Killer hackers could target cardiac implantsEmtech Researcher calls for tighter securityBy Clive AkassWednesday, 30 September 2009, 13:59A US RESEARCHER is calling for legislation to enforce tighter security on implanted cardiac devices after he hacked one wirelessly to produce a potentially fatal electric shock.The scenario may sound like something out of a detective novel or far-fetched thriller movie script but the danger is real and should be taken seriously, says Kevin Fu, an assistant professor of computer science at the University of Massachusetts, who specialises in the security of RFID systems.Judges at the EmTech conference in Boston took his work seriously enough to give him an Innovator of the Year award.Doctors can access modern pacemakers and defibrillators over the Internet via a short-range wireless link similar to those used in RFID devices. The system allows them to monitor patients remotely and install software updates.This means a hacker could access confidential medical information as well as reprogram the devices, Fu says.He wrote in a recent paper: "Manufacturers point out that IMDs (implanted medical devices) have used radio communication for decades, and that they are not aware of any unreported security problems. Spam and viruses were also not prevalent on the Internet during its many-decade childhood. Firewalls, encryption, and proprietary techniques did not stop the eventual onslaught."Fu and his team used off-the-shelf components to build a device that could write to a defibrillator and read the signals being sent to it. They deciphered the signals by exploiting the fact that they knew the patient's name.They could then reprogram the device to give an electric shock. Another possibility is that a hacker could disable the power-saving mode so that the device's battery ran down in days rather than years.The hacking device could be built into something the size of a cellphone and infect IMDs with malware randomly as the killer walked down the street. Millions of people use pacemaker-defibrillator devices.Fu points out that such random attacks are not unknown. Vandals can cause people to have seizures by implanting flashing lights on a website used by epileptics; and seven people died when a killer put cyanide-laced painkillers on supermarket shelves in Chicago.Nevertheless some doctors resisted when Fu first started making inquiries about IMD security. Has he any idea of how many of the devices in use are vulnerable? "That's the point," he said. "We just don't know." µ
