Wednesday, October 17, 2012

Remote attack turns off pacemakers

This is pretty bad:
IOActive researcher Barnaby Jack has reverse-engineered a pacemaker transmitter to make it possible to deliver deadly electric shocks to pacemakers within 30 feet and rewrite their firmware.

The effect of the wireless attacks could not be overstated — in a speech at the BreakPoint security conference in Melbourne today, Jack said such attacks were tantamount to “anonymous assassination”, and in a realistic but worst-case scenario, “mass murder”.

In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he issued a series of 830 volt shocks to the pacemaker using a laptop.

Of course, the wireless interfaces to the pacemaker were never designed to be secure. Hey, what could possibly go wrong?


4 comments:

drjim said...

Well....like a lot of network protocols it wasn't designed to be secure as nobody ever thought of malicious attacks.
But then we both already knew that, didn't we?
:-)

Old NFO said...

Yeah, yet one MORE thing that is not secure because 'nobody' thought about it... So to speak...

Dave H said...

I'm less inclined to believe nobody thought about it, and more inclined to believe that management said "We've got a deadline and it's a low probability anyone would try to exploit it. We'll close the hole in version 2."

Don't ask me why I think that.

lelnet said...

You had me at "wireless interface" and "pacemaker" being in the same sentence.

I mean seriously...WTF, people?

There IS NO WAY to make that as secure as it needs to be, in the real world, without dropping whatever functionality you built it for in the first place. So just DON'T DO IT!

I'm not even buying "they should have designed security into it". Show me a security architecture for that thing, and in 10 minutes I can show you a way that a determined would-be assassin could bypass the security and go back to using the remote interface for untraceably killing people.

Whereas if you build a pacemaker where firmware upgrades, if they're done at all, require direct contact, then in order to hijack the pacemaker, the assassin will need to rip his victim's clothing off and tie him down...at which point it becomes way simpler to just go back to using a gun. Or a knife. Or poison. Or...