The next frontier of computer hacking could be lifesaving medical devices: at a recent developer conference, a pacemaker was wirelessly hacked to send deadly 830 volt shocks. Even worse, IOActive researcher Barnaby Jack says that it would be “100 percent possible” that virus could spread to other devices in a wave of “mass murder”. The transparently over-the-top scenario was performed in the convenience of a controlled conference setting, but it does come on the heels of a National Institute of Standards and Technology conference where panelists warned of common computer malware infecting hospital devices.
At the BreakPoint security conference in Melbourne Jack demonstrated that he could reverse engineer a pacemaker to deliver fatal shocks from within 30 feet and rewrite the devices onboard software (firmware). The pacemaker also contained a “secret function” that could activate other cardiac devices within a 30 foot-plus vicinity.
“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD [implantable cardioverter-defibrillators] and then each would subsequently infect all others in range.”
Jack said that he was developing a graphical platform, “Electric Feel,” which could activate the deadly protocol with a mere right-click. This is not the first time hacking vulnerabilities to pacemakers have been exposed; in 2008, researchers from the University of Washington and Massachusetts assumed control of a pacemaker and stole data.
Hacking devices in the world may prove to be considerably more difficult, but it highlights the an overlooked field in need of security: healthcare.
“Imagine you have a heart monitor that’s running Windows and it gets infected by a computer virus and slows down,” University of Michigan computer scientist, Kevin Fu, warned the BBC. Fu, who was speaking a medical conference, said that the Food and Drug Administration needed to require security protocols in addition to safety regulation.
While there have been no documented criminal attempts at infiltration, his panel agreed that precaution should be a priority.