In the future, someone else might own your prosthetics.

19 March 2008

..and I don't mean the finance company.

I know this is late in coming, but real life has a better framerate sometimes. Anyway, a security research outfit called Secure Medicine, following in the footsteps of security researcher Gadi Evron raised some interesting questions about the current generation of biomedical cardiac implants in use these days, such as pacemakers and LVADs (left ventricular assist devices). Due to the fact that these devices are remotely controllable to a certain extent via wireless data link they are vulnerable to compromise by attackers and may be manipulated. This sounds asanine, but LVADs are implanted deep within the thorax and as such require major surgery to make even minor adjustments to. The main modules of pacemakers are closer to the surface of the body but still require minor surgery if they're going to be worked on. Wireless control methods make it possible to tweak the functional parameters of these devices without having to open the skin and reach inside, which I think we can all agree is a good thing. However, as with many products security was the last thing the engineers had in mind when the designs hit the manufacturing plants. Under laboratory conditions, the security researchers were able to reprogram an implantable defibrillator to deliver what would be a lethal jolt to an adult human.

Not good.

Of course, they're quick to point out that this required $30kus worth of equipment in a fully equipped laboratory, but if you've spent any time in the infosec community at all, how much money you can throw at a project doesn't necessarily define what can happen, but sheer brainpower does. Case in point: Hacking RFID chips, which you don't need a lot of equipment for, only basic tools and some freely available software like RFIDiot. It's not too difficult to find RFID developer's kits on the open market for pennies on the dollar, and it's only a matter of time before develkits for medical implants start showing up.

Two manufacturers of cardiac implants, St. Jude Medical and Boston Scientific, went on the record stating that their products incorporate certain security technologies that would preclude anyone from compromising a device, but declined to state what they were. Of course, not knowing what kind of security is in place means that the countermeasures are immediately suspect - if no one's examined them, how can you trust them? It seems reasonable to hypothesize that the infosec community will probably start performing security audits on medical devices within the next couple of years as a result, especially given to the fact that some are designed with long range communications capability so that they can be remotely monitored.