Even medical pacemakers are vulnerable to hacking

Computer scientists from Beth Israel Medical Center, Harvard Medical School, the University of Massachusetts and the University of Washington demonstrated how to hack into a wireless medical device, which combines the capabilities of a pacemaker and a defibrillator, such as the Medtronic Maximo DR

Thomas Cleburne, InformationWeek

If there were those who thought that wireless medical equipment that is implanted in the body of patients is safe from hacking, then a scientific article that a group of researchers is about to publish this May proves that this is not the case: computer scientists from Beth Israel Medical Center, Harvard University Medical School, University of Massachusetts and the University of Washington demonstrated how to hack into a wireless medical device, which combines the capabilities of a pacemaker and a defibrillator, of the Medtronic Maximo DR type. The article will be published in preparation for the 2008 IEEE Symposium on Security and Privacy.

"The research shows that a pacemaker-defibrillator that is implanted in the patient's body may be exposed to attacks by hostile elements. Such parties will be able to access medical information and the results of tests that are performed remotely, and even change the settings established for the administration of an electric shock." An unnecessary electric shock can cause fibrillation of the heart chambers and even death. Pacemakers and defibrillators have already been implanted in the bodies of millions of patients in the US.

The researchers estimate that this is the first attempt of its kind to crack the communication from a pacemaker-defibrillator like this one from Medtronic. The researchers used the GNU Radio software package to develop a radio capable of handling the relevant signals. However, the researchers do not believe that patients who have had medical equipment implanted in their bodies are exposed to an immediate and significant risk, and urge patients who need such equipment not to shy away from implanting a suitable device, if the doctors recommend it.

"We believe that the risk is low and that patients should not be deterred," the researchers noted. "There is no known case in which damage was ever caused to a patient in whose body a medical device was implanted as a result of an attack by hostile elements. To carry out an attack of the type described in the study, the following conditions must be met: malicious intent, technical sophistication and the ability to place electronic equipment near the patient. Our goal in conducting the research was to improve the security, privacy, safety and efficiency of the medical equipment."

In response to the study's findings, security expert Bruce Schneier wrote in a blog post that "we have come across such cases countless times: the designers did not take security considerations into account, and therefore the device is not safe."

In response, Medtronic said that security issues related to wireless communication have been known for 30 years, and that the company pays a lot of attention to the issue of security. The company added that it welcomes every opportunity to improve security with the help of investigators and authorities, but noted that "every discussion must be done in an accurate, balanced and responsible manner. Although the programming of all medical devices must be carried out via wireless communication - usually from a very close range - the risk of intentional, hostile or unauthorized interference in the operation of the device is very low. In fact, we are not aware of any such incident that happened in the 30 years in which millions of devices were implanted around the world."