It was February 2012. Barnaby Jack gave a presentation on hacking insulin pumps armed only with a laptop, a small antenna and a see-through mannequin. He waved the antennae like a magic wand, pushed a button, and, as though he was a real evil sorcerer, delivered death – in this example filling the baggie holding the mannequin’s fake pancreas with blood.
Barnaby explained: “I can scan for any insulin pumps in the vicinity. I will return those insulin pump ID’s, and then I can have them dispense their entire 300 units of insulin, which for a type 1 diabetic will easily prove fatal unless you seek immediate medical attention.”
It wasn’t the first time one of Jack’s hacks made national news. By 2012 he was already a semi-celebrity for the live demonstration he gave at Black Hat 2010, stealing the show and the national spotlight by making an ATM machine spew out dozens of crisp bills on demand – what he described as “jackpotting.” He was a showman who didn’t like interviews, but when he was on camera it was exactly as expected: a sly smile, a little swagger and a belief that he really may help change the world.
Exactly one week ago today he was set to deliver another shocking Black Hat presentation, not on hacking insulin pumps, but something that had captured his mind years prior: pacemakers.
Speaking of the research he was going to present, Barnaby Jack bluntly told Reuters in a phone interview, “I’m sure there could be lethal consequences.” Not long after that interview, he was dead, just 35-years-old, his presentation slot left vacant to honor his memory.
The Real Threat to Medical Devices – Ten-year-old viruses?
Embedded devices of medical technology capture a lot of news, but it’s only part of the story. Hospitals are full of non-embedded medical devices.
“The biggest impact we’re seeing right now with medical devices are computer viruses,” said Matthew Neely, director of a strategic initiative at SecureState. “Most of these devices basically have little to no security built into them both from just design and very poor security protections enabled on them, so literally attacks – things that we haven’t seen working for the past ten years — work on these devices. Even very simple denial-of-service attacks will cause these devices to go offline.”
An old virus from years ago, one that a modern operating system would flick away like an ant at a picnic, can cause real problems in some medical networks. Of course, there’s always the question of motive when it comes to equipment cybersecurity. There’s not much to gain for cybercriminals – no money, no personal information. Even malicious hackers aren’t setting out to murder innocent patients. That’s why, as of now, most of these attacks have been accidental, but they can still have a big impact.
“We did have a case of a hospital chain out west that got an infection on their network that was causing so much traffic that it was knocking their medical devices offline. They actually had to shut down the network in their hospital chain of five hospitals and go through and basically clean each network, isolate the medical devices before they brought it back online, and that process took about a week and a half,” Neely said. “There was definitely a financial impact.”
From TV Plot Drama to Real World Threat
Less than a year ago Showtime’s Emmy award-winning Homeland had a plot twist that seemed a little far-fetched for some viewers: terrorists hacked into the vice president’s heart device in an attempt to deliver enough jolts to cause a heart attack – all they needed was the pacemaker’s serial number.
After seeing the episode, Barnaby Jack joked on IOActive’s blog, “My first thought after watching this episode was ‘TV is so ridiculous! You don’t need a serial number!’”
Two months before the Homeland Episode aired, Jack was at a security conference in Melbourne presenting another deadly hack. This time remotely causing a pacemaker to deliver a 830-volt shock, “which could be heard with an audible pop.”
Although he was always clear that “the threat of a malicious attack to anyone with an implantable device is slim,” looking forward Jack saw an even scarier scenario involving specially-crafted firmware uploaded to a company’s servers that could infect and spread – “a worm with the ability to commit mass murder,” he said. “It’s kind of scary.”
The medical device market is huge, clocking in at $331 billion globally in 2012. That includes roughly half a million insulin pump users. In just the U.S. alone it’s estimated 2.9 million pacemakers were implanted from 1993 to 2009.
The pacemaker was a device Jack had wanted to toy with prior, but he settled on insulin pumps first due to their ease of access. Now, after his presentation and Homeland’s premise, people started to put together a scary thought: a former U.S. vice president with a pacemaker who had terrorist enemies overseas.
The horrific fictional scene suddenly took on new meaning.
Changes Being Made
After discovering the insulin pump vulnerability, Barnaby Jack said they were working with the manufacturers to discuss solutions and that the insulin pump revisions would be fixed with the next release. As for the vulnerabilities in heart devices, Neely believes changes will be made:
“I strongly believe there are changes being made by pacemaker manufacturers to basically use what he has learned to try to correct those issues. The main thing I still haven’t seen is too much proactive work from medical device manufacturers to seek out these vulnerabilities on their own. A lot of it is still a researcher like Barnaby discovers a vulnerability and they kind of scramble to fix it as opposed to doing their own research.”
Some have speculated the device manufacturers don’t want to find the vulnerabilities or admit to them. Others have even gone as far as saying Jack was murdered for revealing the information. By who changes with the theory, but it seems to be between the manufacturers who want to protect profits and the U.S. Government who want to be the only ones with the knowledge to do Homeland-style assassinations. From a more grounded viewpoint, if manufacturers do admit to problems, the next question in line is an expensive one: “What are you going to do to fix it?”
“One of the challenges with pacemakers is manufacturers are making changes to future designs,” Neely said. “It’s pretty difficult to make changes to pacemakers that have already been put inside somebody. So that’s one area that’s definitely unique.”
Looking to the Future
“The FDA released kind of their official draft guidelines for how to secure these devices,” Neely said. “There’s definitely two sides to the issue: one is medical device manufacturers need to start producing devices that are secure and can be secured, but hospitals then also need to implement those devices correctly and then also find a way to secure any insecure devices they’ve already purchased.”
That’s been Jack’s stated goal all along, to put pressure on the manufacturers and the FDA to make sure the devices being put out there are safe, even if the possibilities are still “slim,” as Jack himself put it.
“Right now that’s an unlikely event, but that may change,” Neely said. Threats evolve rapidly in the cyber world, just think back even five years from today. “If someone has a pacemaker in for 20, 30 years, a lot can change in that time period.”