The Legacy of Barnaby Jack: Pacemaker Hack Causes Government Action

Dick Cheney Alludes to What We Were All Wondering

Former United States Vice President Dick Cheney admits his reservations about the security of his own medically implanted device (a pacemaker and defibrillator).

On October 22nd the former Vice President of the United States Dick Cheney granted an interview with CBS’s “60 Minutes” reporter and CNN Chief Medical Correspondent Dr. Sanjay Gupta. In the interview Cheney revealed that doctors had removed the wireless capabilities on his pacemaker, which was installed in 2007. Recent speculation and logic prove that these devices often operate wirelessly, making them vulnerable to unauthorized access, denial of service, and even malware.

The Barnaby Jack Story

Barnaby Michael Douglas Jack (1977-2013)

Almost 3 months earlier (July 25th, 2013) in San Francisco, California State Police announced the death of internationally renowned hacker Barnaby Jack. Jack spoke annually at the Black Hat Conference to prove new theories and probable scenarios without compromising his ethical standards. One of his greatest achievements at the conference was hacking an ATM in the lobby of the hotel where the conference was being held. He accomplished this from the stage while presenting his solution to the vulnerability. In 2011 Jack was able to override the radio control and vibration alert of an insulin pump to deliver a potentially lethal dose of insulin to the wearer without them even knowing.

This year, at age 36, he was set to unveil his newest and most malicious hack at the Black Hat Conference (August 1st, 2013). This hack was designed to steal the most precious thing that we have: life. By exploiting the wireless capabilities, Jack stated that he could hack into implantable cardioverter defibrillators and pacemakers. Only days before he was set to speak and demonstrate the vulnerabilities of these devices, he was mysteriously found dead in his San Francisco, California residence.

Fact or Fiction about Medical Device Security

In recent months, there has been a whirlwind of motion around this topic in general. Many of the world’s great minds could not comprehend how the infection of medical devices was even possible due to the tremendous security measures that are taken when the devices are designed and used in medical procedures. The idea was so “far-fetched” that even the television show “Homeland” depicted a pacemaker assassination by a hacker at the end of its last season.

In reaction to the recent related events, the U.S. Government is taking extensive action to attempt to combat the vulnerability. Over a year ago the U.S. Government Accountability Office (GAO) made the very distinct recommendation that the Food and Drug Administration (FDA) be handed the task of researching the possibility that these devices are indeed susceptible to wireless attacks. In response, the FDA has issued specific orders to the device manufacturers and hospitals to strengthen security to prevent hacking into these now vital systems. These orders are specifically geared to:

  • Limit malfunctions resulting from computer viruses;
  • Protect the confidentiality and integrity of data; and
  • Require that cyber attack plans are in place before approval for the device is granted

The Center for Internet Security (CIS) has also taken action by launching a mobile medical device security benchmark initiative earlier this year.  President and CEO of CIS, William Pelgrin, stated that even though there have not been any documented cases of this type of breach, “the risk is real.  Unsecured wireless devices are vulnerable to attack.”

If My Organization Deals with These Devices, What Does This Mean?

If your organization works with or around these types of devices, then there is a significant vulnerability that must be addressed. If your network is not secured, you are potentially placing your patients or clients at risk. There are many companies that can execute security assessments and network vulnerability tests to identify risks or threats that your company may be facing. If your organization does deal with persons with medically implanted wireless devices, you should immediately engage an IT security firm for more information regarding the vulnerabilities of your network and mitigating your risk.
