Wow, it seems electronic medical implants still have a long way to go when it comes to device security.
This paper describes hacking a pacemaker/defibrillator implant (an ICD). The authors were able to deliver 'test defib shocks' using simple replay attacks: they recorded communication sequences between an implant and the commercial programmer and played them back.
It seems the device comes with a basic design flaw. The engineers who built the system put the safety checks into the programming software running on the physician's computer. This means that, when using the commercial programmer, test shocks can only be applied while therapy in the implant is enabled. In that case the test shock induces fibrillation, which the implant immediately counters.
The problem is that the implant itself does not repeat this check, so an untrusted transmitter can also initiate a 'test shock' after therapy has been disabled, and then nothing counters the fibrillation.
Lesson learned: the implant itself should check that the therapy is enabled before it applies a life-threatening test shock.
Interesting quote:
Additionally, we argue that if any IMD exhibits a test procedure T for some property P, and if there are no medical reasons for conducting procedure T other than testing property P, then it should be impossible to trigger T unless P is enabled. For example, as our experiments suggest, if P is the efficacy of the device when therapies are enabled and T is a test, then the ICD — not only the external programmer — should verify that therapies are enabled prior to conducting the test T.
I should keep this in mind…
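To make the point concrete, here is an added example (my own code, not from the paper and not any real device's firmware) that models the flaw described above and the rule in the quote. The command set, the state struct, the two handlers and the replayed recording are all assumptions. The naive handler executes whatever arrives, relying on the programmer software for the safety check; the hardened handler gates every test procedure T on its property P on the device itself, so a replayed "test shock" after "disable therapy" is rejected instead of delivered.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical command set; not the real device protocol. */
typedef enum {
    CMD_ENABLE_THERAPY,
    CMD_DISABLE_THERAPY,
    CMD_TEST_SHOCK,      /* test procedure T for property P = therapy efficacy */
    CMD_READ_STATUS
} cmd_t;

typedef struct {
    bool therapy_enabled;   /* property P */
    int  shocks_delivered;
    int  unsafe_shocks;     /* shocks delivered while therapy was disabled */
    int  rejected;          /* commands refused by the on-device check */
} implant_t;

typedef void (*handler_fn)(implant_t *, cmd_t);

static void deliver_test_shock(implant_t *d)
{
    d->shocks_delivered++;
    if (!d->therapy_enabled)
        d->unsafe_shocks++;   /* induced fibrillation with nothing to counter it */
}

/* Naive firmware: executes whatever arrives over the air. The only guard
 * against TEST_SHOCK-while-disabled lives in the programmer software,
 * which a replayed recording never passes through. */
static void handle_naive(implant_t *d, cmd_t c)
{
    switch (c) {
    case CMD_ENABLE_THERAPY:  d->therapy_enabled = true;  break;
    case CMD_DISABLE_THERAPY: d->therapy_enabled = false; break;
    case CMD_TEST_SHOCK:      deliver_test_shock(d);      break;
    case CMD_READ_STATUS:     break;
    }
}

/* The paper's rule: a test T for property P must be impossible unless P
 * is enabled. Non-test commands have no such precondition. */
static bool test_precondition_met(const implant_t *d, cmd_t c)
{
    switch (c) {
    case CMD_TEST_SHOCK: return d->therapy_enabled;
    default:             return true;
    }
}

/* Hardened firmware: same command set, but the invariant is checked on
 * the implant, so it holds no matter who the transmitter is. */
static void handle_hardened(implant_t *d, cmd_t c)
{
    if (!test_precondition_met(d, c)) {
        d->rejected++;
        return;
    }
    handle_naive(d, c);
}

/* Replay a recorded command sequence against a fresh implant state. */
static implant_t replay(handler_fn h, const cmd_t *seq, size_t n)
{
    implant_t d = { .therapy_enabled = true };
    for (size_t i = 0; i < n; i++)
        h(&d, seq[i]);
    return d;
}

/* Constructed recording (assumption): a captured legitimate session that
 * enabled therapy and ran a test, followed by a captured "disable therapy",
 * with the test shock replayed after it. */
static const cmd_t RECORDED[] = {
    CMD_ENABLE_THERAPY, CMD_TEST_SHOCK, CMD_DISABLE_THERAPY, CMD_TEST_SHOCK
};
#define RECORDED_LEN (sizeof RECORDED / sizeof RECORDED[0])

int shocks_naive(void)           { return replay(handle_naive,    RECORDED, RECORDED_LEN).shocks_delivered; }
int unsafe_shocks_naive(void)    { return replay(handle_naive,    RECORDED, RECORDED_LEN).unsafe_shocks; }
int shocks_hardened(void)        { return replay(handle_hardened, RECORDED, RECORDED_LEN).shocks_delivered; }
int unsafe_shocks_hardened(void) { return replay(handle_hardened, RECORDED, RECORDED_LEN).unsafe_shocks; }
int rejected_hardened(void)      { return replay(handle_hardened, RECORDED, RECORDED_LEN).rejected; }

int main(void)
{
    printf("naive firmware:    %d shock(s), %d unsafe\n",
           shocks_naive(), unsafe_shocks_naive());
    printf("hardened firmware: %d shock(s), %d unsafe, %d rejected\n",
           shocks_hardened(), unsafe_shocks_hardened(), rejected_hardened());
    return 0;
}
```

The same recording is fed to both handlers. Against the naive firmware the second test shock lands while therapy is disabled; against the hardened firmware it is counted as a rejection. Note that the check is a property of the implant's own state, not of the channel: it works even if the radio link has no authentication at all, which is exactly the situation replay exploits.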