Thursday, August 4, 2011

Aw crap

A few weeks ago, I put up a little rant about the lack of security on the Roku device I use to access online entertainment content.

Now, a security researcher has published findings that indicate that implantable medical devices have little to no security protection.  Basically, if you can access an insulin pump, you can change settings to allow someone other than the doctor or its owner to control it, with possibly catastrophic consequences to the owner's health.

Think about all of the wonder gadgets that doctors implant into people now.  A lot of them have some remote communication capability, and now it's been confirmed that at least some of them can be modified to the detriment of the patient. 

Why would someone do something so horrific?  It could be someone who's pissed at the company that makes them and wants to tarnish their reputation. It could be someone who wants money, and uses a demonstrated ability to kill patients to extort the pharmaceutical company.  Or it could be some script kiddie that wants nothing more than to prove that he's the baddest mother in the valley today.

I'm not sure what can be done about this due to the relative primitiveness of the computers in the implanted devices.  By necessity, embedded systems like this need to be small, so a trade-off of computing power for size happens.  The processors on these things probably just can't handle any kind of encryption or sophisticated access controls.

So grandma's pacemaker, the lady at the office with an insulin pump, and the little kid with a brain stimulator are at some risk.  Whether or not this becomes as big a problem as it could be remains to be seen.  Hopefully the manufacturers will listen to this research and work towards better locking down their future products.


Anonymous said...

Hm. I see a market for a hand-carried electronic blocking device for medical implants, something similar to the gadget you can install in your teenager's car that blocks cell signals while the vehicle is in motion.

Old NFO said...

That is scary... in a LOT of ways...

Jay G said...

There's an even simpler solution. We catch you fucking with one of these devices, you're shot dead on the spot.

Word would get around pretty quick, I think...

DaddyBear said...

Jay, there is an entire industry worth of people who would line up to take part in that act of retribution. The ridiculously light sentences handed down for acts that cause millions of dollars worth of damage and endanger the lives and livelihoods of people are an insult.

North said...

I used to design the software for a major manufacturer.

Keep in mind that an implanted device is meant to have an 80 year life span, and they are not iPods where you download firmware updates to them.

Also: Communication is short-distance.

DaddyBear said...

North, I'd be really interested to read your take on this security study as someone who has actual experience in this type of technology. My IT security experience is at the system and network level, not the embedded device level, so I'm going off of what I read in the article and the study, as well as what I've read over the past few years about medical implants. Is this the "low risk, but huge impact kind of thing" or is it something that we should truly be worried about?

DaddyBear's Den by DaddyBear is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License.