Hackers 'can gain access to medical implants and endanger patients' lives'
09:45 GMT, 10 April 2012
It may sound like the plot of a modern thriller movie, but security researchers say many medical implants are vulnerable to cyber attacks that could endanger their users' lives.
An increasing number of patients are being fitted with devices such as pacemakers and insulin pumps to manage chronic conditions.
Vulnerable: Barnaby Jack shows how he can hack the insulin pump fixed inside a mannequin using a laptop and antenna
An expert has now warned hackers could gain remote control of such implants because they rely on unprotected wireless links to update them.
After gaining access to the device, a cyber criminal could then switch it off or tell it to deliver a dangerous dose of medicine to the patient, potentially killing them.
Researchers said although there hadn't been any known attacks to date, far more work is needed to protect implants from malicious actions.
Barnaby Jack, an analyst at security firm McAfee, has revealed how he was able to hijack a well-known make of insulin pump within two weeks by hacking its radio signals using a small antenna. He was also able to disable security alerts that warn the user something is awry.
He told the BBC: 'We can influence any pump within a 300ft range.
'We can make that pump dispense its entire 300 unit reservoir of insulin and we can do that without requiring its ID number.'
An ordinary insulin dose would be five to 10 units after a meal to regulate blood sugar. An entire cartridge would therefore spell deep trouble for the patient.
One problem medical firms face is that the devices can't be updated at present without being recalled, unlike laptops or mobiles that regularly receive security updates.
'These are computers that are just as exploitable as your PC or Mac, but they’re not looked at as often,' Mr Jack told Bloomberg last month.
'When you actually look at these devices, the security vulnerabilities are quite shocking.'
Wireless: Pacemakers, as seen in this X-ray, could be switched off if successfully hacked
Mr Jack said medical companies had shown a complete lack of foresight into how vulnerable wireless medical devices could be.
However, the firm Medtronic, which produces one of the insulin pump models hacked by Mr Jack, said it was doing 'everything it can' to address security flaws.
'This is an evolution from having to think about security and safety as a healthcare company, and really about keeping people safe on our therapy, to this different question about keeping people safe around criminal or malicious intent,' Catherine Szyman, president of Medtronic's diabetes division, said.
Researchers from the University of Massachusetts have been working on improving the security of cardiac devices since they discovered in 2008 that a defibrillator could be reset by a hacker to deliver a shock that might prove fatal.
Cybercriminals have yet to target medical implants, but researchers say this could happen in the near future
In August last year, Professor Kevin Fu revealed they had created a wearable 'shield' device that can emit a jamming signal when an active attacker establishes an unauthorised wireless link between a pacemaker and a remote terminal.
If a jamming device blocks all transmissions on the implant frequency with radio 'noise', it prevents the doctor as well as an attacker from receiving the data signals.
The 'shield' allows doctors to access the data but stops passive eavesdroppers and active attackers.
While it doesn't jam all signals, Professor Fu said it could block a sophisticated adversary until they were within five metres of a victim's implant.
In the UK, the Medicines and Healthcare products Regulatory Authority (MHRA) said they had yet to receive any reports of medical implant hacks.
'We closely monitor the safety and performances of all medical devices and take action to ensure the safety of patients,' a spokesman said.