Researchers from UK and Belgium have jointly conducted a research and concluded that hacking into implantable medical devices or IMDs is as easy as counting from one to three. The research was documented in a paper titled “On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them.”
The benefits of IMDs cannot be overlooked but at the same time it is claimed that these are very vulnerable devices and to hack them is not a big deal at all as it doesn’t even require advanced social engineering skills from cyber-criminals. As soon as the attackers get control of the device, they can perform a variety of devastating actions such as killing the patient. All that is required is pushing a button.
In their paper [Pdf], researchers identified that these compact heart devices fully rely upon a proprietary wireless communication system. In a majority of cases, this communication system utilizes a long-range Rf channel. This channel can be easily hacked by attackers/cyber-criminals without even being close enough to the device. When the attackers are able to intercept the connection between the IMDs and the monitors, they can carry out a variety of attacks such as DDoS attacks or reverse engineering.
“All these attacks can be performed without needing to be in close proximity to the patient.”
Through compromising IMDs the cybercriminals can control the device and compromise its security system altogether, which is indeed an issue to be concerned about. It hints at the fact that smart devices like the IoTs and IMDs that use a wireless network to communicate aren’t reliable at all as these can be easily compromised by even non-expert hackers.
While discussing what kind of attacks can be conducted and how poor is the security researchers said that:
“We want to emphasize that reverse-engineering was possible by only using a black-box approach. Our results demonstrated that security-by-obscurity is a dangerous design approach that often conceals negligent designs,” the researchers stated in the paper. Our first attack consisted of keeping the ICD alive while the ICD is in ‘standby’ mode by repeatedly sending a message over the long-range communication channel. The goal of this attack was to drain the ICD’s battery life, or to enlarge this time window to send the necessary malicious messages to compromise the patient’s safety.”
The researchers recommended that to mitigate such threats, it is a wise idea to jam the signal. But it is a short-term remedy. To implement a more powerful security system, it is advised to enable standby mode when the communication isn’t taking place.
This is not the first time when researchers have demonstrated how life-saving medical devices can be life-threatening for patients. In 2015, it was revealed that hackers can take over drug pumps and remotely deliver a fatal dose of the medication to a patient.
That’s not all, about two months ago, researchers presented a video demonstration of how Johnson & Johnson’s insulin pumps are vulnerable to cyber attacks. One can only hope that experts will learn from this research and fix these vulnerabilities.