects ... the hackers were after information. (I do not know the details of the attack so I cannot tell you what information they stole.) But, why might hackers develop systems to exploit medical device vulnerabilities?
My sense is that the hackers most likely are not out to attack, injure or kill people with medical devices. In my estimation, these hackers would be engaged in an extortion scheme against a device manufacturer or manufacturers. This suggestion is based on some of the current trends in criminal activity. (Please see: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1510919,00.html?track=NL-102&ad=763387&asrc=EM_NLN_11442713&uid=6228713) The article references other possible motives for hacking medical devices. I would strongly side with any motivation that opens the door for extracting money from a manufacturer.
Here is the article published by CNN
Scientists work to keep hackers out of implanted medical devices
By John D. Sutter, CNN (4/16/2010)
(CNN) -- Nathanael Paul likes the convenience of the insulin pump that regulates his diabetes. It communicates with other gadgets wirelessly and adjusts his blood sugar levels automatically.
But, a few years ago, the computer scientist started to worry about the security of this setup.
What if someone hacked into that system and sent his blood sugar levels plummeting? Or skyrocketing? Those scenarios could be fatal.
Researchers say it is possible for hackers to access and remotely control medical devices like insulin pumps, pacemakers and cardiac defibrillators, all of which emit wireless signals.This article references the same IEEE article that I referenced in my blog posting.
In 2008, a coalition of researchers from the University of Washington, Harvard Medical School and the University of Massachusetts at Amherst wrote that they remotely accessed a common cardiac defibrillator using easy-to-find radio and computer equipment. In a lab, the researchers used their wireless access to steal personal information from the device and to induce fatal heart rhythms by taking control of the system.
"Medical devices have provided important health benefits for many patients, but their increasing number, automation, functionality, connectivity and remote-communication capabilities augment their security vulnerabilities," he wrote.
FDA spokeswoman Karen Riley declined to say whether the FDA is looking into new regulations of wireless medical devices; she added that the responsibility for making the devices secure falls primarily on the manufacturer.
"The FDA shares concerns about the security and privacy of medical devices and emphasizes security as a key element of device design," she said.
Wendy Dougherty, spokeswoman for Medtronic Inc., a large maker of implantable medical devices, said the company is willing to work with the FDA to establish "formal device security guidelines."
The company is aware of potential security risks to implanted medical devices, she said. "Safety is an integral part of our design and quality process. We're constantly evolving and improving our technologies."
In a written statement, Dougherty described the risk of someone hacking into a wireless medical device as "extremely low."
Wireless connections
The security concerns stem from the fact that pacemakers, defibrillators and insulin pumps emit wireless signals, somewhat like computers.
These signals vary in range and openness. Researchers who reported hacking into a defibrillator said some in-the-body devices have a wireless range of about 15 feet.
Many devices do not have encrypted signals to ward off attack, the researchers say. Encryption is a type of signal scrambling that is, for example, employed on many home Wi-Fi routers to prevent unknown people from accessing the network.
MotiveI emphasized Denning's comments because in my experience those are "famous last words." If there is a way to profit from exploiting a vulnerability, be assured, it will be exploited.
There's some question as to why a person would hack into a pacemaker or insulin pump and how the hacker would know a person uses a medical device.
Maisel listed some possible scenarios in his New England Journal article.
"Motivation for such actions might include the acquisition of private information for financial gain or competitive advantage; damage to a device manufacturer's reputation; sabotage by a disgruntled employee, dissatisfied customer or terrorist to inflict financial or personal injury; or simply the satisfaction of the attacker's ego," he wrote.
Denning, from the University of Washington, said the current risk of attack is very low, but that someone could hack into a pacemaker without apparent motive.
She referenced a case from 2008 in which a hacker reportedly tried to induce seizures in epilepsy patients by putting rapidly flashing images on an online forum run by the Epilepsy Foundation.
Additional Resources