An X-ray of a pacemaker in someone's chest. (Photo via)
Update: Barnaby Jack, who could hack pacemakers in order to kill patients, was confirmed dead this morning by the San Francisco Medical Examiner's office. As of now, no cause of death has been reported. He was scheduled to speak next week at a Las Vegas hacker conference about how to hack implantable medical devices in humans. Here is our interview with Barnaby that was originally published on June 25.
Having your heart wirelessly hacked and set to explode at 830 volts could be viewed as a bit of a setback if you're considering getting a pacemaker fitted. It could also be viewed as the kind of thing that would only happen in a Jason Statham movie about a serial killer with an irrational hatred of severe arrhythmia sufferers. But it's not.
Earlier this month, the FDA sent a report to medical tech manufacturers warning against backdoors in their devices' computer systems. They were told that these flaws in security could allow hackers to access life-saving heart and kidney equipment, tamper with it and potentially kill the patient. Which I'd imagine is the last thing you'd want on your mind when your heart and kidneys are already so bad that you need special technology to keep them going.
Barnaby Jack, the director of embedded device security for computer security firm IOActive, developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. He also came up with a system that scans for any insulin pumps that communicate wirelessly within 300 feet, allowing you to hack into them without needing to know the identification numbers and then set them to dish out more or less insulin than necessary, sending patients into hypoglycemic shock.
Also slightly worrying is the software used in rudimentary hospital equipment. Relatively important medical devices—such as heart and blood pressure monitors, for example—use old software that is incredibly vulnerable to malware. Meaning anyone inclined to do so could corrupt the software, make it display the wrong vital signs and fool doctors into administering unnecessary medical procedures.
Of course, none of this is that likely to happen, unless a very niche brand of dickhead decides to take an interest in the hacking of specialist medical devices. But I thought I'd give Barnaby a call to settle my nerves anyway.
Barnaby Jack. (Photo courtesy of Barnaby Jack)
VICE: Hi Barnaby. So, why did you decide to reverse engineer the pacemaker?
Barnaby Jack: I was intrigued by the fact that these critical life devices communicate wirelessly. I decided to look at pacemakers and ICDs (implantable cardioverter defibrillators) to see if they communicated securely and if it would be possible for an attacker to remotely control these devices.
And you found it was possible?
Yeah, the software I developed allows the shutting off of the pacemaker or ICD, reading and writing to the memory of the device, and in the case of ICDs it allows the delivering of a high voltage shock of up to 830 volts. I wanted to look at these devices with the aim of demonstrating and raising awareness of the issues I found, then hopefully spark the manufacturers into implementing a more secure design.
Is it difficult to hack into these devices?
It does take a specialized skill, but with more and more security researchers concentrating on embedded devices, the skill set required is becoming more common. It probably took me around six months, from reverse engineering and finding the flaws through to developing software to exploit the vulnerabilities.
If, say, a government official used a pacemaker, would they be vulnerable to assassination from hackers, like in that episode of Homeland? Or do they use better defended devices?
I wouldn't feel comfortable speculating about such a scenario, but as far as I'm aware there are no differences in the implantable devices issued to officials as there are to the general public.
OK. Were there any other medical devices you worked out how to hack into?
Yeah, we had previously looked at insulin pumps and we found a severe vulnerability in the most popular model.
Is anything being done about that?
We notified the manufacturer of the vulnerability and it will be fixed with the next insulin pump revision. As for our work regarding the implants, we are actively engaging the manufacturers to discuss solutions.
Do you think, in the future, devices like bionic arms or legs could also be hacked and tampered with?
If the devices can be accessed remotely, there's always a potential for abuse.
So why are these devices designed with back doors that can lead to tampering?
There's valid reasoning behind having emergency methods to interrogate these devices. After all, these devices are implanted, and forgetting credentials would require cutting someone open [so they're made wirelessly-accessible so that doctors don't need to cut people open to make changes]. Our main concern is the distance in which these devices can be reprogrammed.
I've heard that many hospitals use out of date software that could potentially be full of malware. Does that pose a potential risk to people's health?
Yes, many hospitals are using out of date software, and malware is known to be rampant on hospital networks. Hospitals often don't update their software as they're afraid of running afoul of FDA regulations. I think there is certainly a potential health risk, particularly if malware infects critical machines.
Some stories about slightly more conventional weapons: