You knew this had to happen eventually. After all, even a lowly fish tank thermometer can be hacked to allow network access. There are numerous advantages to smart medical devices. They can send data to the physician on a patient’s health. The patients can monitor their stats on an app. Theoretically, firmware and software updates could be downloaded. Although in this last situation, I’d want “firm” control over how and when that took place!
The United States Department of Homeland Security (DHS) recently issued a warning that over a dozen heart defibrillators are vulnerable to hacks. What “great” news to folks who have survived a severe heart problem, received the life-giving implant, and now could be the victim of a hacker.
Many of the impacted devices are made by the American company, Medtronic. According to an article in The Hacker News, there are two areas of vulnerability for the Medtronic devices. The first involves the fact that their Conexus Radio Frequency Telemetry Protocol does not check for data tampering or take any authentication or authorization steps.
The bottom line here is a dangerous one for the patient. A hacker intent on harming an individual with an implant with the right radio equipment could modify the memory of the implant with potentially lethal effects.
The second weakness comes from the Medtronic devices not using any encryption. This allows bad actors within range to “eavesdrop” on the data and get information about the health of the patient. This last bit might not seem all that harmful but could be used for political and other purposes.
Medtronic has stated that they know of no successful hack. They are telling the world that the chances are remote that any hacker could do harm because of the following operational requirements:
· An unauthorized individual would need to be in close proximity of up to 6 meters (20 feet) to the targeted device or clinic programmer.
· Conexus telemetry must be activated by a healthcare professional who is in the same room as the patient.
· Outside of the hospital activation times of devices are limited, which vary patient to patient and are difficult to be predicted by an unauthorized user.
Excuse us if that is not all that reassuring. The world of espionage is full of tales where agents are able to get into close range of a target and attack, bug, or otherwise do harm. Still, it’s a great relief to hear that no one has been hacked.
Manufacturers in every sector are discovering that they need to include robust security in their product design and development efforts. The internet of things (IoT) brings unheard of capabilities. At the same time, they create unexpected weaknesses, like the aquarium issue cited at the beginning of this article.
CRIP.TO is dedicated to protecting data with the best possible level of end-to-end encryption available to people outside militaries and governments. Protected, secure communication of data leads to a safer world. In the case of medical implant users, the lack of such security can “heart-stopping.”
Find out more about the use cases for our technology and enjoy the freedom of communicating fearlessly.