When Norwegian security researcher Marie Moe was diagnosed with a heart problem, she, like many thousands of others, had a wireless-enabled pacemaker implanted. This small embedded computer, which keeps her alive, meant her heart was now part of the fast-growing Internet of Things (IoT).
The security researcher, who’s previously worked with the Norwegian Computer Emergency Response Team, told the BBC how she soon began wondering how secure this new piece of critical, personal infrastructure was from cyberattacks and coding errors.
After downloading the manuals for her pacemaker, Moe discovered that she now had two wireless interfaces: a short-range one for adjusting her pacemaker’s settings and a long-range one for sharing data logs over the internet.
Wireless interfaces are an increasingly common feature of personal medical devices because they make it easier for doctors or patients to monitor and control the devices.
Back in 2007, former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities to thwart possible assassination attempts.
The following year, researchers at the University of Massachusetts released a paper demonstrating how an Implantable Cardioverter Defibrillator could be attacked from very short range using a software radio.
Other more practical attacks have been demonstrated against pacemakers and other medical devices since, prompting the US Government Accountability Office (GAO) to recommend in late 2013 that the FDA start taking the threat seriously.
Cardiologist Simon Hansom from Papworth Hospital in Cambridge provided some reassurance in the BBC’s interview with Marie Moe:
“To the lay person, they probably think the pacemaker has the same wireless you have at home … It’s not the same – it’s very different … The only significant effort I’ve seen took a team of people two days, being within 20cm of the device, and cost around $30,000.”
It seems that Moe concurs. It’s not so much hacking, but programming errors that she worries most about, as the BBC describes:
“Not long after having her pacemaker fitted, she was climbing the stairs of a London Underground station when she started to feel extremely tired. After lengthy investigations, Marie says, a problem was found with the machine used to alter the settings of her device.”
She’d like to be able to take a look at the code controlling her pacemaker to make sure it’s secure and bug-free, but the pacemaker vendors have not shared it with her.
And so Moe hasn’t been able to confirm for herself that the computer her heart depends upon is secure and bug-free.
Over the coming months and years many more everyday ‘things’ will start running executable code and acquiring wireless internet or radio interfaces like Moe’s heart.
Turning ‘dumb’ devices ‘smart’, and making them remotely controllable or attaching them to the internet, makes them vulnerable to cybercriminals in a way they never were before.
Luckily, many of the technologies and practices that could provide protection for these devices aren’t new. They’re already out there, protecting businesses, government, defence and other organizational assets.
We just need to start using them.
No matter which market they’re in, companies that attach their products to the IoT need to understand that their products are now computers, and therefore vulnerable to similar issues.
From a technology point of view, a device joining the IoT should be nothing extraordinary – it’s just another computer joining the internet after all. It’s just that the stakes, as Marie Moe knows, can be considerably higher.