Friday, August 15, 2008

Hacking a Heart

You may have seen the recent news stories about how some researchers have figured out how to hack a heart.

Researchers at the University of Massachusetts have figured out how to turn off a pacemaker remotely, using wireless communications. There were a number of news stories about their research last spring, but it got a lot of press recently because they did a DefCon presentation on the heart hack.


Computers use wireless signals to program a pacemaker so it can deal with the patient’s unique needs. Not surprisingly, pacemakers’ wireless signaling capacity isn’t protected with passwords or encryption or any other kind of security . . . probably because no one ever thought it would be needed. Pacemakers were invented long before we had the Internet or wireless networking, and probably haven’t been modified to take either of those into account.

The stories all say that this isn’t something people with pacemakers need to be worried about, at least not for the moment. From what I’ve read, the researchers used very expensive technology, which puts the hack outside the reach of most people. And from other things I’ve read, it seems you have to be very close to the pacemaker to be able to send a signal that will shut it down.

I suspect both of those conditions are transient. As we all know, technology evolves very rapidly, and now that the “how” of this has been demonstrated, it will probably not be long before someone figures out how to make it a realistic way to commit murder.

Would it be a cybercrime if, say, Joan used an evolved version of this hack to shut down the pacemaker of her not-so-dearly-beloved-but-very-very-rich uncle Ferd? It would be murder, and it would be committed by using computer technology, so, sure, it would be a cybercrime. (As I’ve noted elsewhere, I define cybercrime as using computer technology to commit a crime; it can be a computer-specific crime like spreading a virus or it can be a regular, garden-variety crime like theft.)

Would there be any difficulty in prosecuting Joan, assuming the prosecution could prove what she did and prove that what she did caused Ferd’s death? I can’t see why there would. As I’ve noted elsewhere, criminal law traditionally has worried about the result – the “harm” – instead of the method. So we outlaw homicide; we don’t separately outlaw homicide by shooting, homicide by stabbing, homicide by poisoning, homicide by strangulation, and so on.

(A number of states do have vehicular homicide statutes, but I think those are artifacts dating back to when cars were new . . . the product of a feeling that you needed to make it really, really clear that if you ran someone down with a car and killed them, that was homicide. I don’t think any jurisdiction ever felt it necessary to adopt homicide-by-wagon statutes, probably because it would be pretty hard to kill someone with a wagon, unless you caught them off guard.)

Getting back to my point, the substantive law – the law that defines criminal offenses – would not be a problem here: Murder is purposely causing the death of another human being. Joan, in our hypothetical, used the pacemaker for the purpose of killing Ferd, and succeeded. So, that’s murder.

I’m not even sure proving the crime would be that difficult. Not being a technical expert, I can’t opine on how easy it would be for Joan to hide her tracks, but for the moment I’m going to assume that it would be possible to prove Ferd died from a hack, not from natural causes. (I’m also willing to bet that pacemakers are going to become more sophisticated, hopefully more impervious to this kind of hack. Along with that, they might include some feature that could track such a hack, just in case the pacemaker was not able to resist a particular attack.)

What I find interesting about this is the possibility it creates of getting away with murder because no one realizes there has BEEN a murder. There have been anecdotal tales about attempts to hack hospital computers, apparently for the purpose of causing the death of someone or more than one someone. There have been stories about efforts to alter the dosage of particular medications, for example, the premise being that the hacker would increase the dosage of a medication so that it would cause the person’s death relatively quickly.

If such a hack were possible, and if hospital personnel didn’t (as I assume they would) notice that the dosage of that particular medication was out of whack for a patient, then it would be a clever way to commit murder. It would probably be even more clever if the killer upped the dosage of the medication for a number of people. That way, it could look even more like medical negligence than murder. And even if someone figured out that it was murder, it would then be necessary to figure out which of the patients was the real target, with the others, sadly, simply serving as the killer’s smokescreens.

I hope the pacemaker hack can somehow be resolved before it becomes possible really to do this to someone else. I hope that because I suspect that if someone were to do this, they’d stand a really good chance of getting away with murder. The death might be attributed simply to the patient’s own fragile condition; or it might be attributed to a faulty pacemaker.

The pacemaker hack illustrates the unanticipated perils we will have to confront as technology becomes an increasingly pervasive aspect of our lives. Pacemakers are a well-established, routine type of implant. Many forecast that in the future we will have other kinds of implants . . . implants designed to make our lives easier by, say, letting us use our brains to access information or communicate wirelessly with each other. Other implants might somehow boost our alertness or intelligence. Those implants, like the pacemakers that have been around for decades, can become a vulnerability, a way to attack someone in new and different ways.

The so far unrealized pacemaker hack as murder also illustrates another aspect of cybercrime. People have been saying for a long time that the best cybercrime is the one no one realizes has been committed.
