en

The VICE Channels

    Hackers Killed a Simulated Human By Turning Off Its Pacemaker

    Written by

    Jason Koebler

    Staff Writer

    Image: CAE Healthcare

    We've wondered a couple of times what might happen if a hacker were to decide to compromise your pacemaker, your bionic arm, or maybe your brain implant. Thanks to some students at the University of South Alabama, we now have a reasonably good idea: You die!

    There are shades of gray here, of course. But a group of undergraduate students at the university recently spent a few hours hacking a medical grade human simulation to see what, exactly would happen. The results were about what you'd expect.

    iStan, the guy you see above, is "the most advanced wireless patient simulator on the market, with internal robotics that mimic human cardiovascular, respiratory, and neurological systems," according to its manufacturer, CAE Healthcare. iStan costs about $100,000 and is regularly used by hospitals to teach medical school students how to perform procedures without murdering people.

    "They sweat, they cry, they talk," Mike Jacobs, director of the simulations program at University of South Alabama, told me. "It responds to 300 different types of simulated medications and procedures, and the physiological response is identical to that of a human."

    As a robot, iStan is much more vulnerable to hacking than, say, a human with no connected devices whatsoever. But iStan is probably no more hackable than your average pacemaker, which has been shown time and time again to be vulnerable. And unlike with a real human, you can hack iStan and not worry about going to jail.

    "The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient," Jacobs said. "It's not just a pacemaker, we could do it with an insulin pump, a number of things that would cause life-threatening injuries or death."

    Jacobs, who is not a hacker, says he provided the iStan to a group of undergraduate students who had been taking a cybersecurity class for a semester. After a few hours, the team of students was able to gain access to most of iStan's functions, which were vulnerable to denial of service attacks, brute force attacks, and security control attacks.

    "We did this because we were wanting to beef up security on our end and put some safeguards in place. It may not be totally possible to prevent hackers, but, knowing these can easily be hacked increases your awareness of vulnerabilities," he said. "It's definitely concerning—if there's a high profile individual with a medical issue, it certainly makes them vulnerable."

    He added that the university’s hospital is looking into ways to encrypt wirelessly transmitted data sent between medical devices.

    The team published their results in the preprint journal arXiv, which means the work has not been peer reviewed yet. The team suggests that, in the future, doctors will need to be prepared to deal with hackers and cyberattacks in hospitals.

    “Future practitioners will be trained to deal with medical device failures, byzantine or otherwise,” they wrote. “[Medical schools] will reinforce the use of alternate or traditional techniques that do not rely on technology.”