August 14, 2013

Hacking Humans


Go ahead and add insulin pumps and pacemakers to the ever-expanding list of computer-like-devices that contain bugs and are therefore vulnerable to exploit. That’s right, that little metal thing inside grandpa’s chest that shoots out electrical impulses to keep the old man’s heart beating correctly is vulnerable to a remote hack involving nothing more than a laptop. So too are the insulin pumps that have replaced syringes and daily injections for many diabetics seeking to regulate the high blood sugar levels at the root of that disease.


The bad news is that many of the millions of embedded medical devices many millions of people rely on are vulnerable to attack. The good news is that I don’t know of any circumstances where anyone has actually attacked one of these devices in real life. The hard truth about cybercriminals is that they, unlike a lot of these lofty-minded researchers, don’t hack for fun- they hack for profit. So until we find a way to make consistent money from poisoning a person with insulin or delivering a heavy shock to their pacemaker, I just don’t see much incentive for these kinds of attacks.

I admit, it’s pretty flashy to imagine some hacker-assassin preying on wearers of embedded medical devices, but it’s also incredibly silly. The barrier of entry to perform one of these attacks, the technical ability, testing environments, and knowledge of vulnerable systems needed, is so high, that almost no one could exploit a pacemaker or insulin pump. And even if they could, why would they? For murder? If you think that someone is trying to kill you, then I assure you embedded medical device attacks should be the least of your worries.


Nevertheless, if a potential security issue exists, it should be addressed.  Sadly, Barnaby Jack, one of the vanguards of implantable medical device research, died last month, just a week before he was scheduled to present a briefing on the subject at the Black Hat security conference in Las Vegas.However, Jack, who worked as a security researcher at the application security firm IOActive, released a bunch of research on the topic in late 2012. His findings were grim to say the least.


At the Breakpoint conference in Australia last year, Jack demonstrated that he could wirelessly send a signal from his laptop to a pacemaker and advise the device to deliver a potentially fatal shock from inside a patient’s body. The attack arose from a programming error whereby the researcher could send a special command to the pacemaker and the pacemaker would respond with its model and serial number. Once he determined the type of device he was working with, he was able to deliver an 830-volt – potentially fatal – shock to the body in which the pacemaker rested. Moreover, Jack demonstrated that it’s possible to program pacemakers to spread malicious code to other similar devices of the same vendor. Quite luckily, this scenario might be gladly accepted by Hollywood, but for real-life criminals or terrorists, it’s more effective to use good old bombs and guns.

Jack demonstrated that he could wirelessly send a signal from his laptop to a pacemaker and advise the device to deliver a potentially fatal shock from inside a patient’s body.

This wasn’t Jack’s first rodeo either. The researcher turned heads inside and outside of the security industry a year earlier at the Hacker Halted conference in Miami, Florida, when he demonstrated an attack successfully compromising an insulin pump and compelling it to deliver a fatal dose of insulin from as far away as 300 feet.

Jack modified the antennae on one of these wireless pumps and fiddled with the software that controlled it. An earlier presentation by Jerome Radcliffe at Black Hat 2011 demonstrated that insulin pump manipulation was possible if an attacker could track down the unique numeric device number of the implantable pump in question. Jack’s research went to the next level. He could compromise all the vulnerable devices without knowing their unique device identification.

Jack was just one researcher among many and pacemakers and insulin pumps are just the tip of the iceberg. Beyond those there are an inconceivably massive number of potentially vulnerable medical devices, both the implantable and the external ones. As if it weren’t scrutinized heavily enough as is, the medical device sub-topic of security is going to get a lot of attention in the years and months to follow, and we’ll write about it here whenever there is interesting research to present.

One of the problems with securing medical devices is that they are radically different from standard computers. An insulin pump delivers insulin and communicates with doctors to determine the levels of insulin it should deliver. Same for pacemakers: they deliver an electrical pulse to the heart to keep it beating normally, communicating with something outside the body to occasionally determine how big the impulse needs to be.


If these devices can communicate with sources outside the body, then they are doing it wirelessly, which presents some obvious security problems as Jack and other researchers showed. The next step, it seems, would be to make sure these things communicate over encrypted channels and maybe set up some form of authentication, limiting access to the devices. It might be very challenging because of numerous restrictions imposed by nature of these devices. Setting passwords might prevent doctors in another country from saving your life while on vacation. Encryption may quickly drain the battery of a small implanted device. These challenges are new and answers are yet to be found.

If there is one thing I am sure of, it’s that doctors and security researchers are some of the smartest people in the world. Not only that, but doctors take great pride in saving lives. Security researchers themselves are a bit over-zealous at time when it comes to protecting data and systems.

There isn’t a whole lot you can personally do to protect yourself here. No one is developing security products to protect these things and I seriously doubt there is anything in the way of user-controlled security settings. I suppose if you suffer from diabetes you could go back to the old-fashioned monitor-your-blood-sugar-and-manually-inject-insulin method. Maybe you’ll be lucky and never have to wear a pacemaker, insulin pump, or any other implantable medical device, but maybe you already wear one: the best you can do is look to the manufacturers and the doctors and hope they are paying attention to research like this, which they almost certainly are.

It may seem reckless to publish highly sensitive information in this way, but really, Jack’s and other similar work is just the kind that can push medical device manufacturers to start making and maintaining more secure equipment. These are doctors and engineers after all. They learn from their mistakes. When a researcher shows them a bug in their products, that bug probably won’t show up again.

The bottom line is this: embedded medical devices save millions of lives every year and the number of people who have died as a result of a medical device hack is somewhere around zero.