The Bode

Pacemakers have saved countless lives by detecting irregular heart contractions and controlling heart beats through timed low-voltage electric shocks. But these same devices now pose a serious threat.

Barnaby Jack, Director of Security Research for IOActive, found that wireless pacemakers could be easily hacked, which "could definitely result in fatalities." 

The programming of the wireless transmitters is used to give instructions to pacemakers and implantable cardioverter-defibrillators (ICDs), which detect irregular heart contractions and deliver an electric shock to avert a heart attack.

In the past, medical staff used a wand to flip a software switch to accept instructions. But now the procedure has gone wireless. In 2006, the U.S. Food and Drug Administration approved full radio-frequency based implantable devices operating in the 400MHz range, which can be programmed via wireless transmitters so that patients don’t have to go through the invasive procedure when medical professionals send new instructions to the devices. Since 2006 more than 4.6 million pacemakers and other medical implants have been sold in the United States.

However, with that wide transmitting range, there is a potential risk of remote attacks against the software. Barnaby Jack found that hackers can easily obtain information like serial number and model number so as to take control of the device and reprogram the firmware of it.

During a talk at the Breakpoint security conference in Melbourne, Australia, he demonstrated how he could remotely instruct a pacemaker to send an 830-volt shock through a person's body, which could be lethal. The worst part is that any deaths derived from this hacking method would be viewed simply as a tragic accident.

Even worse, a hacker could upload malicious software to a company’s central server that would infect everybody using that company’s pacemakers. In the worst case, a hacker could kill many people at the same time by spreading shocks through the whole system as a lethal virus. "We are potentially looking at a worm with the ability to commit mass murder," Jack said. "It's kind of scary."

And that’s not all, since pacemakers often contain personal data such as patients’ name and their doctor, hacking into it means the leak of such confidential information.

Jack is developing "Electric Feel," an application with a graphical user interface that would allow a user to scan for a medical device in range and select a device in the appeared list to control.

"My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security of their code and not just the traditional safety mechanisms of these devices," Jack said.

One slide in Jack’s presentation showed a man similar to former U.S. vice president Dick Cheney, who has long suffered from heart problems. The flaws in the device means an attacker could perform "a fairly anonymous assassination" from 50 feet away, Jack said.

Reach reporter Evie Liu here.