Pacemakers could be infiltrated to deliver deadly shocks, according to a security expert. It wouldn’t be simple, but it offers the very James Bond-like possibility of anonymous digital assassination.
IOActive researcher Barnaby Jack demonstrated this capability at a security conference in Melbourne, according to Australia’s SC Magazine. He used a laptop to send a series of 830-volt shocks to a remote pacemaker, and used some sort of unclear “secret function” the pacemakers possess, which could be used to activate all pacemakers and implantable defibrillators within a 30-foot radius. The devices would give up their serial numbers, which would allow the would-be assassin to breach their firmware and upload nefarious malware that could spread to other pacemakers like a virus. The devices could also give up personal data, and even supposedly secure data from the manufacturer.
“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or [defibrillator] and then each would subsequently infect all others in range,” he reportedly said.
It wouldn’t be the first time a security expert showcased the vulnerability of these lifesaving devices. In one study four years ago, researchers from the University of Washington and University of Massachusetts figured out how to assume control of implanted pacemakers and obtain personal data. Other groups are working on ways to encrypt artificial organs and limbs.
Jack said he made the demonstration to alert device makers to insecurities.