A couple of days ago I was reading Cory Doctorow’s blog post I Can’t Let You Do That, Dave: What it means to design our computers and devices to disobey us and stumbled across the following paragraph:
In November 2012, a security researcher in Australia, Barnaby Jack, presented research showing that he could wirelessly reprogram implanted defibrillators so that they could deliver lethal shocks to their owners. Not knowing what your device is doing isn’t just inconvenient. Now that we put computers into our bodies, it’s potentially lethal.
Why hadn’t I heard about this before? Did I miss a bulletin somewhere? This is really important stuff.
My Dad had a pacemaker fitted in August 1989. Over the first few months he attended the pacing clinic at the local hospital, where they wirelessly adjusted its settings to ensure that it wasn’t firing when it didn’t need to - it turned out Dad had a lower resting heart rate than they’d anticipated, so he’d occasionally get jolted awake. It never occurred to me at any point between then and reading this article to explore what security mechanisms were in place. I knew that it was sensitive to strong magnets, and one of the instructions on the piece of paper that Dad carried in his wallet was a notification to security authorities to prevent him from having to go through the security control at airports. I guess I assumed (yes, I know) that there was some form of security built in - I remember Dad being really impressed that it contained data about him, his name, and pertinent facts about his health. I think he quite liked that it meant that, in an emergency, it could act as a method of identification.
Because of Dad’s pacemaker, it has always been one of the things I’ve tended to notice amongst headlines etc., so I’m kind of surprised I hadn’t heard anything about it, and I’m a bit disappointed with myself for not even giving this any form of consideration before. What is somewhat concerning is that I can’t find much more about this in the media beyond the fact that it can happen. There doesn’t seem to be a fuss being made that the security protocols on implanted technology are woefully outdated. From The Register article:
The key problem is the devices rely solely on the device’s serial and device numbers for authentication. Unfortunately it’s trivial to enumerate these numbers wirelessly, authenticate to the device and reprogram them with malicious code.
And then from Threatpost:
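To make the Register quote concrete, here is an added illustration that is not part of the original post or of any real device’s protocol: a toy model of an implant that treats a serial number as its only credential, next to one that holds a per-device secret key and answers a challenge with an HMAC. The device class names, the serial space, the settings fields and the command format are all assumptions made for the example; real pacemaker telemetry protocols are proprietary and are not described here.

```python
import hashlib
import hmac
import json
import secrets


def _encode(command: dict) -> bytes:
    """Canonical byte encoding so the MAC covers exactly what the device will act on."""
    return json.dumps(command, sort_keys=True).encode()


class SerialOnlyImplant:
    """Weak model (assumption): the device accepts any command whose header carries its serial."""

    def __init__(self, serial: int):
        self.serial = serial
        self.settings = {"pacing_rate_bpm": 60, "shock_joules": 0}

    def handle(self, serial: int, command: dict) -> bool:
        if serial != self.serial:
            return False
        self.settings.update(command)
        return True


def enumerate_serial(implant: SerialOnlyImplant, serial_space) -> tuple:
    """Attacker: try serials until the device accepts a harmless probe (an empty command).
    Returns (serial_found_or_None, attempts)."""
    attempts = 0
    for candidate in serial_space:
        attempts += 1
        if implant.handle(candidate, {}):
            return candidate, attempts
    return None, attempts


class ChallengeResponseImplant:
    """Hardened model (assumption): the device holds a per-device secret key, issues a fresh
    random nonce, and only acts on a command whose HMAC over nonce || command verifies."""

    def __init__(self, serial: int, key: bytes):
        self.serial = serial
        self._key = key
        self._nonce = None
        self.settings = {"pacing_rate_bpm": 60, "shock_joules": 0}

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fixed length, so the concatenation below is unambiguous
        return self._nonce

    def handle(self, serial: int, command: dict, tag: bytes) -> bool:
        if serial != self.serial or self._nonce is None:
            return False
        nonce, self._nonce = self._nonce, None  # single use: a replayed tag never meets the same nonce
        expected = hmac.new(self._key, nonce + _encode(command), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.settings.update(command)
        return True


def programmer_tag(key: bytes, nonce: bytes, command: dict) -> bytes:
    """What the clinic's programmer computes: it needs the device key, not just the serial."""
    return hmac.new(key, nonce + _encode(command), hashlib.sha256).digest()


def demo() -> dict:
    """Run both scenarios with constructed inputs and report which attempts succeed."""
    serial = 48213                     # constructed serial for the example
    malicious = {"shock_joules": 40}   # the reprogramming an attacker would want

    # Scenario 1: serial-only device. Enumerate the serial, then reprogram it.
    weak = SerialOnlyImplant(serial)
    found, attempts = enumerate_serial(weak, range(0, 100_000))
    weak_reprogrammed = weak.handle(found, malicious)

    # Scenario 2: challenge-response device. Attacker knows the serial but not the key.
    key = secrets.token_bytes(32)
    strong = ChallengeResponseImplant(serial, key)
    nonce = strong.challenge()
    forged_tag = hashlib.sha256(nonce + _encode(malicious)).digest()  # best effort without the key
    attacker_reprogrammed = strong.handle(serial, malicious, forged_tag)

    # The legitimate programmer, which holds the key, is accepted.
    nonce = strong.challenge()
    legit = {"pacing_rate_bpm": 55}
    tag = programmer_tag(key, nonce, legit)
    legit_accepted = strong.handle(serial, legit, tag)

    # Replaying the captured legitimate exchange against a new challenge fails.
    strong.challenge()
    replay_accepted = strong.handle(serial, legit, tag)

    return {
        "weak_serial_found": found,
        "weak_attempts": attempts,
        "weak_reprogrammed": weak_reprogrammed,
        "weak_shock_joules": weak.settings["shock_joules"],
        "attacker_reprogrammed": attacker_reprogrammed,
        "legit_accepted": legit_accepted,
        "replay_accepted": replay_accepted,
        "strong_shock_joules": strong.settings["shock_joules"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the toy is the asymmetry it shows: an identifier that the device will confirm on request is not a secret, so an attacker within radio range recovers it with nothing more than patience, whereas a key that never leaves the device and a nonce that is never reused mean that knowing the serial buys nothing. A real design would also need to address the emergency-access case the post touches on (a clinician who has never seen the device before), which is exactly where the engineering gets hard.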
It’s not often that the malware attacks that compromise medical devices make their way into the news or onto the desks of regulators in Washington. Part of the problem is that no one is entirely sure who is responsible for the security of the devices: the manufacturers or the customers. Each group believes the other should be responsible, and as a result, no one is, and there are obstacles for each of the parties involved to take serious action.
“There’s kind of the perfect storm of disincentives to make sure the right thing doesn’t happen,” Fu said. “No stakeholder is singularly to blame. The manufacturer who doesn’t regularly issue updates isn’t helpful to the hospital. Hospitals that don’t report problems that could lead to patient harm are complicit. Regulators have guidance on security and say manufacturers should keep these devices up to date, but the problem is patches don’t require further FDA review unless there’s a safety issue. And that causes manufacturers to make decisions that aren’t in the best interest of patients. It’s common for manufacturers not to issue patches because they could require review.”
When I worked at a large pharmaceutical company 15 years or so ago, getting regulatory approval in every country in which you planned to operate was a massive job. If the software formed part of the product definition (by which I mean things like drug dispersal mechanism - i.e. tablet, spray, gel etc. - as well as active ingredients, strength etc.) and any update to the software required re-submission/re-licensing/re-evaluation, I can only imagine how big a headache this could cause. No wonder they’re not rushing to take responsibility.
But someone should be. Some sensible, global strategy needs to be worked on. But I can’t find anything to this effect. Maybe I’m having a Google fail. Hope so!