If I used a pacemaker — a machine that used pulsing electrical signals to help keep me alive — the last thing I'd want is for hackers to try and tamper with it. But not everyone is as brave as cybersecurity expert Marie Moe.
Moe is calling for hackers and security researchers to start hacking pacemakers. It's not to potentially put people in harm's way, but to make them more safe and secure from tampering.
Moe was given a pacemaker after a cardiac episode at a relatively young age, while she was working on digital security for Norway's critical infrastructure. When she realized that the pacemaker had wireless communication capabilities, she knew from experience that this meant it could possibly be hacked.
"I realized that my heart was now wired into the medical Internet of Things, and this was done without informing me or asking for my consent," Moe wrote in Wired Monday morning. "I was alarmed. ... As a security researcher, I see this as an increased attack surface."
"As a security researcher, I see this as an increased attack surface."
Nobody has died from a hacked pacemaker yet, but hackers and researchers are confident that pacemakers and other medical devices, like drug infusion pumps, are definitely hackable given enough time and dedication.
The problem: Medical devices like pacemakers are a "black box" technology, meaning that nobody knows what the code inside looks like. For example, imagine owning a car with no means of checking under the hood to see what kind of engine it has or changing the oil yourself. This is the problem with making pacemakers secure: You can't fortify a program if you don't know how it works.
By collecting discarded and donated pacemakers, then putting them to the test, Moe is hoping that the hacking community can learn enough about what's under the hood to eventually make pacemakers safer.
"[P]atients have been killed due to malfunction of their medical devices, configuration errors and software bugs," Moe wrote. "This means that security research in the form of pre-emptive hacking, followed by coordinated vulnerability disclosure and vendor fixes, can help save human lives."