New concern over the cyber-security of medical implants
Tue 10 Apr, 2012 // Briony Williams
Information security researchers have demonstrated that some medical implants using a wireless connection may be vulnerable to cyber-attacks that could lead to injury or even death.
Many patients nowadays are fitted with medical implants, such as a heart pacemaker or defibrillator, or an insulin pump for diabetics. Increasingly, these devices are capable of communication via radio waves (similarly to wireless Internet connections). Two separate security researchers have discovered that wireless-capable devices may be vulnerable to attack using radio waves.
A researcher at the prominent security firm McAfee, Barnaby Jack, has discovered after a mere two weeks of work that some insulin pumps could be manipulated using wireless connections, in a way that caused the pumps to dispense their entire stock of insulin at once. This could potentially be fatal to the patient. Jack was able to scan for vulnerable insulin pumps within a range of 300 feet, and then used wireless signals to cause them to dump up to 300 units – their entire insulin charge – into the patient’s bloodstream (normally, only a maximum of 10 units is used at any time). He was able to do this without even the need to discover the ID number of the pump.
A similar conclusion is drawn by another researcher, Prof Kevin Fu, at the University of Massachusetts, Amherst, USA. He found that it is possible to capture and then re-broadcast a radio signal that turns off a heart defibrillator, with potentially fatal consequences for affected patients. The particular signal in question is used for testing the devices at the time of implantation in the patient, when it is used to turn the device on and off. Prof Fu, however, was able to capture this signal and use it to turn off a defibrillator that was nearby.
Defibrillators, even modern ones, have a limited battery life and processing capacity, and hence they are unable to carry out the encryption and authentication procedures needed to ensure security when receiving wireless signals of this kind. This makes them particularly vulnerable to attack.
Prof Fu was eager for manufacturers to design security features into their devices from the start, to harden them against attacks of this kind. He stressed that there is no “silver bullet” that will solve these problems at a stroke, but pointed out that the technology already exists to reduce the risks significantly.
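The capture-and-re-broadcast weakness described above, next to one standard countermeasure (a message authentication code over a strictly increasing counter), as an added illustration that is not taken from the article or from either researcher's work. The frame layout, command values, key and class names are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample key, shared by programmer and device
TAG_LEN = 8                     # assumed truncated tag length, to keep frames short

class UnauthenticatedReceiver:
    """Acts on any frame that matches a fixed command, so a recording works forever."""
    def __init__(self):
        self.therapy_enabled = True
    def receive(self, frame: bytes) -> bool:
        if frame == b"\x00":                    # hypothetical 'disable' command byte
            self.therapy_enabled = False
            return True
        return False

def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Frame = 4-byte counter | 1-byte command | truncated HMAC-SHA256 tag."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class AuthenticatedReceiver:
    """Acts on a frame only if the tag verifies and the counter has not been seen."""
    def __init__(self, key: bytes):
        self.key, self.last_counter, self.therapy_enabled = key, 0, True
    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                        # forged or corrupted frame
        counter, command = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False                        # stale counter: a replayed recording
        self.last_counter = counter
        self.therapy_enabled = (command == 1)   # 0 = disable, 1 = enable (assumed)
        return True

def demo():
    legacy = UnauthenticatedReceiver()
    legacy_replay = legacy.receive(b"\x00")     # recorded test signal, sent again
    device = AuthenticatedReceiver(KEY)
    captured = make_frame(KEY, 1, 0)            # genuine 'disable' during a test
    first = device.receive(captured)
    device.receive(make_frame(KEY, 2, 1))       # programmer re-enables the device
    replay = device.receive(captured)           # same bytes re-broadcast later
    return legacy_replay, first, replay, device.therapy_enabled

if __name__ == "__main__":
    print(demo())
```

The counter has to survive a device reset, and the key has to be provisioned per device, both of which are design problems the sketch leaves out.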
It is true that carrying out this type of attack against medical implants currently requires a high level of expertise and equipment, and the reported results have the status of laboratory demonstrations only. However, given sufficient funding and motivation, it is only a matter of time before this kind of attack becomes possible for, say, agents of a state or organised crime. It is in everyone’s interests for manufacturers to address these vulnerabilities before there is an incident, and in that regard it is to be hoped that the reported research results will help to motivate the industry to address these risks promptly and fully.