Well this one sounds like something from a science-fiction movie. A research team in Belgium has worked out how to hack into the communications used by an implanted medical device – that is, a piece of technology permanently placed inside a living person.
In this case, the device was an unnamed neurostimulator used to treat conditions including Parkinson’s Disease as well as chronic pain. Although these devices are placed within the body, they can be reprogrammed using wireless connections. The protocols which govern how data is exchanged between the implant and its programmer are not published, and crucially, in this case, not encrypted.
The researchers did not have access to the inner workings of the implant software, so they used what is known as black-box reverse-engineering to work out what was going on. In this context, the implant and its communications are the black box, and reverse engineering means working out how the implant works from seeing what it does.
The team used a pair of wireless antennas for receiving and sending messages. These were connected to a standard data acquisition system. The reverse engineering was performed by sending messages to the implant through one antenna and listening to the output with the other antenna. This approach is time-consuming but is relatively simple and requires no specialised equipment.
Over time, the team were able to reverse engineer the format of individual commands and found that they were neither encrypted against eavesdropping, nor were commands correctly authenticated to protect against improper use that could cause harm to the patient.
After discovering these problems, the team went on to suggest ways in which medical equipment could be made much more secure. One of the obvious solutions would require companies developing implants to publish details of the communications protocols used by their equipment. This may sound counter-intuitive (if we can read how they work, so can the bad guys), but it is common practice for computer security techniques – such as encryption – to be openly published for scrutiny.
The more people who can test how security works, the greater the likelihood of finding bugs and getting things fixed. All of the security you use when making phone calls, buying stuff online, paying by contactless cards and chatting on WhatsApp has been published, and it is secure. The makers of the implant had been practising ‘security through obscurity’ – that is, hiding how things work in the hope that no one would look – rather than making their devices truly secure.
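The two findings above (commands accepted without authentication, and the suggested fix of using published, scrutinised cryptographic techniques) can be made concrete with a small model. The following is an added example written for this article, not code from the research team or from any implant manufacturer: the real protocol is unpublished, so the frame layout, opcodes, key and counter scheme here are all constructed assumptions. It contrasts an implant that applies any well-formed command with one that requires a keyed HMAC-SHA256 tag and a strictly increasing counter, so that a forged frame, a tampered frame and a replayed frame are all rejected.

```python
import hashlib
import hmac
import struct

# Constructed toy frame layout (an assumption for this example, not the device's real format):
#   unauthenticated: 1-byte opcode | 2-byte parameter
#   authenticated:   1-byte opcode | 2-byte parameter | 4-byte counter | 32-byte HMAC-SHA256 tag
OPCODE_SET_AMPLITUDE = 0x01
OPCODE_STOP = 0x02
BODY_LEN = 7
TAG_LEN = 32


def build_unauthenticated_frame(opcode: int, param: int) -> bytes:
    """Frame on a channel with no authentication: anyone who knows the layout can build one."""
    return struct.pack(">BH", opcode, param)


def build_authenticated_frame(key: bytes, counter: int, opcode: int, param: int) -> bytes:
    """Frame carrying a counter (freshness) and a keyed tag (integrity and origin)."""
    body = struct.pack(">BHI", opcode, param, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Implant:
    """Minimal model of the implant's command handler."""

    def __init__(self, key: bytes):
        self.key = key            # per-device shared key (provisioning is out of scope here)
        self.last_counter = 0     # highest counter accepted so far
        self.amplitude = 0        # current stimulation setting

    def accept_unauthenticated(self, frame: bytes) -> str:
        # No check at all beyond the frame being parseable: this is the weak design.
        opcode, param = struct.unpack(">BH", frame)
        return self._apply(opcode, param)

    def accept_authenticated(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        opcode, param, counter = struct.unpack(">BHI", body)
        # Strictly increasing counter: a captured frame cannot be sent a second time.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return self._apply(opcode, param)

    def _apply(self, opcode: int, param: int) -> str:
        if opcode == OPCODE_SET_AMPLITUDE:
            self.amplitude = param
            return f"amplitude set to {param}"
        if opcode == OPCODE_STOP:
            self.amplitude = 0
            return "stimulation stopped"
        return "rejected: unknown opcode"


def demo() -> dict:
    """Run both handlers over constructed frames and return what each one did."""
    key = bytes(32)  # constructed all-zero key, for illustration only
    implant = Implant(key)
    results = {}

    # Unauthenticated channel: a frame from an unknown sender is simply applied.
    results["unauth_forged"] = implant.accept_unauthenticated(
        build_unauthenticated_frame(OPCODE_SET_AMPLITUDE, 900))

    # Authenticated channel: a genuine frame from the key holder is applied once.
    genuine = build_authenticated_frame(key, 1, OPCODE_SET_AMPLITUDE, 120)
    results["auth_genuine"] = implant.accept_authenticated(genuine)

    # The same frame with its parameter bytes altered fails the tag check.
    tampered = genuine[:1] + struct.pack(">H", 900) + genuine[3:]
    results["auth_tampered"] = implant.accept_authenticated(tampered)

    # The unaltered genuine frame sent again fails the counter check.
    results["auth_replayed"] = implant.accept_authenticated(genuine)

    results["final_amplitude"] = implant.amplitude
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model covers authentication and freshness only; the article's other finding, that commands could be read by an eavesdropper, would additionally need the frame body encrypted (in practice an authenticated-encryption mode that provides both properties at once). The point of the example is the one the article makes: none of this depends on the frame format being secret, so publishing it for scrutiny costs nothing.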
The medical implant story is just one from an increasing number of cases where ‘internet of things’ devices ranging from home security cameras to automated drug dosage systems and cars have been found to be insecure. With millions of these devices being bought every day and used in increasingly crucial environments – such as healthcare and transport – we need manufacturers to take security seriously.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4667325/ - a 2015 article summarising the need to secure insulin-delivery devices
http://www.bbc.co.uk/news/business-37551633 - a 2016 article about a security flaw in a Johnson & Johnson insulin pump
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ - 2015 WIRED article about a vulnerability that would allow remote control of a Jeep Cherokee