Pacemakers, Defibrillators the Latest Target for Hackers?
Millions of Americans have pacemakers, which keep their hearts beating regularly, or (like Dick Cheney) an implanted defibrillator, which can automatically restart a stopped or fibrillating heart when it detects an issue.
However, after these devices are implanted, they have to be programmed by a doctor. And that is the security hole that could allow hackers to maliciously attack these types of implanted devices.
The "programmer," as it's called, transmits a signal to the implanted device. In a "why didn't they think of this earlier?" study, researchers have found that they could simulate the signal without the need of a programmer - which, for security reasons, can only be sold to physicians by one of the manufacturers (Medtronic Inc., Boston Scientific Corp., and St. Jude Medical Inc.).
Of course, if you don't need a programmer ...
"This report demonstrates that you can obtain private information without authorization. You can reprogram the device without authorization," said William Maisel, a Harvard Medical School cardiologist and a co-author of the study, which will be presented at a California computer-security conference in May.
It should be noted that there have been no incidents like this so far (BTW, researchers, thanks for giving hackers a new idea).
Dr. Maisel and his colleagues on the study - Kevin Fu of the University of Massachusetts, and Tadayoshi Kohno of the University of Washington, both computer-science professors - emphasized that they tested only one model of defibrillator made by Medtronic. They informed the FDA last month, Maisel said.
It's not clear how long this hole will remain open, anyway. Boston Scientific, for one, encrypts data passed to its defibrillators, and doubted its devices could be hacked. That, to me, sounds perfect, as that's how, for example, some models of powerline networking adapters work, encrypting data and pairing with each other to prevent hacking.
Meanwhile, Medtronic, the company with the questionable device, indicated it was increasing security in its products but said that security must be balanced with practicality and safety: if each defibrillator had its own password to prevent unauthorized access, a doctor might not be able to control it in an emergency situation.
Yeah, that makes sense, but isn't that what computerized records are for? I mean, after all, computers are secure and ... oh, waitasec.


