
Well, it’s a great Monday morning here in Chi town, but as I was perusing the headlines of what to blog about this morning, I came across some very distressing news.  But first, let me give you some background.  About 6 years ago, I suffered a massive heart attack.

In fact, it was so bad that only half of my heart is still functioning today.  I had 5 grafts sutured into my heart, and as the surgeon met my family to debrief them about the surgery, the first words out of his mouth were “He’s lucky to be alive”.

Now of course, there are millions of others like me here in the United States with varying degrees of heart ailments; some are much more serious than mine, others less so.  But, the good news is that we live in a country where advancements in heart treatments are happening every day.

But, there is one thing that never crossed my mind until now:  That even the technology that is used to treat heart patients can be prone to a Cyber attacker as well.

Now, I don’t mean the computers as such, but rather the medical instruments that are used in the heart procedures themselves.  Such is the case with the cardiac Pacemaker.  Millions of Americans have one implanted into their heart, where it is used to help control an irregular heartbeat.

According to the news wire this morning, some half-million pacemakers are up for a firmware update, to address potentially life-threatening vulnerabilities.

Apparently, this firmware upgrade is being used to protect the patient from unauthorized access to their Pacemaker.  In other words, it is only their cardiologist or PCP that can adjust these settings, according to the best medical interests for the patient.

The catalyst for this has been when security researchers, programmers, and remote monitoring systems discovered in 2017 that the St. Jude’s cardiac implant ecosystem was riddled with cybersecurity flaws that could result in “catastrophic results.”

What is at stake here is a universal, hardcoded unlock code that, if discovered by the Cyber attacker, would give a hacker backdoor access to all affected Pacemaker devices.  Not only this, but this transmitter is also extremely vulnerable to what are known as “Man in The Middle Attacks”, and as a result, the backdoor could be exploited to send commands so that an attacker could manipulate the implants and cause heart problems and even death.
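To see why a single hardcoded code is so much worse than a per-device secret, here is an added sketch (not from the original post, and not how any vendor's firmware actually works) that puts the weak pattern beside a per-device challenge-response.  The class names, serial numbers and key values are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Weak pattern: one unlock code compiled into every device (constructed value).
UNIVERSAL_CODE = b"constructed-demo-code"

class WeakDevice:
    def __init__(self, serial):
        self.serial = serial

    def unlock(self, code):
        # Same static secret everywhere: learn it once, unlock the whole fleet.
        return hmac.compare_digest(code, UNIVERSAL_CODE)

class HardenedDevice:
    """Hypothetical design: per-device key plus a fresh nonce per session."""
    def __init__(self, serial, device_key):
        self.serial = serial
        self._key = device_key
        self._nonce = None

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response):
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self.serial + self._nonce,
                            hashlib.sha256).digest()
        self._nonce = None  # single use, so a captured response cannot be replayed
        return hmac.compare_digest(response, expected)

def programmer_response(device_key, serial, nonce):
    # What an authorized programmer holding this device's key would send back.
    return hmac.new(device_key, serial + nonce, hashlib.sha256).digest()

def demo():
    results = {}
    a, b = WeakDevice(b"SN-A"), WeakDevice(b"SN-B")
    results["weak_code_unlocks_every_device"] = (
        a.unlock(UNIVERSAL_CODE) and b.unlock(UNIVERSAL_CODE))
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    ha, hb = HardenedDevice(b"SN-A", key_a), HardenedDevice(b"SN-B", key_b)
    resp = programmer_response(key_a, b"SN-A", ha.challenge())
    results["legitimate_unlock"] = ha.unlock(resp)
    ha.challenge()  # new session, new nonce
    results["replayed_response_rejected"] = not ha.unlock(resp)
    nonce_b = hb.challenge()
    results["key_from_other_device_rejected"] = not hb.unlock(
        programmer_response(key_a, b"SN-B", nonce_b))
    return results
```

Authenticating the unlock is only the first step: against a Man in The Middle, every command sent after the unlock has to be authenticated as well, or it can still be altered in transit.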

What is even more alarming is that St. Jude had known about these security issues way back in 2014 and is only now taking corrective actions in terms of its firmware upgrades.  Even worse yet, it is not just St. Jude that has security flaws in their Pacemaker technology; there are over 8,000 security vulnerabilities that were discovered across seven different pacemaker programmers (a device used for programming pacemakers) from four different manufacturers.

But, it really may not be the device itself which is actually at risk, but rather, its connectivity with other technologies that are needed to make them run smoothly and efficiently.  For example, according to this quote: “Connected devices have become the weakest link in a hospital’s cybersecurity chain. . . these connected devices were not built with security in mind, they very often run obsolete operating systems, use unsecure communication protocols and are typically out of scope for traditional IT security solutions, and therefore are difficult to protect.”  (SOURCE:  https://threatpost.com/abbott-addresses-life-threatening-flaw-in-a-half-million-pacemakers/131709/).

So far, the good news is that Cyber attackers, who may have some moral boundaries of their own, have not exploited this security flaw into an actual threat.  But, research in the simulation labs has shown that some of the pacemaker models could be remotely controlled and commanded to deliver an 830-volt shock via a laptop.  That is, of course, enough to kill someone in just a matter of a few seconds.

But on the flip side, apparently, getting the firmware upgrade to your pacemaker is not at all a complicated process.  Rather, it simply takes a quick visit to your cardiologist or PCP to receive it, and it is non-intrusive.

For example: “During the upgrade a wand will be placed over your ICD or CRT-D and will transfer the information to the device . . . At the end of the process, the final settings on your device will be reviewed to ensure that the updates have been completed successfully.”  (SOURCE:  https://threatpost.com/abbott-addresses-life-threatening-flaw-in-a-half-million-pacemakers/131709/).

Apparently, this whole process takes less than 5 minutes.  So, let us go back and visit this issue of connectivity.  There is a new concept, or I should say, technology, that has evolved out there, and this is known as the “Internet of Things”, or “IoT” for short.

This is a rather complex phenomenon, but in simple terms, it all comes down to how we, as individuals, interact with objects on a daily basis in both the physical and virtual worlds.

These interactions, or connections, can then be used for many purposes, especially when it comes to making our everyday lives easier.  Probably some of the best examples of this (although they are still in the evolving stages) are Siri and Cortana, the Virtual Personal Assistants that are available on our Android or iPhone devices.

They are meant to make lives easier for us, especially when we are on the road travelling, by giving us driving directions, locating restaurants based upon our preferences (apparently, when we first initiate Siri and Cortana, we have to build a profile, and they “learn” about us over time), etc.

There is also another concept called the “Smart Home” in which all of the objects in our home are connected with one another.  So, if we say something like “Siri, start my computer” it will not only start this, but even ask us if we want any other related electronic device started.  It is important to keep in mind that IoT is still in the beginning stages, and there are not too many applications of it yet in the real world.

My thoughts on this?  A lot of visionaries and idealists are touting that the IoT will be the wave of the future.  To me, it is all just a bunch of phony baloney.  I like to keep things simple; there is no need for all of this interconnectedness with one another.  Really, all of these points of connection are just another point of failure, leaving more vulnerabilities for the Cyber attacker to prey upon.

As it is summarized nicely by this quote: “With the number of IoT and connected devices being used within hospitals constantly increasing and diversifying in their nature, the exposure to potential breaches is great; [vulnerable] devices can vary from MRI machines to an insulin pump, the latter of which could result in an attacker administering a fatal dose.”  (SOURCE:  https://threatpost.com/abbott-addresses-life-threatening-flaw-in-a-half-million-pacemakers/131709/).