Hacking Heart Attacks
Mar. 12th, 2008 09:34 am
So, here is an article talking about a hacking attack that can turn off a certain
type of heart-monitor/pacemaker. The heart monitor in question is used to
regulate the heartbeat, speeding it up if it gets too slow and shocking it if
it gets too fast. It also incorporates a radio which is used for
reprogramming by medical techs, so that the programming can be maintained
without open surgery. Now, that right there is a big security concern; it's
a necessary function of such a device, sure, but it should be clear that
such an interface needs to be protected. Apparently, there's no
authentication or encryption on the communication, which says to me that
nothing at all was done to secure the device. The attack, researchers
found, could be used to turn off the monitor or to deliver unnecessary
shocks to the heart, possibly causing a heart-attack ("potentially fatal
arrhythmia," they call it).
Now, the researchers didn't share their methodology, so a malicious attacker
would have to find it out on their own. And the manufacturer said that
newer models will incorporate encryption and authentication. And they say
the chance of an attack is low, and requires expensive ($30,000+) equipment
and physical proximity (within whatever radio range they use). In today's
world, though, I can't help but fear that it's only a stone's throw away
from yet another sort of terror attack by a suitably-funded and motivated
adversary. It doesn't have the shock and awe value of crashing planes into
buildings or suicide bombings, so maybe it will be disfavored as not
striking enough, but it still makes me (as a security professional)
uncomfortable that such a sensitive piece of equipment was made without any
concern for security.
no subject
Date: 2008-03-12 02:23 pm (UTC)
That's something I've always wondered about the "War on Terror," though. It would be so easy for someone with anti-American sympathies to just get a hold of an automatic weapon and cut loose in a ballpark, a shopping mall, a public school, whatever. Hell, lone nuts do it here pretty often, which demonstrates how easy it would be. And in the immediate aftermath of 9-11, it would've been intensely demoralizing -- look at what the Beltway Sniper attacks did to the national psyche with just 10 dead, 3 wounded -- not to mention the logistical and resource costs of trying to protect everything, everywhere.
I just wonder why they didn't. Is al-Qaeda obsessed with bigger attacks for propaganda or ideological reasons? (If so, bin Laden is an even stupider strategist than we thought! This is the same guy who helped fend off the Soviets?!) Is it that hard for them to project power into the US? Is it just that it's that much of a wasted resource to out an agent for a small attack? Is al-Qaeda really that small, atomistic, and disorganized? It just doesn't make sense to me.