A hack can turn a pacemaker from a lifesaver into a silent killer, a researcher has disclosed.
Barnaby Jack, a researcher from security vendor IOActive, said a hacker with a laptop can command a pacemaker to deliver a fatal 830-volt shock, TechHive.com reported.
TechHive.com said Jack made the disclosure at the Breakpoint security conference in Melbourne last Wednesday.
"(Such an attack exploiting the security flaw in many pacemakers) could definitely result in fatalities," TechHive.com quoted him as saying, adding he has notified the manufacturers concerned.
"My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security of their code and not just the traditional safety mechanisms of these devices," he added.
Jack is developing "Electric Feel," an application that would allow a user to scan for a medical device in range, and shut it off or configure it to deliver a shock.
Also, Jack said it is possible to upload maliciously modified firmware to a company's servers that can infect multiple pacemakers and ICDs like a virus.
"We are potentially looking at a worm with the ability to commit mass murder. It's kind of scary," he said.
He also said it is ironic that the implants and the wireless transmitters can use Advanced Encryption Standard (AES) encryption, yet it is not enabled.
He said the security flaw is with the wireless transmitters that send instructions to pacemakers and implantable cardioverter-defibrillators (ICDs).
ICDs detect irregular heart contractions and deliver an electric shock to prevent a heart attack.
TechHive.com said Jack demonstrated how he could remotely cause a pacemaker to deliver an 830-volt shock. The shock caused a crisp audible pop.
TechHive.com quoted Jack as saying some 4.6 million pacemakers and ICDs were sold between 2006 and 2011 in the U.S. alone.
He said pacemakers and ICDs were reprogrammed in the past by medical staff using a wand that had to pass within a few meters of a patient.
But with the trend turning to wireless, many manufacturers sell bedside transmitters that replace the wand, with the devices having a wireless range of up to 50 feet.
Jack also said he found that the devices give up their serial number and model number when contacted wirelessly with a special command.
With this data, he could reprogram the device's firmware, and eventually the device.
Jack said the devices, once hacked, can also yield personal data about patients, such as their name and their doctor.
"The new implementation is flawed in so many ways. It really needs to be reworked," Jack said. — TJD, GMA News