Exploiting Implanted Medical Devices

by Dr Nick

Hollywood Future Predictions

Spoiler Alert – for anyone who has not watched the Showtime series “Homeland” or not got past Season 2

 

Hacking Medical Devices – Homeland Broken Heart; Picture from Seriesandtv.com

In the episode titled “Broken Heart” (December 2, 2012) we watch a hacker gain remote unauthorized access to the Vice President’s pacemaker and induce a tachycardia (an increase in the heart rate), causing him to succumb to a heart attack. Abu Nazir kills the vice president by accessing his pacemaker remotely.

 

 

While the whole operation seemed almost too simple, it was not an implausible tactic. We saw this in October when Darren Pauli wrote about a researcher in Australia who

“reverse-engineered a pacemaker transmitter to make it possible to deliver deadly electric shocks to pacemakers within 30 feet and rewrite their firmware.”

The risk was real enough that Dick Cheney revealed that his fear of this hack led him to have the wireless function turned off in 2007. It was covered in this piece in the NY Times, “A Heart Device Is Found Vulnerable to Hacker Attacks”, but was discounted based on the high costs and need for sophisticated equipment.

Billy Rios – Security Researcher

Enter a security manager and researcher, Billy Rios, who, thanks to an unplanned extended visit to a hospital, surrounded by a slew of unsecured access points in his hotel room and by devices connected to him that were communicating via WiFi, went on an 18-month journey to study the risks.

 

This presentation is the culmination of an 18-month independent case study in implanted medical devices. The presenters will provide detailed technical findings on remote exploitation of a pacemaker system, pacemaker infrastructure, and a neurostimulator system. Exploitation of these vulnerabilities allows for the disruption of therapy as well as the ability to execute shocks to a patient.

He presented his findings at BlackHat 2018: Understanding and Exploiting Implanted Medical Devices

Here’s the video of the hack demonstrated at the event:


I was fortunate to speak to him to discuss the journey, his findings and thoughts on incremental steps to mitigate this.

As Billy points out, it is essential for the clinical team to focus on these risks, understand the concerns raised by the security researchers and others, and provide the essential clinical perspective missing from healthcare security discussions.

Here is the live stream of their presentation and demo:


 

