At the Breakpoint 2012 Security Conference, IOActive researcher Barnaby Jack recently warned that pacemakers made by several different vendors can be forced to deliver an 830-volt electrical shock from up to 50 feet away.
“Jack … said the flaw lies with the programming of the wireless transmitters used to give instructions to pacemakers and implantable cardioverter-defibrillators (ICDs), which detect irregular heart contractions and deliver an electric shock to avert a heart attack,” writes Computerworld’s Jeremy Kirk. “A successful attack using the flaw ‘could definitely result in fatalities,’ said Jack, who has notified the manufacturers of the problem but did not publicly identify the companies. In a video demonstration, Jack showed how he could remotely cause a pacemaker to suddenly deliver an 830-volt shock, which could be heard with a crisp audible pop.”
“The vulnerabilities could be leveraged not only for anonymous assassinations, but also for mass murder if the attacker can load a compromised firmware update onto a terminal,” writes Softpedia’s Eduard Kovacs.
“Jack said his goal was not to cause harm, but to help manufacturers secure their devices,” writes SC Magazine’s Darren Pauli. “‘Sometimes you have to demonstrate the darker side,’ he said.”
“This is not the first time that Jack has been able to exploit vulnerabilities in critical medical devices,” notes Threatpost’s Dennis Fisher. “Last year he demonstrated an attack on insulin pumps that enabled him to cause the pump to give the wearer a lethal dose of insulin. He can execute that attack against a pump within about 300 feet.”