Stories about medical devices have come across my news feeds a few times in the last couple of months. Dutch security researchers found that they were able to hack several implantable medical devices.
What’s interesting here is that the researchers were able to do this using a black-box approach: they just used radio equipment to eavesdrop on wireless signals between the implantable devices and the equipment used to maintain and control those devices. The researchers weren’t privy to the communication protocols the vendors use to control the devices, but the researchers were able to reverse-engineer these protocols and then send command signals of their own. These protocols typically used poorly-implemented encryption or no encryption at all.
The equipment the researchers used doesn’t come cheap, nor does the researchers’ expertise. Still, this makes it at least theoretically possible to do several things regarding devices like these:
- Track the patient’s movements.
- Trigger potentially fatal shocks in defibrillators and pacemakers.
- Prevent a medical device from providing treatment.
- Disable a device’s power-saving mode, causing its battery to drain too fast.
This isn’t entirely theoretical. Research like this has compelled at least one vendor to provide software upgrades to minimize these shortcomings. That’s probably an imperfect solution, but there are obviously some complications in providing firmware upgrades for already-deployed devices.
And in a case that’s presenting some interesting privacy questions, police arrested and indicted a man on charges of arson and insurance fraud. They used data from the suspect’s heart monitor as evidence that he set fire to his own house to collect the insurance money.
The radios in these implantable devices have a pretty short range, just around five meters. So your story’s character couldn’t run exploits like these from a great distance, but it provides some interesting possibilities.
Photo credit to ec-jpr for VVIR leadless St Jude Medical pacemaker