Network World
Saturday, November 22, 2008

Security Phreak


The Cardiac Hack

I always hoped this day would never come....

However, after reading the articles by Wired, The NY Times, CNET and Slashdot, I knew that this day had arrived.

The day that hacking had branched out into an area that was murderously evil.

As a former career hacker, I am able to understand the illegality and unethical nature of my past. However, having never physically hurt anyone, acted violently or demonstrated malicious intent (unless truly deserving), I am able to live with my past by rationalizing my actions as intangible, digital, and/or virtual. To a degree, I think all former black-hats, myself included, adopt the childish and naïve justification: "How much harm could I have done, by just typing on a keyboard?"

This is no longer true. Hacking cardiac pacemakers crosses the line of intellectual curiosity into that of unquestionable and unthinkable criminal behavior. I am aware that the researchers who performed the study used a standalone device, and that their intent is to address the security needs of implanted medical devices. Furthermore, there have been no known cases of medical device hacking. However, I had always hoped that we would never have to address these types of security issues.

One of the few factoids left out of my brief biography is that I am obsessed with knowing how everything works. As a result, I have spent a bit of time in academia, and subsequently collected several degrees. The one machine that is more complex than any computing equipment to date is the human body. Therefore, I studied medicine and became a doctor. Not a practicing one, but I do have a medical degree, and I did play "doctor" for a couple of years. So let me remove my grey hat for a moment, and put on my white coat, to talk about why I found this news so disturbing.

The heart is a four chambered structure, which serves as the motor that drives the cardiopulmonary system.  This life-sustaining organ is essentially a large muscle, composed of cardiac muscle fibers.  The chambers consist of two atria, receiving returning blood flow, and two ventricles, which pump the outbound circulatory blood supply.  These atrioventricular (AV) pairs, and adjoining valves, are responsible for arterial circulation (carrying oxygen rich blood through your body) and pulmonary circulation (moving oxygen depleted blood around the lungs for oxygen repletion).  Throughout the average lifespan, the human heart beats about 2.5 billion times, delivering approximately 1 million barrels of blood.

When referring to a heart "beating", we are actually talking about the synchronized muscular contraction of the chambers, and the blood movement through its valves.  We are all familiar with the voluntary contraction of skeletal muscle, which provides conscious control of our movements.  Our motor control is achieved by the conduction of electrical impulses, through nerve pathways, ending in muscle stimulation.  All muscle tissue responds in this way to an electrophysiological stimulus.  Even though it is not consciously controlled, cardiac muscle is no exception.

Instead of receiving electrical signals of cerebral origin, the heart contains its own system for electrical stimulation. The sinoatrial (SA) node acts as the body's natural pacemaker, regulating the rate of conduction, better known as our heart rate. In cases where the SA node is not able to generate the electrical impulses needed to sustain life, an artificial pacemaker is used. (For simplicity, I will not go into the roles played by AV or ventricular conduction systems, and the effects of autonomic innervations.)

Now back to the world of computer science. 

We have a self-contained, battery-operated device, generating electrical impulses. Additionally, this device will need to be monitored, reconfigured, or updated at regular intervals. Since it can't be directly accessed, some form of telemetry or remote analysis must be employed. A technique known as transtelephonic monitoring is primarily used to assess a pacemaker's performance. However, to reprogram or adjust settings, a computer is used in close proximity to the device.

Based on the information I just provided, anyone using a computer (which means you, since you're reading this blog) or who's completed 8th grade should be able to figure out that some sort of radio device is involved. Those who've completed high school will note that, in order to program and verify its settings, a radio transmitter and receiver are required. Finally, unless you're a cardiologist or a pacemaker recipient, you probably don't (need to) know much more about pacemaker telecommunications.

Hacking has always been centered on intellectual curiosity, the need to know how things work, and the desire to modify and rebuild technology in new and different ways (and of course, voiding the warranty). Wireless technology has been an attractive medium for hackers, providing a challenge with varying bands and protocols, and communication speeds and distances. It is the "few bad apples", the malicious hackers (crackers), who are of concern. If they feel the need to engage in wireless digital crime, I hope they remain content with setting up rogue APs and cracking WPA, as opposed to hacking pacemakers.

If there ever was a time when a proof-of-concept needs to remain a proof-of-concept, that time is now.

I sincerely hope that we don't see the day when "cardiac arrest" becomes a legal term.

I accept Medicare and Medicaid. To schedule a new patient appointment call: greyhat@computer.org


I think it's important that this be brought to light NOW before its usage becomes widespread. This way the security issues can be resolved.

Google on SCADA security and you should be able to understand where I'm coming from.


Well, as someone who works in the medical device field, I think the "release" of this information puts a huge burden of worry on a population that probably isn't equipped to understand the context between "showing it is possible in a lab" and having it happen to my 79-year-old grandmother, who is now totally freaked. We aren't talking about computers, or firewalls, or web sites here. We are talking about something that is keeping millions of people alive every day - the way this was released and positioned was as if it was a computer virus. There is a right way and a wrong way - this is the wrong way in this context, in my opinion. The number of companies that make these devices is small - they could have been notified without the big splashy press release etc. - if the authors really cared about the people with these devices, they wouldn't have released the information the way they did. They don't really care about these people - they are trying to get ink and make money. FT

What we can learn from the cardiac hack


We could all learn from this, presuming that what we could learn is something we don't already know. The lesson is that security is important in everything we do. No matter how obscure the application you are working on, someone out there somewhere will find a reason to hack it, so you should be thinking about security all the time in everything you do. Of course, we really do all know that already, so the real lesson here is how to argue with your boss that there might be some economic or legal reason to do the job right, rather than doing it quickly and (short term) cheaply. Keep a copy of some articles on this hack around, and pull them out when you need them.

Companies need pressure like this to do the right thing


On the contrary; these people do care about the users. Most companies don't do things they don't have to. Making this announcement does scare people, and that in turn puts pressure on the device manufacturers to do something about it. It is very unlikely the device manufacturers would do anything about this if they were notified privately. They would probably think that this is not a likely threat and they would put it on their work list at a low priority to do "someday". Do you really think that this never occurred to anybody in their engineering department? The vulnerability is obvious. Solving it just wasn't a priority for the company because nobody was complaining. Now maybe it will be.


About Security Phreak


With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding at an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980 when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "Phone Phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.

His clients have consisted of Fortune 500 companies and various government agencies.

He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
