device security

It has been demonstrated that pacemakers can be hacked. Not a good thing. The manufacturers ignore this problem. They keep the softwear secret so it can't be analysed and fixed. I could be in a room where someone else is the target and I become collateral damage. I want and deserve firmware that has been patched. Manufacturers have to stop ingnoring this problem. They say there is no problem. Perhaps they don't use their own devices.

6 Comments

Lubro - do you do any...

by donr - 2013-07-31 03:07:40

...on line banking or bill paying? How 'bout over the phone?

There are security hazards in both of those actions, moreso by telephone than by computer.

Most bill paying/banking/purchasing on line sites require 28 bit encryption, which is pretty secure. Your most serious problem w/ on line transactions is what happens w/ the data after it safely gets where it is going. OR - perhaps if you have reacted to a phony clone of your real target site.

Go by phone & security is so-so. Hard line wires can be tapped; microwaves & satellite transmissions can be intercepted - of course, it takes a potfull of equipment to find your data in the potfull of data they will intercept. That's a job NSA gets paid to do when going after bad guys. Finding you in what a bad guy would intercept is a non-trivial task.

Not so for cell phone transmissions - all they need to do is be near you & they can intercept your cell phone to tower transmission & they have you instantly. This is a "Can do, easy" sort of thing.

Dunno of Medtronic uses encryption w/ Care Link systems - they claim that the web site they use is secure. Dunno about from the device in your home that communicates w/ your PM/ICD.

So - what are they going to do w/ the data? "Who knows, what evil lurks in the hearts of men - The Shadow knows! heh,heh, heh, (That was an evil cackle)". About the only thing an evil-hearted miscreant could do is bad! For a PM host - reprogram you; turn your Pm essentially off. For an ICD host perhaps give you uncontrolled Jolts.

Yes, it is scary. But we aren't there - YET. Again, we must be vigilant. Never look at an enemy in terms of their intentions - look at them in terms of their capabilities.

So far, all the nasty things are subjects of TV shows.

Just don't think it will REALLY happen when the Hudson River flows backwards. It already does that twice a day & has for millennia - at least in the first 70 miles or so of its mouth.

Don

My husband told me the same thing!

by Acin - 2013-07-31 10:07:26

My husband is so worried that this might happen to me. I assume it's possible.Does anyone know for sure if this can or has happened?

hacking - Being paranoid...

by donr - 2013-07-31 10:07:27

...doesn't mean the *&^%$%& aren't out to get you! ElectricFrank had a saying about having his paranoids taken out when he was young that is also appropriate - unfortunately forgotten by me in detail. But Frank (& I) are (were) far less pessimistic about our PM's being hacked than the average bear. (That's NOT the one that came to my front door & tried to get in.)

Don't get me wrong - Implantable devices can - under the right conditions - be hacked. But those right conditions are not yet here - UNIVERSALLY.

Right now, F'rinstance, I host a Medtronic PM. My PM can be hacked - but not very easily. Some evil miscreant would have to catch me incapable of resisting, place a hockeypuck transducer over my PM & reprogram it. That requires that said hacker have physical control over me & be at a range of inches. Perhaps said hacker (Note that I do NOT use male pronouns here - said hackers could well be female - men do not have a corner on the "Evil" market!) Now PM's are susceptible to magnetic influence from a few feet, but the energy to create a magnetic field capable of doing that damage at that range is not easy to create & control. Mag field hacking is pretty much impractical - even for the Dr. Sivanna (Capt Marvel readers will recognize hie name) types in the world.

Few PM's have RF access capability - YET, so PM hosts need not worry about hacking via radio waves - again, YET. Medtronic has a remotely sensing Telemetry (TM) device that is readable at distances up to 16 ft. (Carelink) They cannot be reprogrammed - YET. When I was in the hosp in May for my abdominal surgery, a nurse reported to me that they had detected via their TM system that my PM did something abnormal. Other than my PM not being TM capable, it was great to know that they were on top of things!

Yes, security codes must be created & put into devices w/ RF reprogramming capability.

As I said in a previous thread on hacking just last week, given a powerful enough transmission system w/ highly directional antennas & sensitive enough receivers, hacking from 50 ft & beyond is a capability - but only if you have a vulnerable device.

I have not been able to learn what starts a PM w/ TM capability in its transmission mode - to transmit all the time would eat battery life rapidly.

This is NOT a problem only for PM/ICD hosts. It is one for the medical community as a whole. A significant number of digital devices in the hosp are operated via a Microsoft Windows environment - which is known for its many security holes & continual patching by MS. A real problem is that no hosp can indiscriminately update MS software w/o fear of problems w/ the FDA, which controls changes/modifications to medical devices. The FDA control/licensing of med devices must be attended to first.

TODAY, the greatest threat to our devices is via hacked programming computers in healthcare facilities. If they NEVER are connected to outside transmission systems - phone lines - they are almost safe. Even CD's brought into the facility to update the machines can be contaminated w/ worms, viruses, etc.

I found on the web a transcript of an interview w/ a university professor interested in medical equipment security. It is at the link listed below. It is also recent - like March 2013. The professor puts our current hacking threats i perspective. Very interesting!

http://spectrum.ieee.org/podcast/biomedical/devices/hacking-pacemakers

For now, RELAX, but be vigilant.

Don

hacking...& phone transmissions...

by lubro - 2013-07-31 12:07:06

I have always had some trepidation about using the phone in procedure for PM check up... paranioa? well, like donr said, those %$@&(*^% 's are out there, and one never knows who is lurking, and just what they might do given the chance. Probably not high on my list of concerns, but something to consider. What exactly would a hacker do with this information? Or would some malicious fool attempt to wreak havoc on the PM hosts of the world? Kinda scary when you think about it...

Thanks for the info Don

by KAG - 2013-07-31 12:07:10

I'll be on the lookout for anyone dragging around a huge power generator and antennas.

Actually interesting technology.

Hopefully the hackers out there have more interesting things to hack into, like banks, DOD, etc....

Kathy

From the Pipelines thread on 08/02/13

by donr - 2013-08-02 12:08:08

I went to Kevin's link leading to the actual FDA paper from 13 June 2013. Below is what I wrote back to Kevin. His title "Pipelines to Pacemakers" does not convey the Hacking issues that started it all off. I thought it useful to fold it into this thread.

Begin Paste:
"FDA 13 June 2013 Safety Communication
Comment posted by donr on 2013-08-02 12:07.
Kevin: I'm going to fold this comment into the other current thread on Hacking so that folks can see everything about it in one spot.

Below is the FDA communication link. Very interesting, Very interesting.

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm"
End Paste

I learned something interesting - the FDA does NOT require FDA approval of changes to software that involves ONLY cyber security. This is contrary to my current beliefs, so have to modify my thinking. Thanks for the info.

If that is the case, it makes one wonder about the reality of the situation:
1) Is their statement REAL about the non-requirement for FDA approval?
2) When a device mfgr has actually attempted to make a cyber security change did they get the typical FDA Hassle?

FDA is a regulatory organization - similar to the IRS - look what we are going through in the House of Representatives today over over-zealous regulatory actions, never contemplated in the laws creating them.

Also, The FDA stated that they had no indications of actual threats to cyber security. Not a REAL comforting thought. Recall that I stated earlier that one must NEVER act on security issues based on intentions of bad guys - you act on capabilities & the capability is definitely out there.

Perhaps this FDA communication will jar the industry into action.

But - read the FDA paper carefully - it is GENERIC to ALL medical devices, not just IMPLANTABLE ones.

Many thanks to kmcgrath for bring this out in his post.

We all need to know this.

Don

You know you're wired when...

Intel inside is your motto.

Member Quotes

I am very happy with mine. I am in the best shape of my life. I lift weights, compete, bike, golf and swim.