Implanted Medical Devices: Killed by Your App

Thursday, May 17, 2012

Danny Lieberman

959779642e6e758563e80b5d83150a9f

Danny Lieberman talks about the dangers of implanted cardiac devices like pacemakers and considers that  it’s only a question of time before we have a drive by execution of a politician with an ICD (implanted cardiac device).

There are  hundreds of medical/healthcare applications for smartphones used by people for anything from tracking running performance to measuring heart rate and blood sugar. These apps may be vulnerable to the same kinds of malware you have on your Windows PC, but the really interesting and perhaps frightening development  though, is attacking people via implanted medical devices such as a pacemaker or defibrillator.

I’ve been talking to  medical device vendors in Israel, the US and Europe about mobile security of implanted devices for over a year now.

Last year I gave a talk about mobile medical device security at the Logtel Mobile security conference in Herzliya  and discussed proof of concept attacks on implanted cardiac devices with mobile connectivity.

Mocana, is a company with a pretty impressive line of security products for embedded devices – working at the firmware layer it appears. Mocana secures the “Internet of Things” – the 20 billion non-PC devices that are increasingly connecting to networks across every sector of our economy including Smartphones, Datacom, Smartgrid, Federal, Consumer and Medical. These devices already outnumber workstations on the Internet by about five to one, representing a $900 billion market that’s growing twice as fast as the PC market.

The Mocana Deviceline blog reports that “Alarmed by new research showing the increasing vulnerability of wireless implanted medical devices, two members of Congress have asked for hearings on the security of these devices

Mobile and medical and regulatory is a pretty sexy area and I’m not surprised that politicians are picking up on the issues. After all, there was an episode of CSI New York last year that used the concept of an EMP to kill a person with an ICD, although I imagine that a radio exploit of  an ICD or embedded insulin pump might be hard to identify unless the device itself was logging external commands.

Congress was more concerned about the regulatory issues than the patient safety and security issues:

Representatives Anna Eshoo (D-CA) and Ed Markey (D-MA), both members of the House Energy and Commerce Committee sent a letter last August asking the GAO to Study Safety, Reliability of Wireless Healthcare Tech and report on the extent to which FCC is:

  • Identifying the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology.
  • Taking steps to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.
  • Ensuring wireless enabled medical devices will not cause harmful interference to other equipment.
  • Overseeing such devices to ensure they are safe, reliable, and secure.Coordinating its activities with the Food and Drug Administration.

At  Black Hat August 2011, researcher Jay Radcliffe, who is also a diabetic, reported how he used his own equipment to show how attackers could compromise instructions to wireless insulin pumps.

Radcliffe found that his monitor had no verification of the remote signal. Worse, the pump broadcasts its unique ID so he was able to send the device a command that put it into SUSPEND mode (a DoS attack). That meant Radcliffe could overwrite the device configurations to inject more insulin. With insulin, you cannot remove it from the body (unless he drinks a sugary food).

The FDA position that it is sufficient for them to warn medical device makers that they are responsible for updating equipment after it’s sold and the downplaying of  the threat by industry groups like The Advanced Medical Technology Association is not constructive.

Following the proof of concept attack on ICDs by Daniel Halperin from the University of Washington, Kevin Fu from U. Mass Amherst et al “Pacemakers and Implantable Cardiac Defibrillators:Software Radio Attacks and Zero-Power Defenses”  this is a strident wakeup call to medical device vendors  to  implement more robust protocols  and tighten up software security of their devices.

Cross-posted from Pathcare

Possibly Related Articles:
10208
Webappsec->General
Healthcare Provider
Wireless malware Application Security Attacks Healthcare Network Security Medical Devices FDA Manufacturers
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.