Medical devices allow an amazing recovery to injured people, returning to them abilities they’ve lost. As technology advances so do medical device complexity and versatility. Even now doctors and scientists are looking at creating biomechanical hearts to replace damaged ones, as well as other organs that can be difficult to transplant. Pacemakers are a tried and true piece of technology that has been in use for decades, they regulate the heartbeat of the person they’re implanted in. They deal with irregular patterns and speeds, allowing someone with a palpatation or other heart condition to survive. Modern pacemakers have software running in them, with the ability to transmit data to hospitals and other nearby devices. This of course means that they’re vulnerable to having data sent to them, meaning they can be hacked. While disabling a life saving device might be unthinkable to you or I, it isn’t to everyone. Medical devices that can be wirelessly reprogrammed or transmit anything need the best security they can have, to avoid the horror of having someone else control a part of your body.
The FDA has ordered a recall of some 465,000 pacemakers produced by St. Jude Medical Equipment, due to a vulnerability discovered by MedSec Holdings. These pacemakers can be remotely accessed by attackers, if the attacker knows the radio frequency necessary to communicate with the pacemaker. This would allow the hacker to get the data stored in the pacemaker, or drain the battery remotely. Sadly, premature battery emptying has already been linked to two deaths in Europe. Feeding faulty code into the device can also cause it to malfunction or fail completely, again potentially resulting in fatal consequences for the owner.
In other news Arris routers have been revealed to be vulnerable to cyber attacks, due to a bug introduced to the firmware at an unknown point. The origin of the vulnerability is currently unknown, because the distributor (AT&T) has access to the code of the routers as well. It’s possible the routers leave the factory secure, but are then opened to attack when loaded with the code AT&T wants them to use. Arris is currently looking into the problem but they have not announced either way whether or not the problem originates from them or not. The bug allows for the routers to be accessed externally and gives the hacker far-reaching control over the router. They can upload ad traffic to your network, change the firmware completely or alter passwords remotely. The attacker can move devices on the hijacked router into a botnet, for use in future attacks. They can also control all traffic heading in and out of the device, and can store any data transmitted as well. Experts believe that around a quarter of a million devices are vulnerable to this attack.
Max is a Data Privacy Coordinator at a major global law firm and a science fiction author residing in the Philadelphia area. He has been writing for https://www.askcybersecurity.com since early 2017.
