Hacked terminals capable of causing pacemaker deaths
IOActive researcher Barnaby Jack has reverse-engineered a pacemaker transmitter to make it possible to deliver deadly electric shocks to pacemakers within 30 feet and rewrite their firmware.
In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he used a laptop to issue a series of 830-volt shocks to the pacemaker.
The pacemakers contained a “secret function” which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30-foot-plus vicinity.
Each device would return model and serial numbers.
“With that information, we have enough information to authenticate with any device in range,” Jack said.
In reverse-engineering the terminals – which communicate with the pacemakers – he discovered no obfuscation efforts and even found usernames and passwords for what appeared to be the manufacturer’s development server.
As we learned with Stuxnet, many embedded devices were never designed with security in mind. And it only takes one clever attack to raise awareness.
Hopefully our medical device, power and telecommunications companies are remediating these kinds of vulnerabilities as we speak.