Hackers from all over the world came together recently for two major security conferences in Las Vegas, where researchers revealed how a vulnerability in a medical device could put someone’s life at risk. BBC reporter Dave Lee met researcher Billy Rios, who shed more light on the serious security issues affecting the device.
Network security, and security in general, is becoming a huge problem as technology progresses. Almost everything is connected to the internet nowadays, including some household appliances. Having everything connected to the web has its benefits, but it comes with a lot of risks too. Unless proper security measures are put in place, an attacker can extract a lot of information from seemingly minor things. For example, if a hacker can get access to your Skype, they can play around and find your entire torrent download history; it’s a scary world out there online!
Attacks such as ransomware, and hacks in general, are also very common nowadays, which is why security is so important. Hackers are usually thought of in a bad way, but not all hackers are bad. There are ethical hackers as well, who break into systems to find their flaws and report them to the owners of those systems.
One such security researcher is Billy Rios, who spoke to BBC North America technology reporter Dave Lee about a serious security vulnerability in a machine made by Medtronic, a global leader in medical technology. The machine in question is used to program pacemakers, which are placed under the skin to control abnormal heartbeats.
Rios explained through a live demo how anyone could take over the machine a programmer would be using and plant a virus on a pacemaker, which would give the hacker total control over the device. According to Rios, it’s really easy and anyone with a laptop can do it; no high-end hardware is required. In fact, he uses a laptop in his demo to prove it: all he does is send an infected software update, which then allows him to take control.
Once a hacker has control over the machine, Rios said, they will be able to determine how the patient’s device behaves or even disable it. Considering how important pacemakers are for heart patients, this could put many lives at risk and give rise to a new wave of ransomware attacks. Hackers could break into these devices and demand a ransom, or else; it’s a scary reality.
In the demo, for simplicity’s sake, Mr. Rios made the machine display a simple message: “do you want to die?” That was enough to show how vulnerable the device really was. Also, keep in mind that this was a demo in which everything shown was done in a simple way. As Rios pointed out, if such a hack happened in the real world, the doctor using the device would likely never find out that it had been compromised, which is scary.
Medtronic, the company behind the device, issued a statement:
“All devices carry some associated risk, and we continuously strive to balance the risks against the benefits our devices provide.”
Even after researchers demonstrated how easy it was to hack into a pacemaker, the company has chosen not to issue a software update to fix the issue. The company believes it to be a “low threat”, but given that the information about the vulnerability is out now, it’s no longer a small threat. Even if the researchers did not directly specify which vulnerability they exploited, someone will find it eventually unless something is done to fix it.
Rios told BBC:
“The fix is what we call ‘code signing’. It’s very straightforward, Apple already does it for their phones, Windows and Microsoft already does this for their software so this is kind of a standard practice for software updates and for some reason this manufacturer just chooses not to do it.”
In the manufacturer’s defense, it’s not easy to come up with software updates that fix every issue, and some issues are really hard to fix. Sometimes it has to do with the costs involved as well. However, given the seriousness of the situation and how people’s lives could potentially be at risk, it’s something Medtronic should really consider.
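The check Rios calls code signing, shown as an added example that does not come from the article, Medtronic or the researchers: the device carries the vendor's public key and refuses any update whose signature does not verify against it. The use of Ed25519, the package layout (64-byte signature followed by the image), the function names and the fixed demo keys are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// ErrBadSignature means the update must not be installed.
var ErrBadSignature = errors.New("update rejected: signature check failed")

// DemoKeys derives a fixed, constructed key pair from one byte (demo only).
func DemoKeys(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// PackUpdate runs on the vendor build server. Assumed layout: signature, then image.
func PackUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	return append(ed25519.Sign(priv, image), image...)
}

// OpenUpdate runs on the device before anything is installed. pinnedPub is
// the vendor public key built into the device; it fails closed on any doubt.
func OpenUpdate(pinnedPub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pinnedPub) != ed25519.PublicKeySize || len(pkg) <= ed25519.SignatureSize {
		return nil, ErrBadSignature // unsigned or truncated package
	}
	sig, image := pkg[:ed25519.SignatureSize], pkg[ed25519.SignatureSize:]
	if !ed25519.Verify(pinnedPub, image, sig) {
		return nil, ErrBadSignature // modified image or wrong signing key
	}
	return image, nil
}

func main() {
	vendorPub, vendorPriv := DemoKeys(0x42)
	_, otherPriv := DemoKeys(0x13) // a key the device does not trust
	image := []byte("constructed sample update image")
	good := PackUpdate(vendorPriv, image)
	tampered := append([]byte{}, good...)
	tampered[len(tampered)-1] ^= 0x01 // one flipped bit in the image
	for name, pkg := range map[string][]byte{"vendor-signed": good,
		"tampered": tampered, "other key": PackUpdate(otherPriv, image), "unsigned": image} {
		_, err := OpenUpdate(vendorPub, pkg)
		fmt.Printf("%-13s -> %v\n", name, err)
	}
}
```

Only the package signed with the pinned vendor key is accepted; the modified, foreign-signed and unsigned packages are all rejected before installation.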
The situation is even more critical now that researchers have publicly demonstrated the exploit. According to Rios, they had informed the manufacturer about the flaw 18 months ago, but the company still didn’t do anything, so that’s when he said: “enough is enough”.
“And so, we made it pretty clear that at some point in the future we were going to present this research somewhere and I think that time has come.”
Perhaps, after what the researchers have presented and after public pressure, Medtronic might come up with an update to fix the issues that make the devices vulnerable. Otherwise, it’s a really scary thought that one could potentially stop someone’s heart by hacking a computer. You can find the BBC interview here.