Pacemaker hacker says worm could possibly 'commit mass murder'

Darlene Storm | Oct. 18, 2012
Barnaby Jack showed how an attacker with a laptop, located up to 50 feet from a victim, could remotely hack a pacemaker and deliver an 830-volt shock.

It seems like something is very wrong with the picture when you read the news and it sounds more like a science fiction novel than a newsflash. For example, Barnaby Jack showed how an attacker with a laptop, located up to 50 feet from a victim, could remotely hack a pacemaker and deliver an 830-volt shock.

Ruxcon BreakPoint security conference in Melbourne must have been the place to be, as RiskyBiz said it kicked off with a bang featuring “mass murder, Windows exploits, hacking Apple and owning spy agencies.” Jack was just one presenter and he showed a video that he doesn’t want released to the public since the manufacturer would be named. Maybe it’s time to name and blame, ’cause this is some seriously scary stuff!

Jack is trying to raise awareness, so embedded medical device manufacturers will beef up security. If he doesn’t have their, or your, attention yet, then know that we are headed towards malware that can murder. Besides reverse engineering a pacemaker to deliver a deadly shock from 30 - 50 feet away, he demonstrated how he could rewrite the devices' onboard firmware. Jack also said it is possible to upload malicious firmware to servers that would be capable of infecting pacemakers and ICDs. “We are potentially looking at a worm with the ability to commit mass murder,” Jack said. “It's kind of scary.”

SC Magazine reported that Jack said these attacks would be like an “anonymous assassination.” The killer would need no weapon other than a laptop and the assassination would leave no smoking gun. Jack added, “The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range.”

The FDA may be looking at the effectiveness of medical devices, but it doesn’t audit the code, Jack said. Maliciously crafted code has previously tainted software updates for lifesaving medical devices, and reporting on the malware really ticked off the manufacturer. But hey, that seems minuscule in comparison since Technology Review reported that medical equipment is “riddled” with malware and government officials found “computer viruses are ‘rampant’ on medical devices in hospitals.” Hospitals run older Windows operating systems that are not patched or protected with antivirus programs because officials fear the modifications will “run afoul” of FDA regulations.

 
