Vulnerability in Networked Prosthetics Exploited
Date posted: 23/10/2012
Posted by: Site Administration
This story is from the category: Augmenting Organics

At the Breakpoint 2012 cybersecurity conference on the 18th of October, Barnaby Jack, a Research Architect with the TRACE research team at McAfee, demonstrated a critical weakness in pacemakers. Specifically, he was able to reverse-engineer the specs of the transmitter contained in every modern pacemaker – used to update firmware without requiring additional open-heart surgeries – with lethal consequences.

He demonstrated how the firmware could be rewritten with malicious intent to trigger a single massive discharge of the pacemaker's power supply, all in one burst. The result was an 830-volt electrical shock, more than enough to permanently stop the person's heart.

Assassination via the internet, in essence.

Worse, he found each device was happy to return its model and serial numbers when he probed it, and even the details of the update server it receives normal updates from. Upon probing those servers, he found no attempt to apply obfuscation security to the firmware update process, largely because nobody had anticipated a human trying to gain entry that way. He even managed to gain superuser access on the server via that method, giving him the ability, if he so wished, to send the kill-code to every pacemaker in communication with that server and commit mass murder.

He refuses to divulge the name of the manufacturer he probed in this manner, for obvious reasons. However, the lack of security in general is an incredibly dangerous oversight in an increasingly interconnected world.

As we grow ever closer to an Internet of Things, and as we continue to implant more of those intelligent things inside our own bodies in the form of prosthetics, it becomes ever more critical to ensure a high standard of security on these devices. To do otherwise is to invite harm to the users of prosthetic devices, up to and including their deaths when – when, not if – those devices are ultimately hacked into.

“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range,” Jack said.

He was developing a graphical administration platform dubbed “Electric Feel” which could scan for medical devices in range and, with no more than a right-click, enable shocking of the device and reading and writing of firmware and patient data.

“With a max voltage of 830 volts, it's not hard to see why this is a fairly deadly feature. Not only could you induce cardiac arrest, but you could continually recharge the device and deliver shocks on loop,” he said.

Needless to say, something has to be done to correct this major security hole. As it stands, our intelligent technological web is endangering life through the same method by which it saves those very same individuals.

See the full Story via external site: www.scmagazine.com.au