We live in an age where someone can literally hack your heart.
It’s true: pacemakers, like many electronic devices, have the potential to be hacked. That potential is so great, in fact, that the FDA recently released new guidelines on how to prevent your pacemaker from being hacked.
The FDA decided to release those guidelines because many modern pacemakers have hard-wired passwords that can easily be hacked. With cyber-security becoming an increasingly important topic, pacemaker hacking is becoming a risk.
How Vulnerable Are Pacemakers?
Millions of people around the world rely on pacemakers to survive. Pacemakers literally keep their heart pumping.
This is where things get scary: in an interview on Good Morning America, former FBI special agent Brad Garrett explained that pacemakers are “extremely vulnerable” to hacking.
Brad went on to explain that white hat hackers (i.e. hackers who work for the “good” guys) have been hired by hospitals to look at pacemakers.
This is where things get even scarier: these white hat hackers “were able to hack virtually every device they looked at”.
What is the FDA Doing?
The FDA has issued recommendations to the medical device companies to change their security apparatus.
As mentioned above, many of these devices have hard-wired passwords. The FDA is encouraging hospitals and other health care providers to be pickier about pacemaker security. Hospitals should stop buying pacemakers from device manufacturers who don’t care about security, like the manufacturers who continue to use hard-wired passwords.
Can You Kill Someone By Hacking a Pacemaker?
Yes, you can kill someone by hacking a pacemaker. After gaining access to the electronic device, you can simply shut it off, or speed it up. For someone with a delicate cardiovascular system, this can have fatal effects.
Researchers at the University of South Alabama recently demonstrated this ability. Fortunately, they did it on a virtual patient and not a real human being.
Those researchers hacked a pacemaker and killed a patient in virtual testing, then did the same with an insulin pump. Here’s how researchers explained what they did:
“The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient,” Mike Jacobs, professor and the director of the human simulation program at the university, told Motherboard in an interview.
In an episode of Homeland, we saw a hacker kill the vice president by activating the defibrillator. In real life, pacemaker hacking could work in a similar way.
Researchers at the University of South Alabama added that any student “with basic information te4chnology and computer science background” could follow their steps to hack a pacemaker and kill someone.
How to Hack a Pacemaker
Want to kill your grandpa? Hopefully not. But if you do have some homicidal tendencies, putting together a pacemaker hacking system isn’t as hard as you may think.
Kaspersky Lab’s ThreatPost.com did a good writeup on it here. They explained that many cardiac devices in a hospital’s device catalog are “riddled” with security flaws that expose the ecosystem to attack.
As an example, the report stated that you can buy a Merlin@home system for $35 from eBay. Merlin@home is the home monitoring unit used throughout the St. Jude Medical network:
“These units (Merlin@home) are readily available on Ebay, usually for no more than $35. Merlin@homes generally lack even the most basic forms of security, and as this report shows, can be exploited at every level of the technology stack of St. Jude’s Cardiac Devices”, explains the report.
Those devices included more than just pacemakers: they included implantable cardioverter defibrillators and cardiac resynchronization therapy devices – you know, the crucial devices that help keep people with heart problems alive.
After buying the Merlin@home unit from eBay for $35, you can “easily reverse engineer the communications protocol and mimic parts of St. Jude Medical ecosystem and manipulate the company’s cardiac devices”, explains the report.
Compounding security issues even further was that there’s a 50 foot RF range for Merlin@home units used to interact with devices like pacemakers. That means someone could potentially stand across the street from a home and interact with the patient’s pacemaker.
Root Access Attacks Lead to Crashes
In a test, attackers were able to gain root access to the Merlin@home devices “thanks to sloppy security”. After getting root access, an attacker could launch a “crash” attack that caused all nearby cardiac devices to malfunction.
Battery Drain Attacks
Another theoretical type of attack was called a battery drain attack, which involves overloading the pacemaker to a point where it battery life plummets. In a test, researchers were able to drop the pacemaker to 3% battery life in just a 24 hour period.
Ultimately, researchers summed up their study by saying that the security flaws were “appalling”.
Fortunately, St. Jude Medical was an outlier in the medical community, and researchers found better security at other medical organizations.
Should You Be Worried?
Ultimately, there’s no evidence that anybody has ever hacked a pacemaker to kill another individual. However, researchers have repeatedly demonstrated its possible using basic IT knowledge and $35 worth of equipment.
Thanks to lackluster security from device manufacturers, hacking a pacemaker isn’t even that advanced.
If you have a pacemaker, and someone with IT skills wants you to die, then it’s certainly possible for a pacemaker attack to take place. However, most people have nothing to worry about.
