With the potential impact from the Dyn cyberattack still making itself felt in the cybersecurity world, it's no surprise that companies and researchers are starting to consider other vectors from which a remote attack could be launched. With the vast majority of devices in the botnet that was responsible being cameras, phones and even microwaves with inadequate security, it's clear that there is an issue with security across a wide range of devices.
What if such a device was implanted inside you and monitored your vital functions? What if, for example, it was a pacemaker? Researchers from Belgium and the United Kingdom have demonstrated that it's possible to hack into various medical devices and potentially kill someone due to the manufacturer's inadequate security.
Unlike the items in the Dyn cyberattack, pacemakers and other medical devices are not controllable via the Internet — at least not yet. However, they are remotely programmable, and inadequate security means that it's possible to intercept information and even flatten the battery or send signals that cause it to malfunction or operate in a way that is detrimental to its host.
Inadequate security was noted with 10 major types of pacemakers, as the manufacturers mostly focused on the design of the pacemaker without regard to securing the data sent to and used by the device. Rather than securing it with well-understood and open security protocols, they chose to use proprietary systems that had significant security flaws. Some pacemakers had previously used open channels without any form of security. With countless experts urging people to secure their personal devices, this oversight on such a vulnerable system is unsettling.
Because the manufacturers used what the researchers described as "security by obscurity" rather than securing devices in a responsible way, the researchers were easily able to decode patient data from the individual pacemakers and alter the signals they produced. Consequently, they were also able to send repeated messages to the device to prevent it from entering sleep mode, thereby draining its battery significantly and lengthening the amount of time it was vulnerable to an attack. The team also noted it did not have access to any documentation provided by the manufacturer.
However, the devices studied required the pacemaker to be activated before it would accept commands remotely, and it required placing a magnetic programming head within an inch of the skin. Unfortunately, once that happens, the device remains active for at least two hours, so it could be reprogrammed once the patient left the doctor's office, which left open the possibility for intrusion.
Due to the inadequate security of the devices, there's also no way to adequately secure them at the moment. Consequently, the only way to defeat such an attack would be to carry a signal jammer, an option that's not particularly practical. The researchers note that it's clear that the manufacturer needs to rectify this inadequate security rapidly in order to maintain the safety of its devices.
Photo courtesy of khuruzero at FreeDigitalPhotos.net