Hacking Pacemakers For Fun

When Dick Cheney was Veep, stories kept popping up that the Secret Service had made sure that his pacemaker was not remotely controllable.  Some people weren’t sure that it was a problem – not because they disliked Cheney, but because they didn’t think pacemakers were hackable.

Well now we have a different story.

Researchers bought used pacemaker programmers on eBay, some costing as little as $15.  Apparently, if you have a programmer for manufacturer X’s pacemakers, you can program any pacemaker from that manufacturer, because there is no authentication between the programmer and the device.
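To make the missing check concrete, here is a toy model added for this post (it is not code from the article, from WhiteScope, or from any vendor). The first class behaves the way the article describes: any programmer that speaks the protocol can reprogram the device. The second is an assumed hardened design in which the device issues a fresh nonce and only accepts a command whose HMAC, keyed with a secret provisioned into that specific device and its clinic’s programmer, verifies over that nonce. The class names, the single `rate_bpm` setting, and the keys are all constructed for illustration; how a real pairing key would be provisioned is outside this example.

```python
"""Toy model of programmer/pacemaker command authentication (added example, not vendor code)."""
import hashlib
import hmac
import secrets


def encode_command(nonce: bytes, rate_bpm: int) -> bytes:
    """Canonical bytes the MAC covers: device nonce || command (illustrative format)."""
    return nonce + b"|rate_bpm=" + str(rate_bpm).encode()


class UnauthenticatedPacemaker:
    """Models the behaviour the article reports: any programmer that speaks
    the vendor's protocol can reprogram any of the vendor's devices."""

    def __init__(self) -> None:
        self.rate_bpm = 60

    def program(self, rate_bpm: int) -> bool:
        # No check of who is talking: a $15 eBay programmer works as well as the clinic's.
        self.rate_bpm = rate_bpm
        return True


class AuthenticatedPacemaker:
    """Hardened model (assumed design): the device only accepts a command carrying
    an HMAC over a fresh device nonce, keyed with a per-device pairing secret."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key
        self._nonce = None
        self.rate_bpm = 60

    def challenge(self) -> bytes:
        """Step 1: the programmer asks for a nonce; a fresh one is issued per command."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def program(self, rate_bpm: int, tag: bytes) -> bool:
        """Step 2: verify the tag over (nonce, command) before touching any setting."""
        if self._nonce is None:
            return False  # no outstanding challenge: nothing binds this tag to this device
        expected = hmac.new(self._key, encode_command(self._nonce, rate_bpm), hashlib.sha256).digest()
        self._nonce = None  # single use: a captured (command, tag) pair cannot be replayed
        if not hmac.compare_digest(expected, tag):
            return False
        self.rate_bpm = rate_bpm
        return True


class Programmer:
    """A programmer can only produce valid tags if it holds the device's pairing key."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key

    def sign(self, nonce: bytes, rate_bpm: int) -> bytes:
        return hmac.new(self._key, encode_command(nonce, rate_bpm), hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Plays the article's situation against both models; all keys are constructed here."""
    clinic_key = secrets.token_bytes(32)
    ebay_key = secrets.token_bytes(32)  # whatever key a second-hand unit happens to hold
    clinic = Programmer(clinic_key)
    ebay = Programmer(ebay_key)
    results = {}

    weak = UnauthenticatedPacemaker()
    results["weak_accepts_ebay"] = weak.program(180)

    strong = AuthenticatedPacemaker(clinic_key)
    results["strong_rejects_ebay"] = not strong.program(180, ebay.sign(strong.challenge(), 180))
    results["rate_after_reject"] = strong.rate_bpm

    nonce = strong.challenge()
    good_tag = clinic.sign(nonce, 70)
    results["strong_accepts_clinic"] = strong.program(70, good_tag)

    # An attacker who captured (70, good_tag) off the air tries it again after a new challenge.
    strong.challenge()
    results["strong_rejects_replay"] = not strong.program(70, good_tag)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point of the nonce is that possession of a working programmer, or a recording of a legitimate session, is not enough on its own: the device decides what it accepts, rather than relying on who was allowed to buy the hardware.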

The manufacturers have said that they control the distribution of the programmers, but if you can buy them on eBay for $15, that obviously is not working.

Whitescope researchers analyzed 4 programmers from 4 manufacturers and discovered more than 8,000 vulnerabilities.  Now doesn’t that make you feel good.

In two cases the used programmers came with patient data that had not been wiped, and the data was not encrypted.

As medical devices become more sophisticated, they become more dangerous too.  If someone knows that you have a pacemaker from vendor X and can figure out how to hack it, that person could kill you – literally.

This is, in some sense, similar to the drug infusion pump scandal from a few years ago.  The FDA attempted to sweep the issue under the rug for a year or more until the researcher went public with the hack.  Then, all of a sudden, the FDA decided it was a problem.

Some people might say that if researchers just didn’t discover these bugs then all would be well.  Not really.  The bad guys will discover the bugs also, but they won’t be so kind and disclose them.

Obviously these manufacturers need to rethink their security programs.  Security by obscurity (such as trying to control the distribution of pacemaker programmers) just isn’t going to work in the long run; the device itself has to verify who is giving it commands.

As the author of the article said, it is a bit disconcerting that your iPhone is more secure than your pacemaker.

Information for this post came from Ars Technica.
