Sometimes, hackers make the worst patients.
A few years ago, when Marie Moe got her pacemaker, she didn’t worry too much about the particular model her doctors chose. After all, she needed it to survive, and trusted their judgement.
But given that Moe is a security researcher and a hacker, she got curious. She looked up the pacemaker’s manual and found that the device she had inside her body had wireless capabilities, something that “scares” her “a bit.”
“That’s something that I’m very worried about,” Moe, who is in her thirties, told Motherboard in a phone interview, “because I know a lot about wireless security, and I know there are a lot of things that can go wrong.”
To this day, no hacker has ever hurt anyone by hacking into someone’s pacemaker, but several security researchers agree that it’s possible. And yet neither the general public nor the medical industry considers it a serious threat. That’s why Moe is sharing her experience as a hacker living with a potentially hackable pacemaker in a talk at the Hack.Lu security conference later this month in Luxembourg.
In 2008, a team of researchers at the University of Washington and the University of Massachusetts was the first to warn about such a scenario, demonstrating how a pacemaker could be wirelessly reprogrammed to either shut down or deliver jolts of electricity that could kill a patient. In 2012, hacker Barnaby Jack revealed that it was possible to deliver a deadly 830-volt shock to patients who had several models of pacemakers—all from a laptop 50 feet away.
Jack died a year later, just a few days before revealing how an attacker could remotely kill a patient who has a wirelessly-connected defibrillator or pacemaker by hacking into the communications system connecting those devices to bedside monitors.
This scary possibility crossed into the mainstream in 2013, when hackers in the TV drama Homeland killed the show’s US Vice President by turning off his heart implant over the internet. Months later, even former US Vice President Dick Cheney admitted to being worried, revealing that he had asked his doctor to turn off the wireless function of his pacemaker.
But Moe doesn’t lose much sleep over the possibility. “There are easier ways to kill me, if someone wants to kill me,” she said.
Nevertheless, “we shouldn’t need evidence of harm to humans before starting to look into the security of these devices,” Moe told me. “What worries me is that as the pacemakers get more advanced and get more smart so to speak, they get wireless interfaces. And all of this connectivity will add vulnerabilities.”
And those vulnerabilities will need to be patched. Moe hasn’t tested or investigated her device, nor does she know for sure whether her model is vulnerable. But even if it were, patching any potential vulnerabilities isn’t easy. In her case, it would require a whole new implant, which makes her, and other patients like her, virtually “unpatchable.”
Moe already knows what it’s like to suffer the real-world consequences of a software bug. When she first got her implant, her doctors needed to fine-tune it to adjust the max pulse to her needs. But due to a software bug in the programming interface used to adjust the pacemaker’s settings, the actual settings in the device “were not the same as the settings displayed on the screen that the doctor was seeing,” Moe said.
“If I tried to run or climb up stairs I would get out of breath and suddenly feel like an 80-year-old. This was because the pacemaker detected my pulse to be outside the upper heart rate limit,” she added.
Luckily, Moe said, in this case the bug was in the pacemaker’s external programming device, so it was easier to patch. But if the bug had been in the implant itself, patching would have required surgery.
She hopes hackers and security researchers will keep investigating vulnerabilities in pacemakers and other medical devices—and that the medical community and the health industry will start taking cybersecurity seriously.
Thanks to several people in the security industry, this is starting to happen. Last summer, the Federal Drug Administration agency told hospitals not to use a certain drug pump because it contained vulnerabilities that could be exploited by hackers. These vulnerabilities were highlighted by Billy Rios, a researcher who’s found bugs in several medical devices. I Am the Cavalry, a nonprofit that wants to educate sectors that traditionally haven’t thought about cybersecurity, has also been pushing to increase awareness of this issue among the healthcare industry.
In the future, Moe hopes doctors will take the security of the implants they give patients into consideration when picking a certain device over another.
“Next time I have an implant, because it needs to be replaced in some years,” she told me, “I hope that the doctors will feel it’s just as natural to worry about software bugs in the device as it is to worry about there not being any bacteria in it before they implant it.”
Lead illustration: Che Saitta