Lack of Security Foresight Can Cost Lives

When it comes to the security of medical technologly one might think that designers would be extremely cautious. But as it turns out that isn't always the case.

For example, it's a very dumb idea to connect a hospital network to the Internet in a way that bridges the hospital's internal network so that desktops and servers can gain Internet access. A far safer approach is to have at least two networks: One that can reach the Internet and one that cannot under any circumstances. However, some hospitals don't do that, and some of the ones do understand that much don't take into account the possibility of someone connecting a wireless access point (whether dedicated or a PC running in ad-hoc mode) to an internal isolated network.

That's a big enough problem as it is. However security issues in the medical industry are much worse. Take for example the case where Medtronic embedded a tiny wireless radio into a combination heart defibrillator and pacemaker. Having a wireless radio in the device lets doctors adjust the pacemaker and control the defibrillator without having to perform surgery. Sounds incredibly useful for a person that needs such a device in their chest, right? What that person might not realize is that the wireless device could let someone kill them.

According to a report at the New York Times, researchers from the Medical Device Security Center were able to hack into the device and control it! That implications are beyond staggering!

Granted, the researchers had to get their test equipment within inches of the device, and the equipment itself was very expensive - reportedly over $30,000. But, with a little understanding of radio technology (particularly amplification and directional antennas) one might presume that such close proximity isn't always necessary. As for the cost of the equipment, people have paid more than $30K to hire a hitman...

Anyway, head over and read the story. You can also read the researchers' related report, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," which is available in PDF format. You surely won't forget about this information if one of your loved ones requires such a device to help their heart do its job.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish