At last year's Chaos Communication Camp in Germany, security expert Gadi Evron gave a talk called "Hacking the Bionic Man," painting a possible future in which devices implanted in people could be compromised as easily as today's
A team of researchers from the University of Washington and the University of Massachusetts say in the report, published as a .pdf on www.secure-medicine.org, that they were able to gain wireless access to a combination heart defibrillator and pacemaker.
Once they had access, the researchers found a way to reprogram the device to deliver electric jolts and turn it off.
"We successfully triggered command shocks via replayed commands even after turning off all of the ICD's automatic therapies," the researchers said, adding that they also figured out how to access personal data by eavesdropping on signals coming from the implant.
"We were able to find clear text representations of a wide range of what would have been patient data in captured transmissions," the researchers said, noting that they experimented with artificial patient data they stored on an ICD and did not experiment with real patient data. "Even without knowledge of the semantics of the packet format, these data are easily extractable."
The researchers were quick to point out that such attacks aren't going to happen today. Evron agrees, but said it's a real threat for the future that device makers should start preparing for today.
"One of the things I was pointing out during my talk last year is that more advanced cybernetic technologies are coming," said Evron, a prominent Israeli researcher who has, among other things, helped investigate massive cyberattacks that sent the Web-dependent nation of Estonia reeling last April. "My main concern is that we know every program written by humans has bugs. In an environment as complex as the human body, there is more vulnerability to be had."
He said that when looking at the current threat landscape, one must consider if they'd really be comfortable putting a hackable device in their body. Evron personally would not be comfortable with it, but said there are plenty of people who wouldn't necessarily have a choice.
"The software world has had 20 years to work on a better process for flaw disclosure and secure coding, but the medical world has not had this experience," he said.
Dave Aitel, chief technology officer of Immunity Inc., said Evron's concerns are not far-fetched. There's good incentive for the medical establishment to use wireless technology to connect people's internal devices to their doctors, which means it's something the information security community will have to assess.
"There are pushes in California to have a household network that connects your power company to your air conditioner and other equipment, but having access to someone's health information is even scarier, especially if you can adjust dosages or otherwise control them," Aitel said in an interview conducted over IM.
Evron hopes recent developments will encourage medical device makers to start thinking about security now, before the theoretical becomes reality in 10 years.
"I'd like to see stricter regulation for these entities," he said. "We shouldn't wait 10 years before we start making the security demands. We should start working security into these products now."
The team behind the latest research said the goal of their work is to turn Evron's hopes into reality.
"To our knowledge, no IMD patient has ever been harmed by a malicious security attack," they wrote. "While our research demonstrates that such a scenario is possible, our goals in conducting this research are to demonstrate that IMD security and privacy vulnerabilities exist; propose solutions to the identified weaknesses; encourage the development of more robust security and privacy features for IMDs; and improve the privacy and safety of IMDs for the millions of patients who enjoy their benefits."