Pacemakers and Malware: The Beat Goes On
Sometime along September 2004 (see exhibit 1), I penned some thoughts on technology and the idea of binary-based malware infecting carbon-based life forms. The original piece was titled “Pacemakers and Malware Properities.”
The following revisits some of these thoughts in light of today’s increased dependency on technology and our somewhat naïve idea that technology is safe or that technology may even protect us.
This is not intended to be detailed research into medical procedures nor devices or even an in-depth analysis of medical risks and associated technical procedures but, rather a brief discussion of the potential..”what if.” Remember once again as you read ahead, these thoughts were first presented in 2004.
The examples given are probable, especially given the reliance of these devices upon microprocessors. Expanding our view, won’t or aren’t most all “appliances” which depend upon microprocessors to operate, susceptible in varying degrees?
Let me take this concept one step further with an idea I have been tossing around for some time, regarding the impact of malware and end user dependent appliances or appliances upon which end users critically depend.
Let’s go back, way back into the production life cycle of a product. I have elected to pick on the medical manufacturing industry, specifically those organizations which make pacemakers. According to policy, each pacemaker must have a serial number, be recorded and traceable. This makes sense, in case there is a malfunction or defect, each pacemaker can be traced back to its individual recipient.
By design, each pacemaker has as its heart (no pun) and soul a microprocessor, which performs a wide variety of functions all designed to make the life saving device – function properly - logical. Today’s pacemakers are so sophisticated and advanced, that an individual need not go into his/her physician’s office for a checkup or to re-calibrate the pacemaker. The “calibration” can be done in the comfort of the patient’s home via the telephone. The physician can transmit the appropriate instructions via signal, passed over simple twisted pair connectivity.
Ok, so knowing this, an interloper through poor or non-existent internal controls, weak overall security procedures and/or ineffective quality control, or simply because he/she has access and capability, embeds malware in the form of a Trojan into the source code burned into or uploaded to the pacemaker’s OS or ancillary and support application software.
The malware remains dormant and for the most part 99.9 percent of the devices, which contain this dormant malware are never “in play” or activated. But, because I can trace each pacemaker to the individual who wears it in his/her chest, I can target specifically selected individuals. Two scenarios evolve and come to mind easily, one political, one financial.
What type of chaos, damage or ability to shift the balance of power might I wield if I were to awaken my Trojan and execute its payload, in the pacemaker implanted in the chest of say a U.S. Senator, who is the swing vote on a major subsidy bill or a Congressmen who is blocking the expenditure of billions of dollars in funding for high tech genome research, or a C-level executive who is the architect of a green mail campaign seeking to overtake a favored third-party supplier?
My payload activates and is designed to cause a catastrophic OS failure, which in turn causes a cascading termination of critical systems, and ultimately failure of the medical device, and subsequent incapacitation or worse, death. However, to all subsequent external examinations, the deceased succumbed to a fatal heart attack, so unfortunate and at such a critical time (the individual did not make the meeting to cast the deciding vote and the measure passed [or was defeated] for example). We mourn his/her passing and deal with the results/impact of this event, not giving significant thought (or any thought) to the potential or possibility that the deceased fell victim to a pre-conceived plot to control political agenda, corporate policy or even potentially, foreign affairs.
From a financial perspective, how many health care facilities would drop, like the proverbial hot potato, an organization whose medical devices were shown to contain defective technology, the very technology, which drives the product? One could envision a domino effect occurring, which could ultimately infect (again no pun) an organization’s entire product line.
If all I wanted to do was to under mind the general public’s level of confidence in Company “A’s” product or products, all I would need is for a couple of high profile individuals (or even regular Janes and Joes) to drop dead and link their deaths not just to a specific product, which is tangible and visible, but to the technology unseen which hums within the product, unseen but critical to its proper functioning. The ensuing loss of consumer confidence and lawsuits may financially cripple the organization beyond its ability to restructure and continue as an ongoing enterprise. Mission accomplished!
So, yes, I can see where soon we as a society will be faced with a scenario where an individual or individuals (or rouge nation state, etc.) will seize upon the idea that overt control could be obtained by under minding, via malware, either the technology which controls an extremely wide variety of critical user “appliances” or the general public’s (and investing public’s) confidence in such appliances and their manufactures, due to a product’s susceptibility to undetected malware. Here is where I ended my 2004 article.
Cut now to 2013 and the following as aired on CBS….
Elementary Episode: "A Landmark Story"
Season 1, Episode 21
Original Air Date: May 2, 2013
Episode Synopsis: Holmes resumes his hunt for Moriarty when Sebastian Moran reveals that Sherlock's nemesis may be responsible for a series of recent murders, including the death of a man who was thought to have died from a heart attack.
We open on a man returning home to find another man perched on his couch with a laptop. (We will learn later this man's name is Daniel Gottlieb.) With the laptop Gottlieb has the power to hack the pacemaker in the man's chest. He wants the man to "revoke" his vote on a committee he sits on. The man grabs his iPad, revokes his vote and... Gottlieb kills him anyway.
Holmes and Watson perform on autopsy on the dead man and discover that his blood was literally boiled and he had marks on his hand consistent with being shocked and deduce that someone hacked his pacemaker.
After some other digging they discover the "revoke" vote he made right before he died. It appears his vote was the deciding one to knock an old prohibition era speakeasy off a historic register list meaning that a real estate/contractor could renovate the site now.
Reality or Hollywood?
So, just how far are we from hearing those immortal words first penned by Arthur C. Clarke “Open the pod bay doors, HAL.” “I'm sorry, Dave. I'm afraid I can't do that,” maybe not from sophisticated deep space apparatus but, from say your refrigerator, upon assessing that (a) it is after 21:00 hours and (b) you have reached your daily recommended calorie intake?
I haven’t even shared my ideas for the interplay of malware and the pharmaceuticals industry but, that’s for another time.
Go with throttle up.