Digital security expert says medical device companies are failing to make pacemakers safe

17 October 2012 (Last Updated October 17th, 2012 18:30)

The poor programming of wireless bedside transmitters in pacemakers and implantable cardioverter-defibrillators (ICDs) could lead to deaths, according to new research.

Wireless bedside transmitters are used to give instructions to pacemakers and ICDs to deliver an electric shock when any irregularities in the heart are detected. However, this could be exploited by hackers.

The study has found that the US Food and Drug Administration (FDA) looks at the medical effectiveness of devices, but not the security of a device's code.

IOActive embedded device security director Barnaby Jack, who led the study, warned that security weaknesses in some devices could be exploited to give a deadly electric shock to the wearer.

With FDA-approved full radio frequency-based implantable devices operating in the 400MHz range, hackers can extract a device's serial and model number and reprogramme the firmware of a transmitter to deliver a shock.

Jack demonstrated this weakness at the Ruxcon Breakpoint security conference in Melbourne, Australia, by giving an 830V shock to an ICD.

"My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security of their code, and not just the traditional safety mechanisms of these devices," Jack said.

To overcome the remote attacks against the software, Jack is developing a new application with a graphical user interface, 'Electric Feel', allowing users to scan a medical device before use, reports PC Advisor.

The application will provide a list, through which a user can select a device, such as a pacemaker, which can then be shut off or configured to deliver a shock.