This is not a hoax. There is a published research paper by scientists and medical professionals. They have explained in detail how a simple and relatively cheap way to fabricate a device that can be used to hack into an Implantable Cardiac Defibrillators (ICDs), also commonly known as as pacemakers.
During their research, they been successfully hacked their way into 10 pacemakers with successful results.
The things they were able to do to the said pacemakers are as follows:
1.) They were able to drain the device’s battery
2.) Steal information stored or sent from the pacemaker
3.) Send commands to the ICD, which can be fatal to the user.
To be able to do this, researchers created a test rig out of inexpensive commercial off-the-shelf equipment. The rig included a Universal Serial Radio Peripheral (USRP), a data acquisition system (DAQ), and a few antennas.
Their approach was pretty simple. It was a basic “black box testing” approach in the beginning. They even managed to hack the pacemaker without reverse engineering its protocol. The rest of the devices protected their data and communications using a simple XOR algorithm.
We are all inclined to think that hacking would be the hard part, but to their surprise, waking up the pacemaker to the signal they are sending was the deal breaker.
Pretty much, if they can wake up and activate the pacemaker, it would enable them to send through a command that would be received by the ICD.
This would mean that they need to be in close contact with the patient. Meaning to say, the hacking device needs to be inches away from the pacemaker inside the patient to wake up and activate the ICD.
If the attacker couldn’t afford this step to have it activated, he could just wait for the patient or a doctor to wake the device on their own.
Once the pacemaker is out of sleep mode, the attack rig can be used to send periodic pings to the ICD and keep it in a constant “on” state. Slowly but surely, continuous pings can also drain the ICD’s battery.
With their rig, the attack distance was two to five meters, but researchers said that attackers could use more powerful antennas to expand the rig’s reach.
Attacks can have lethal consequences
Technically, ICDs are more advanced than pacemakers, despite being referred to as pacemakers by some users. Just like a pacemaker, ICDs can send small electrical signals to a patient’s heart and regulate its activity. Additionally, ICDs are also capable of sending strong electrical signals, like a defibrillator, in the case of an emergency.
According to the researchers, the rig they have developed can be deadly depending on the set of commands that that has been sent to the ICD’s.
Researchers said they’d notified ICD vendors about the flaws they’ve found. The research paper, titled “On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them” is available online.
All “smart” medical devices are easy to hack
At the 32nd Chaos Communication Congress (32C3) held in Hamburg, Germany at the end of 2015, Marie Moe, a former member of Norway’s Computer Emergency Response Team, warned about the dangers of hackable pacemakers. Moe, herself, was using one such device.
A 2015 study by Independent Security Evaluators (ISE) has also shown the low level of skills an attacker needs to hack modern “smart” hospitals nowadays.
In October, Rapid7 security researcher Jay Radcliffe said he discovered that OneTouch Ping insulin pumps made by Animas, a Johnson & Johnson subsidiary, could be hacked and used to set off hypoglycemic reactions.