American researchers have proven it's possible to maliciously turn off individuals' heart monitors through a wireless hacking attack. Many thousands of people across the world have the monitors, medically known as implantable cardiac defibrillators (ICDs), installed to help their hearts beat regularly. ICDs treat abnormal heart …
Scare story much?
"We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack."
Then what have they proven exactly?
Not to sound harsh, but that's like saying hundreds of nursery schools around the country are open to bomb attacks as they are completely unguarded. You'd have to be a pretty sick individual to hack a heart monitor, but you'd also be the first. Oh no, wait. They were.
tell that to...
I'm sure all those bigwig political types will rest easier knowing that they're possibly carrying their own execution device... 10 meters in a crowded area is more than enough for broadcast purposes. scary.
Would this become the ultimate DoS attack??
Mine is the white one with the stethescope in the pocket...
Great plot for a novel though...
Starts with The President suffering a series of minor heart attacks at key moments. Next, he has The Big One, and dies.
Of course, it turns out that his heart was being controlled by terrorists (or maybe his jealous, twisted wife) all along!
We are almost there...
We are gradually getting to the dystopic(?) future portrayed by the anime series "Ghost in the Shell." As more and more of our daily lives becomes integrated with something that monitors, connects, controls or "enables" us and our things with actions and information, this will become an increasingly pertinent topic of discussion.
Pretty soon, I expect, we will see devices like this (http://www.dealextreme.com/details.dx/sku.8758) covering other frequency bands as well, until we are little bubbles of "broken" technology dragged along by our embarassingly pathetic fleshy bodies <grin>.
... and people wonder why I want to retire on a farm in the middle of nowhere.
Oh boy - I can see a flood of schlocky b-grade 'thriller' spy movies
so it would cost someone ~$30k to put together some kit to attempt to kill someone with a heart monitor, someone of a weak heart. surely anyone in that state will react just the same way with a knife to their throat? cheaper and simpler to do, no smarts necessary.
so what was the point of the research?
In tomorrow's news, researchers show how they can kill someone at 10 paces who has 11 toes using equipment costing 10million. scary stuff...
30k... the vice president.....? Disgraceful thought....
No sense of humour
"The Security Center demonstrated the hack on an ICD made by Medtronic using a PC, radio hardware and an antenna. The ICD was not in a patient at the time."
...Where's the fun in that?
Incidentally, have any of the board members of Phorm got dicky tickers? Just asking, no reason.
**quietly awaits the release of ineritance_now.exe **
just how close do you have to be?
can you fit some kind of cantenna to your death ray to increase the distance?
you'd have to be pretty messed up to do this, but then there are plenty of messed up people in this world.
how many politicians living a sedentary life style have this kind of device fitted? will this be the new form of revolution? what sort of security are they fitting to these, and lastly. isn't a gun a far more accurate for of assasination than rendering an ondemand heart device inactive?
surely those with the intent to kill would use a $100 gun rather than a $30,000 deathray?
Battle Royale Necklace
To those who've seen this film, doesn't it just sound like the necklace, especially if they go with the alarm idea.
You're walking along and suddenly your chest starts wailing away and you know you've got 10 seconds left... the hacker wouldn't have to do anything, that shock alone would probably kill you.
This is a security story. It should be "Lock *down* your grannies".
I'm safe if only authorized people can kill me?
If I'm wearing a machine capable of killing me, I want it to beep whenever _anyone_ capable of hitting the kill switch accesses it, not just when unauthorized personnel do.
As for feasibility - $30K to induce a heart attack is too much if the goal is assassination and the killer doesn't care about getting caught. If the killer wants not to be caught and the target has a decent life insurance policy or middling political importance... people have spent more than $30K on a few seconds of advertising time.
re: so what was the point of the research?
Well I would have thought it would be quite an effective way of killing someone and getting away with it. Once you had built the kit you could leave it somewhere the target was going to go and activate it at your leisure. By the time plod has realised someone has reprogrammed the deceased pacemaker you could have recovered your device. £30K for the kit to get away with murder seems pretty cheap to me! If I had a pacemaker and had reason to think people might want me dead I’d be worried.
/mines the one with the gauze lining and the tinfoil hat...
More a worrying symptom of so much of modern technology and it's designer's complete disregard for security. Radio networking and comms is only going to get more prevalent, after all.
Sure, it costs 30k now, but give it a couple of years and a few clever people working with software defined radios or even less complex off the shelf kit and suddenly it will be within everyone's reach.
This is infuriating; given the widespread availability of perfectly good encryption techniques there is really no excuse not to be using them. I can only assume that it will take legislation to try and discourage this sort of irresponsible design, and given the general knowledge of security found in so many governments and their agencies I'm not feeling confident.
Anyway, I'm off to the gym.
Given you can disable an ICD with a strong magnet (which I believe is a deliberate design feature), going for the wireless approach seems a little complex.
Also, things like TETRA radios are considered quite capable of inhibiting operation.
A quick look through the instruction manual supplied post-implant also suggests all kinds of other things which have a negative impact.
Whatever you did is going to show up in the internal diagnostic log anyway, so better to stick with a simple attack than going for some complex & expensive method.
Though of course that wouldn't make for such wide publication....
A manual on/off switch on the remote control parts, perhaps a subcutaneous magneticly operated reed switch?
Paris: she loves objects under her skin.
Contrary to seemingly popular opinion, this really is relevant, and the risks are not negligible. Poor design and implementation breeds more poor design and implementation. The fact that there are no known exploits in the wild does not mean that the problem should be ignored.
There have been no home robberies in my neighborhood for several years, but I still lock my front door.
The lax approach to security in the medical field is astonishing.
Paris, contrary to popular opinion.
conveinece over security
just like anything wireless, pay orders of magnitudes more than than the cabled alternatives, and get reduced service....
why on earth not have a simple cabled system would cost a lot less all you would need would be some locating lugs on the device and a couple of pin pricks as the interface gets plugged into you.
i mean if you have gone through the discomfort of having one fitted, having a hyperdermic USB connection aint gonna bother you
...christ i sound like captain cyborg :-S
mines the exo skeleton with the rfid chip in the arm
Their hacking equipment cost $30000 because of that fancy oscilloscope shown. It wouldn't surprise me if it cost $29000.
The paper states the frequency and encoding protocol. Hackers don't need the fancy oscilloscope now. Taking into account what a hacker already owns, that cuts the cost down to maybe $50 for a short-range model. Boosting the range to a few city blocks would require maybe another $100 in parts.
I bet Cheney goes in for an operation soon.
What's the Penalty
I wonder what the law has to say about this. Whats the penalty for affecting someone doing this?
Many of you keep flaunting the cost as a limiting factor.
It cost 30k in laboratory conditions, to find the exact equipment needed. Now that they know what's necessary, compacting and cheapening it is right up the market.
RE: Scary Stuff
DoS ? wouldnt that be DoL attack
Denial of Life attack :)
What protection is there against *accidental* re-programming or DoS?
Regarding the 30k price tag, it is a radio transceiver and a computer. Medtronic paid $30k for theirs. That doesn't mean someone could put something together for less.
In fact, my main worry would be someone accidentally re-programming or operating the IMD. What protection is there against that? Could it be done by a hacker with a laptop and an standard wireless NIC card? Would the wireless NIC card need to be modified? Could it be done with random noise from a faulty electric motor?
And how can we be assured nobody has ever died to their IMD being intentionally re-programmed? If the device was intentionally re-programmed, would the attacker revert the programming back once the victim had died? Would anyone even check the state of the program in the IMD?
Needs to be close by.
Having done some work for one of these companies (it was a few years ago!) my understanding is that the "controller" (actually a laptop PC) needs to be in close proximity to the "subject". They usually use "induction", not radio frequency to couple to the device implanted (at least that is what I saw).
Yes, security is not something the device vendors, or the FDA thinks about. Lots of medical devices have "unpatched" windows environments because the vendors haven't gone thru the process of verification with the latest of windows patches. Most of the time these computers are not connected to a network (they usually don't need to be!), but sometimes they do get connected, and then the malware arrives with evil intentions.
On the ICD I did some work on they used a 65C02 processor, which they needed to get certified outside the normal supply chain (look at any datasheet for ICs and it usually says "not for life critical..."). Then they need to get ALL the software to pass FDA rules (lots of time and $$$). By the time everything is done, the development cost is HUGE. Then they deploy the stuff, and the added cost of a laptop per inplantable device is "small potatoes", so they just build it into the kit.
In my book the big problem is the controlling box (laptop) used to program the implant to do its thing (parameters per subject). As usual, security isn't a big consideration since most of the development is in an isolated environment.
It was interesting how the company "solved" problems in the test environment. It ended up being 4 (yes four) Windows boxes (it was W95) and a logic analyzer to test the ICD which had a 65C02 processor (same as Apple 2). Need something, add more hardware! In order to get the timing for the network between the 4 cpu's right, they even incorporated a relay to cutoff the network from outside the 4 cpu's. Oh, well. It was windows, they didn't even try anything else.
A lot cheaper than 30K
That kit may have cost 30K, but I am betting it can be do for under 1K, probably about $400.
Well it is a dog eat dog world, I wouldn't put is past some young exec to put 1 and 1 together, and see that getting to the top may involve a bit of heartbreak.
It use to be the case that the medical world was off limits to hackers, a sort of unwritten agreement, but with governments using the medical world to build the id databases, that has sort of been rescinded. Bit like using the red cross for spying missions, they are now targets because of it.
I would imagine that EMP devices would be on the up as well, there I would blame speed cameras, people are taking axle grinders to them, how much easier would it be to just zap them. And of course EMP could be used against a slew of modern security surveillance devices, with the side effect of knocking out the cyborgs with unprotected pace makers.