Researcher claims feasibility of writing lethal wireless pacemaker viruses


30 Responses to “Researcher claims feasibility of writing lethal wireless pacemaker viruses”

  1. anansi133 says:

    If the thing I buy to keep me alive doesn’t really belong to me, then who do *I* then belong to?

  2. Boundegar says:

    The only thing that saves this from being true nightmare fuel is the very low likelihood of other same-brand pacemakers within 30 feet.  If your thing got virused, the virus would have a hard time spreading.

    But still.  Yeeagh.

    • Marc Mielke says:

      Spread the virus through old folks homes, cardiology labs (high chance all patients in a single lab might have the same brand, I’d guess), anywhere the elderly congregate to increase the overall probability of pacemakers in general. Set your “Heartbreaker” to go off after, say, one week or so. I think that might cause enough mayhem.

    •  And just to be clear, the pacemakers don’t spread the virus — they only receive it. The programmer device spreads the virus. Cory has either misread or misworded that part of his comment. It would take someone bringing a programmer to the Republican Convention or some other place with lots of potential victims — you couldn’t just turn someone with a pacemaker into a walking bomb.

  3. strangefriend says:

    OK, but why would hackers do this?  Just to cause sh!t?  I can see, say, Iranians doing this if the US turns up the screws more, but who wants to kill a bunch of old people they don’t know?  Unless, of course, it was a cover for killing ONE old person so they could inherit, say, $5 billion dollars.

    • anansi133 says:

       Think of a variation on the old “Lock you in a bomb vest and make you rob a bank for me”- this one would be so much more subtle. All you’d need to do is perform some non-lethal shocks to convince the victim you mean business.

      Sounds like the next caper movie to me!

    • Antinous / Moderator says:

      …but who wants to kill a bunch of old people they don’t know?

      Well, you clearly don’t live in Palm Springs or Fort Lauderdale.

    • Editz says:

      Makes you wonder if someday insurance companies will insist on post-mortem examinations of the devices for signs of tampering in cases of strange cardiac deaths.

    • Lexicat says:

       “who wants to kill a bunch of old people they don’t know?”

      Governments, corporations, and bigots.

    • dragonfrog says:

      Iranians can be hackers too, as can people of any nationality.

      If the one person you want to kill is the president of a rival country, or CEO of a rival company, it could get very movie-plot plausible (which is to say, not usually plausible, but occasionally freakily prescient).

    •  Because it would be like wow!  Specially if you do it with an app using a slashing motion.

    • Thorzdad says:

      You make the mistake of assuming “hackers” is a giant monoculture of peaceful, white-hat-wearing geeks working for the good of all mankind. It’s not too beyond the pale to imagine some misanthropic nerd doing this “just for the lulz.”

  4. TheOven says:

    If this were true, why is Dick Cheney still here?

  5. tylerkaraszewski says:

    Also, you can kill people by shooting or stabbing them.

  6. Rindan says:

    Shit that goes into your body should be open source, period. Security through obscurity is a sure way to fail.

    That said, I am not all that terrified.  Body hacks are scary in theory, but in practice, it is about as scary as some dude wandering around poisoning people.  You need a combination of sadism, technical capability, and lack of fear of consequences that is just so damned rare it isn’t worth worrying your pretty little head over so long as there is cancer, heart attacks, and cars driven by your fellow humans.

    A smart sadistic human with no fear of consequences could do far worse than whack a few pacemakers.  With access to just the chemicals I have at work I can think up at least a couple of ways to murder a pile of people in very terrible ways that would be very hard to trace to me.  Lone killers are just not worth the bother of worrying about. Hell, I think DHS should be tossed in the trashcan because organized terrorists are not worth worrying about either. What can I say though, I am a crazy fellow who only thinks you should worry about things that stand at least a slim chance in hell of killing you.  Fear cancer, heart attacks, and cars.

    • tylerkaraszewski says:

      Open source is a complete non-solution here. How do you verify that the code running on a pacemaker matches any particular branch of source code in a publicly accessible repository? How long is the company who builds the pacemakers supposed to wait around for someone to look through the code to try and find problems like this before they start putting the code on actual pacemakers and shipping them?

      One of the biggest myths that people seem to have about open source software is that there are thousands of qualified people out there reading through it for no other reason than because they think it’s an interesting way to spend their evenings. This is not the case.

      • Rindan says:

        The point isn’t to have branches and or even public contributions.  The point is to have the code available for inspection.  Interested parties should be able to examine the code and look for weakness.  Security through obscurity simply doesn’t work.  

        Will armies of people tear into the code?  Probably not.  Will a few security folks and nerds with giant batteries attached to their heart take an interest?  Probably.

        If nothing else, it encourages non-shitty coding practices.  It is one thing to write bad code and hide it.  It is another thing to write bad code for a life critical device and then have everyone be able to look at it.

  7. henryschwarz says:

    Barnaby attacked my ATM at Black Hat 2010:

    • TheMadLibrarian says:

      Unless you are using this as a cautionary tale, it has very little relevance to jinxing pacemakers.

      • henryschwarz says:

        Same security researcher (Barnaby Jack) doing the same thing (infecting an embedded device with malicious firmware), but with very different consequences.

      • dragonfrog says:

        It’s some interesting background information on the related professional history and approach of the researcher.  I can hardly imagine a more relevant link.

  8. Already the MacGuffin on NCIS.  Nice to know that it’s real, but I am glad I don’t need a pacemaker.

  9. Girard says:

    “They had spent two years of team effort figuring out how to use mobile phone technology to hack into a pacemaker and turn it off by remote control, in order to kill a person…The reason I call this an expression of ideology is that there is a strenuously connected lattice of arguments that decorate this murderous behavior so that it looks grand and new. If the same researchers had done something similar without digital technology, they would at the very least have lost their jobs. Suppose they had spent a couple of years and significant funds figuring out how to rig a washing machine to poison clothing in order to (hypothetically) kill a child once dressed?…These are certainly doable projects, but because they aren’t digital, they don’t support an illusion of ethics.”
    Jaron Lanier, You Are Not a Gadget, p. 65

    I’m not sure if I back Lanier’s attitude that the tech angle “supports an illusion of ethics,” but the contrast he draws (which is probably a problematic analogy in ways that don’t occur to me right now) seems to illustrate a certain amount of paranoia we have toward the digital that we don’t have toward, say, the mechanical. Like, why aren’t blog posts going up about the remote, but real, possibility of people poisoning the machines at your local laundromat, but they are going up about the remote, but real, possibility of someone flashing a virus to your pacemaker?

    • Jerril says:

      Because there are people spreading viruses to all kinds of equipment. It’s something the every-day person is dreadfully familiar with, often because they keep having to get their machine scraped clean.

      Their experience of malware is that it is mysterious and unstoppable AND a universal constant.

      Telling the person who’s got three unwanted toolbars and whose World of Warcraft account keeps getting hacked that the same asshats that do that sort of thing to their desktop could do that to their grandfather’s heart is very believable.

  10. Christina Ward says:

    In the ‘hack’ environment, a real and practical use for that virus has been overlooked.

    Many of these pacemaker/defrib devices have been implanted into bodies whose brains are degenerating at an exponential rate. Visit any Alzheimer’s care unit and you will see people who are essentially only alive because of these devices.  Families do not have the ability to turn OFF these devices. 

    If you want to get a real feel for what a zombie really looks like; visit any long-term care facility filled with people who have severe Alzheimer’s.  Alive, only because of the steady shock to their hearts provided by that machine.

    These facilities charge anywhere from 5k to 12k per MONTH for the care provided; now it’s an economic issue.

    As an aside, I’ve heard the rumor that passing a very strong magnet over the chest of someone with this kind of device will booger it up enough to render it inoperable.
