Security researcher Marie Moe.
Marie Moe is a thirty-something Norwegian security researcher with a rare heart condition that would have killed her were it not for the computerised pacemaker wired to her heart.
She’s grateful for the technology, but the former incident response manager at Norway’s computer emergency response team, NorCERT, knows that if a computer is connected to the internet it can be hacked from afar. The problem is she’s had better visibility into Norway’s critical infrastructure networks than the device in her heart.
She’s on a mission to change this by convincing ‘ethical’ or good hackers — those who find and report bugs rather than use them for personal gain — to focus on medical devices and help her and others become “informed patients”.
There are good reasons to connect a pacemaker to the internet, but there are risks as well.
“You just have to trust that the vendor has done their job when it comes to the security and the software development lifecycle,” Moe told Fairfax Media.
If the next glitch on your iPhone meant probable death, you’d understand her concerns. Independent security researchers regularly report security bugs in iPhone software to Apple, which then fixes them to keep hackers at bay. That happens less frequently for medical devices.
In 2005, a US medical implanted defibrillator maker revealed it was aware a flaw in its device affected 25 patients, but only after a young man with the faulty implant died of a cardiac arrest.
Moe is more concerned by these flaws than malicious hackers, but thinks ethical hacking will help address both risks and uncover bugs before anyone dies.
However, difficulties acquiring medical devices to test means research moves slowly.
In 2008, researcher Kevin Fu proved it was possible to reverse engineer the communication protocols between a pacemaker and a reader device to launch a short range attack.
The late Barnaby Jack, a New Zealand-born hacker, moved the dial but died in 2013 a week before he was due to reveal how to kill a person from nine metres away by hacking a pacemaker.
Two years on his research on pacemaker security remains the most current available, according to Moe.
“It’s extremely hard to acquire medical devices for testing — they’re regulated, expensive, and you need a prescription to get them,” Jay Radcliffe, a senior security consultant with Rapid 7 told Fairfax Media.
Radcliffe, a diabetic who’s had three insulin pumps during his life, refuses to wear one today. In 2011 he demonstrated that using cheap and readily available radio equipment, it was possible to wirelessly hack the pump and change its settings.
“The last two insulin pumps I had were hugely insecure and I was disappointed in the vendor response to fixing weaknesses and vulnerabilities. This means I have to manually give myself between five and 15 shots a day,” he said.
Radcliffe still uses a glucose monitor that communicates wirelessly, but that’s choice he made.
Moe didn’t have that choice four years ago. “It was an emergency situation. I needed the device because my heart was starting to beat too slow. I lost consciousness because my heart was having breaks,” she said.
Her heart rate had slowed to 30 to 40 beats per minute or about half the normal range, due to a condition called “heart block” which disturbs the electrical signals that cause a heart to beat.
After surgery Moe searched online for her pacemaker’s technical manual and only then discovered a “Home Monitoring” feature, which can connect her heart to the internet via a custom router installed at home. Patient information is transmitted to a remote server, which a doctor can retrieve from a web interface.
Her heart is, she said, exposed to a vastly wider “attack surface” — a security term to describe potential points of attack on a system, which now include a breached server, a flaw in the web interface, or a device like the one Radcliffe created to hijack the communication and tamper with her pacemaker’s settings.
And If Moe’s pacemaker is affected by a software glitch at any point in the next six years, she will need surgery to patch it. Radcliffe’s insulin pumps lacked an update mechanism too.
US law hasn’t made it easy for medical device hackers. Regulators now warn of hacking risks to medical devices, however researchers have faced criminal charges for probing medical devices.
The US Digital Millennium Copyright Act (DMCA) criminalised techniques to bypass access controls on copyrighted works but has also been used to suppress security research on vehicles and medical devices.
That changed last month after conditional exceptions were made for the two categories of security research, though they’ll take a year to come into effect.
“Before the new DMCA exception, security professionals planning to do research might have intentionally passed over medical devices because the research could be considered illegal. The exception really opens up the ability to do research without facing criminal charges,” said Radcliffe.