Three medical schools demonstrate the wireless dangers that can disturb an implantable cardioverter defibrillator like the Medtronic Maximo DR.
Implantable medical devices like pacemakers seem secure, buried within one's body. But a team of researchers has demonstrated that's not the case.
In a newly published academic paper, computer scientists from the Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington have shown that a combination pacemaker and defibrillator with wireless capabilities, the Medtronic Maximo DR, can be hacked.
"Our investigation shows that an implantable cardioverter defibrillator (1) is potentially susceptible to malicious attacks that violate the privacy of patient information and medical telemetry, and (2) may experience malicious alteration to the integrity of information or state, including patient data and therapy settings for when and how shocks are administered," the paper states.
Such a shock could induce ventricular fibrillation, which is potentially lethal.
Several million pacemakers and defibrillators have been implanted in patients in the United States.
The researchers say they believe that their attempts to reverse-engineer the communications going to and from the Medtronic implantable cardioverter defibrillator represent the first use of software-defined radios in the security community for reverse-engineering wireless protocols. The group used the GNU Radio software toolkit to create a radio receiver capable of processing radio waves as defined by software.
In publishing the findings, the researchers are not suggesting that heart patients face significant imminent risk from hackers. They say in a statement published on the research group's Web site, secure-medicine.org, that their findings should not deter patients from accepting these devices if deemed appropriate by a physician.
"We believe that the risk to patients is low and that patients should not be alarmed," the researchers say. "We do not know of a single case where an IMD [implantable medical device] patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs."
Clearly, medical device makers have room for improvement. In his blog post about the findings, security expert Bruce Schneier said, "Of course, we all know how this happened. It's a story we've seen a zillion times before: The designers didn't think about security, so the design wasn't secure."
In an e-mailed statement, Medtronic said that wireless security issues have been known for 30 years and that Medtronic pays close attention to such issues. The company said it welcomed the opportunity to address security concerns with regulators and researchers, but noted that "such dialogue must be accurate, balanced and responsible."
"While all implanted devices must use wireless telemetry for programming -- typically in very close range (several inches to several feet) -- the risk of any deliberate, malicious, or unauthorized manipulation of a device is extremely low," Medtronic said. "In fact, to our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide."
Nonetheless, Medtronic said the technology in these devices continues to improve and that the company will continue to incorporate security measures to protect patient safety.