Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016

An anonymous reader writes: A surge in ransomware campaigns is expected to hit the medical sector in 2016, according to a recent report published by forecasters at Forrester Research. The paper 'Predictions 2016: Cybersecuirty Swings To Prevention' suggests that the primary hacking trend of the coming year will be "ransomware for a medical device or wearable," arguing that cybercriminals would only have to make mall modifications to current malware to create a feasible attack. Pacemakers and other vital health devices would become prime targets, with attackers toying with their stability and potentially threatening the victim with their own life should the ransom demands not be met.

Re:DJ Kardio and the Beatskippers

[cdrudge]

Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.

Re:DJ Kardio and the Beatskippers

[canajin56]

The problem is that people see "wireless" and think "wireless network a.k.a. WiFi". These devices are programmable using wireless communication, but they are not on WiFi. They communicate with a "programmer", a device that is placed on the patient and used to change the treatment protocols. The issue is that this communication is not encrypted and it is vulnerable to a replay attack. That means with a USRP module and a some GNU Radio know-how, you can mimic the programmer device from a long way away. This lets you send commands like "disable treatment 1". The reason this is potentially lethal is that while the pacemaker cannot be turned off by the programmer, this is part of the UI, not part of the pacemaker! So if treatment 1 was the only one currently enabled, the UI would not let the doctor send "disable treatment 1" but the pacemaker would still accept that command should it receive it. But that's a slow kind of lethal. It just means that if the patient has an issue that needs correcting, the pacemaker won't correct it. This particular model has another thing it can do. It has a built in defibrillator. That way of the patient needs zapping, the pacemaker can be told to do it, rather than needing paddles (which would potentially fry the pacemaker). This mode is also activated by a wireless command. One that can be sent using a replay attack. Normally after a shock, the pacemaker would reestablish rhythm. But not if all treatment protocols are turned off.

So although these devices are hackable, it's not a remote hack unless you happen to hack a computer that's close to the patient, and that has a radio you can control with GNU Radio.

That's not to say these devices don't touch WiFi at all. To avoid frequent doctor's appointments, the hospital can give you a device that will connect to your home network and act as a relay. This doesn't let them reprogram the pacemaker remotely, what it does is transmit telemetry remotely so the doctor can check up on you daily without needing to schedule an appointment. As I understand it, this relay runs Windows XP and is full of holes (but I repeat myself). This lets hackers potentially access lots of confidential medical data, but doesn't let them kill you.