Hacking Medical Devices to Hijack Secure Facilities

People entering secure facilities—such as those found in military, security, and government agencies—are often asked to hand over their connected devices such as fitness trackers and smartphones. Those devices are stored in secure lockers and then returned when their owners leave the facility. All this is done in the name of national security since these connected devices could be hijacked to compromise the security of these facilities.

But what happens if the connected device is inside the person?

That was the question Dr. Alan Michaels, director of the Electronic Systems Lab at the Hume Center for National Security and Technology at the Virginia Polytechnic Institute and State University, set out to answer with a team of researchers. In his presentation at this year’s Black Hat conference (which was offered virtually), Michaels described how implanted medical devices—such as pacemakers and insulin pumps—could be compromised to listen to conversations, access classified information, and even expose the location of these secure facilities.

"Given that these smart devices are increasingly connected by two-way communications protocols, have embedded memory, possess a number of mixed-modality transducers, and are trained to adapt to their environment and host with artificial intelligence algorithms, they represent significant concerns to the security of protected data, while also delivering increasing, and often medically necessary, benefits to their users," Michaels said.

The presentation summarized a research whitepaper authored by Michaels, Zoe Chen, Paul O'Donnell, Eric Ottman, and Steven Trieu, on how implantable medical devices (IMDs) could be a threat to a Sensitive Compartmented Information Facility—a place to work on and discuss sensitive and classified information.

It’s not news that pacemakers, insulin pumps, hearing implants, and other IMDs have vulnerabilities which can be exploited. Back in 2011, Jerome Radcliffe discussed in a Black Hat presentation how he was able to intercept and modify the wireless control signals sent to his insulin pump (he was diabetic) to change his insulin dosage. Research in 2008 showed that wireless pacemakers and implantable cardiac defibrillators could also be manipulated. However, the research focused on the impact on the person with the IMD.

Most secure facilities would restrict devices that are GPS-based or collect location data, or ban devices that have microphones, for example. Devices can leak location data and GPS coordinates. If the device has a microphone, it can be used to listen to sensitive conversations. Some devices can be hijacked to use sensors and transducers to collect information about the facility’s environment.

Typically, devices that use GPS or passively collect data would be considered low-risk, but those that use open source code, connect to cloud services, have an artificial intelligence/machine learning component, or can be activated by voice would be considered medium- to high-risk. Many IMDs are fairly sophisticated computers with radio communications capabilities, which would put them in these medium- to high-risk categories.

The person with a fitness tracker can take it off and have it stored in a secure locker. A person with an asthma monitor that emits a predictive warning in the event of a major asthma attack can't just take off the tracker: what if the person suffers an attack while in the facility?

In some cases, there are policies explicitly making exceptions for IMDs, and in others, the devices are simply overlooked because no one stopped to consider the dangers. One-off waivers and exemptions can only go so far. This is going to become a bigger problem, as Michaels estimates that there could be 100,000 individuals with IMDs with security clearance to access a secure facility.

The simplest way to prevent IMDs from being a security threat is to physically shield them, such as by wearing a hazmat suit. That will be far safer than modifying the firmware to disable certain functions, as that could impact the IMD’s operations.

Many of these policies are set without thinking about cybersecurity. It’s a difficult balance to navigate, because the security of these facilities has to be protected, but the individual has a job to do. In certain cases, it may wind up that the individual has to be denied entry because of the IMDs. It’s a discussion that security teams have to be prepared to have because this kind of situation is going to start coming up more frequently.