New frontier for cybersecurity: your body

Jun 23, 2013 by Rob Lever

So far, the idea of hacking into medical devices has been limited to fiction and hacker demonstrations.

But US regulators and security experts say the threat is real: malicious actors can gain access to devices ranging from pacemakers to , with potentially fatal results.

The US Food and Drug Administration this month warned manufacturers to step up their vigilance, saying it has learned of "cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations."

Officials say they know of no deliberate hacking of medical devices. But on the television drama "Homeland," the vice president of the United States is assassinated by hackers who gain access to his pacemaker and deliver a fatal electric shock.

"The good news is that we are not aware of any incidents in the real world. But the bad news there is no science behind looking for it," said Kevin Fu, a University of Michigan professor of computer science specializing in .

"It takes just a blink of the eye for malware to get in."

Fu co-authored a 2008 research paper highlighting the risks of like cardiac defibrillators, which could be reprogrammed by hackers who get into the system's wireless network.

"My opinion is that the greater risk is from malware that accidentally gets into a device rather than the attacks in fictionalized programs," Fu said.

"Malware will often slow down a computer, and when you slow down a medical device it no longer gives the integrity needed to perform as it should."

Barnaby Jack, at the security firm IOActive, said the "Homeland" scenario was "fairly realistic," and that he would demonstrate a similar attack at an upcoming hacker gathering.

"In 'Homeland,' they required a serial number, my demonstration doesn't," he said.

Jack has been researching implantable medical devices such as and defibrillators from a major manufacturer, and said he has found the devices "to be particularly vulnerable."

He said that from a range of 10 to 15 meters (30 to 50 feet) "I can retrieve the credentials needed to interrogate the individual implants remotely."

In another publicized incident, security specialist Jay Radcliffe, who is diabetic, demonstrated in 2011 the potential to hack into an insulin pump to change dosage levels.

Security specialists say that in addition to implanted devices, hospital equipment such as monitoring systems, scanners and radiation equipment is connected to networks which could have lax security, creating similar security holes. Some heart and drug monitoring systems use open Wi-Fi connections that can be hacked.

"The vast majority of medical devices in hospitals I've been to use Windows XP or Windows 95. These are extremely vulnerable to computer malware," Fu said.

Attacks or insertion of could affect things like radiation therapy, or devices which mix nutrients for intravenous delivery, he said.

and equipment may have passwords, but these can be hacked as well, as shown in a recent report by the security firm Cylance, which obtained passwords to 300 different devices.

"We could have reported 1,000 different backdoor passwords, we could have even gone all the way to 10,000," said a blog post from Cylance's Billy Rios and Terry McCorkle. "We stopped at 300 because we felt 300 was sufficient to get our point across."

This finding prompted a warning from the Department of Homeland Security's Cyber Emergency Response Team for industrial systems, which said security should be stepped up for surgical devices, ventilators, drug infusion pumps and other equipment.

A number of computer security firms are working to help the industry, but Fu said these solutions are often the equivalent of a Band-Aid.

"Most cybersecurity problems can be traced back to the design," he said.

"I have doubts that a strategy just based on antivirus or firewalls can be effective."

Experts say that despite all the risks, people still are better off with than without these devices.

"The chance of a targeted malicious attack against someone's medical device is extremely low, and the last thing we want is for people to lose faith in these life saving devices," Jack said.

"We think that any risk, no matter how low, still needs to be eliminated. We hope by raising awareness of these issues and bringing the threats to the attention of the manufacturers, that they can take steps to improve the of these devices."

User comments : 1

Stephen_Crowley
1 / 5 (3) Jun 23, 2013
stop hiring idiot programmers and this wouldn't happen