Hacking the Heart

A team of computer security researchers has remotely hacked Medtronic’s Maximo – a stopwatch-sized implantable cardiac defibrillator.

Armed with an antenna, radio hardware and a PC, the team was able to shut down and manipulate the device – and even deliver potentially lethal jolts of electricity.

The investigation was led by The Medical Device Security Center, a cross-disciplinary partnership between researchers at Harvard Medical School, UMass, and the University of Washington.

The study (available here in .pdf) evaluated the security and privacy properties of wireless implantable devices used in hundreds of thousands of patients worldwide.

The Wireless Age

Using wireless technology, physicians are better able to monitor patients and adjust devices without the need for additional surgeries. Many pacemakers, implantable defibrillators and drug pumps now incorporate computers and radios.

Researchers found that the security of these devices may be lacking, opening the door to potentially murderous attacks: “Our investigation shows that an implantable cardioverter defibrillator (1) is potentially susceptible to malicious attacks that violate the privacy of patient information and medical telemetry, and (2) may experience malicious alteration to the integrity of information or state, including patient data and therapy settings for when and how shocks are administered.”

While I have difficulty imagining a scenario where the techniques would be used to harm or kill, I also have difficulty imagining why a hacker would create a computer virus for no other reason than to annoy or inflict economic hardship.

“No Cause for Concern”

A Medtronic spokesperson, Robert Clark, quickly dismissed any fears in a statement released yesterday: “To our knowledge there has not been a single reported incident of [ICD hacking] in more than 30 years of device telemetry use, which includes millions of implants worldwide.”

The researchers also said there is no need for public concern: the experiment required some $30,000 worth of gear and a sustained effort by a team of specialists, and the ICD was placed within two inches of the team’s equipment.