In 2008, security researchers at the US-based Medical Device Security Centre demonstrated that pacemakers and defibrillators could be wirelessly hacked.
The work brought to light a small but dramatic line of research which blew the lid on slack information security practices within the design of medical devices.
The flaws have very real and deadly consequences to those relying on some of the world's most trusted medical brands. The research has revealed attackers can cause pumps to flood bodies with insulin and pacemakers to switch off or deliver fatal shocks.
Such risks heightened after 2006 when the US Federal Drug Administration (FDA) authorised the use of wireless medical devices. Since then, the number of pacemakers and Implantable Cardioverter Defibrillators has risen from 350,000 and 173,000 to more than 3 million and 1.7 million respectively.
These risks are something that Barnaby Jack, a forefront researcher in the field has been keen to address. His recent research caused shockwaves when it was shown how a transmitter could deliver deadly 830 volt electric shocks to pacemakers at over 30 feet.
He even found attackers could rewrite the device software so that it could infect other pacemakers within wireless range via a hidden function that would ping nearby devices.
Jack points out that when implantable medical devices are “woken up” and paired, and the communication protocol is understood an attacker essentially has full control over the device. “You can read and write to memory, rewrite firmware, modify pacemaker/ICD parameters, deliver shocks, and so on,” he says.
His research has also revealed a lack of obfuscation within terminals that communicate with pacemakers and even found usernames and passwords for what appeared to be a manufacturer’s development server.
Hollywood has perhaps unsurprisingly paid attention to the line of research: Late last year, the TV series Homeland wove elements of the 2008 implantable medical device hack into its script. More surprisingly, Jack says much of the representation was on track.
Researchers at security outfit Cylance had this year discovered critical vulnerabilities in two popular medical management platforms used in a host of services including assisting surgeries and generating patient reports.
The flaws allowed researchers to gain remote root access on the devices and from there administrative access to a host of patient data stored in connected databases.
Jack and his fellow researchers are of course not out to cause harm. Indeed they brave legal threats to push the device manufacturers to fix the flaws in their products and ensure security is better considered in their design.
Recent reform efforts have seen a US Government policy group ask the FDA to set security standards for medical devices. In the subsequent Cylance research, the FDA and US Department of Homeland Security stepped in to pressure the vendor to fix the affected system.