- February 10, 2017
- Posted by: Kerry Tomlinson, Archer News
- Category: Archer News, Cyber Crime, Cyberattack, Data Breach, Hacking, Health Care Security, Mobile Devices, Posts with image, Privacy, Ransomware, Smart Devices
Police are now using pacemaker data to verify your alibi. But what if someone hacked your data to frame you?
Your pacemaker can keep you alive. And now it may also keep you in jail, if the data from the electronic medical device shows your story isn’t true.
A man in Middletown, Ohio claimed he saw a fire at his house, rushed around to pack some things in a bag, broke out a window and hurried to his car, police said.
But his pacemaker data did not match his story, according to investigators.
In addition, investigators found gasoline on Compton’s clothing and said Compton gave inconsistent information, reported WLWT News.
Now 59-year-old Ross Compton has been indicted—and pleaded not guilty—to charges of aggravated arson and insurance fraud.
This case is still going through the courts. But as more cases rely on digital evidence from smart devices, a cybersecurity question remains—could malicious hackers worm their way into your medical device and change the data that’s crucial to your health and now possibly to your guilt or innocence?
“I think the possibility exists today for that type of scenario,” said Adam Brand, director of security and privacy at Protiviti. “Remember, we’re talking about computers here. Where there’s computers, there’s manipulation that can occur.”
It was the pounding heart that gave it all away in Edgar Allen Poe’s 1843 story called “The Tell-Tale Heart.”
A murderer hid his victim’s body under the floorboards, but when police arrived, the murderer heard the dismembered corpse’s heart beating so loudly that he confessed to the crime.
In the case of Ohio man, his heart apparently “confessed” that he had not rushed around his house in a panic, according to The Washington Post.
“We’d be able to see did he exceed his threshold limit,” Middletown’s Deputy Fire Chief Jeff Spaulding said in The Post. “Or did his pulse drop below a certain rate. It won’t say what you’re doing, obviously, but it would help corroborate his story. It was much more informative than we thought.”
The September case was a first for Middletown, but not the last.
“They’ve used it twice since for two homicides and were able to get arrests,” Spaulding said.
Police in Middletown, Ohio are checking pacemaker data for evidence in crimes. Photo credit: Nyttend
A way in
The pacemaker is just one of many connected medical devices that record data about your body.
And attackers know that these implants are a way in.
“Medical devices now are more connected and have more context data than ever, and clearly starting to attract more hackers,” said Sam Rehman, CTO of cybersecurity company Arxan.
Researchers have already hacked their way into medical devices, showing that bad guys can do the same.
“Drug dosage can be changed,” said Richard Conklin, vice president of engineering at Dispersive Technologies. “Data being sent from the device to the healthcare provider can be intercepted and manipulated.”
“Hackers are already targeting connected MRI machines, CT scanners and dialysis pumps to steal patient medical data, which is worth more than twice as much as financial information on the black market,” he added.
Malicious hackers may be trying to identify you through your medical device, track you or steal your health information to use against you, Rehman said to Archer News.
But now a new path may be opening up for attackers or spies who want to do someone harm.
If police and prosecutors use device data in court, attackers could look for ways to alter the facts for their own agenda—fake guilt or false innocence.
“If there is not proper encryption and hardening on one of these devices, the privacy and safety of the user is threatened, and the integrity of the data can be called into question,” said Aaron Lint, vice president of research at Arxan.
More work to do
Experts say some manufacturers are making more secure medical devices now, but there are still security problems.
“More work really needs to be done in this area,” Brand told Archer News.
It may take years for some manufacturers to get the more secure devices onto the market, he added, leaving thousands of devices now in people’s bodies potentially at risk.
“I think people have the illusion that these are not really computers, they are just things. And the things somehow aren’t vulnerable,” Brand said.
The Middletown arson case is not a first for tattling technology.
Police in Pennsylvania charged a woman with filing a false police report in 2015 when her Fitbit health band information allegedly betrayed her story that she was sexually assaulted during the night, reported abc27 News.
Investigators said the fitness band showed she was up and walking around during the night, instead of being asleep and waking up to an attack as she claimed.
In December 2015, the on-board safety system on a drunk driver’s car automatically called police dispatch when the woman hit a truck, police in Florida said.
The driver told dispatchers over the phone that there was no crash—and that she hadn’t been drinking.
Police later found her car with front end damage and paint from the victim’s truck.
Echoes of a murder?
In another case, investigators in Arkansas asked Amazon to give them information from a voice-activated Echo smart speaker to help solve a 2015 death investigation.
They believed the always-listening Echo could provide clues about what happened when a house guest died after a night of drinking and possibly a violent fight.
A look into the future shows how smart device data could play into investigations.
Could a smart shower head show that you took a long, cleansing shower after disposing of a body?
Could smart recycling or trash reveal that you threw out a large amount of things right after someone died?
Could your smart washer tip off investigators to an extra load of bloody clothing or sheets?
And could someone falsify that data to put you in the investigator’s spot light—or even the electric chair?
“I think your average person in the course of their day probably wouldn’t a be a target for this level of data manipulation,” said Brand.
“But it’s good that people stay aware of this and we try to get ahead of situations in the future where it becomes easy to exploit and no one has built security around it,” he said.
More than a frame-up, you should be concerned about the privacy of your data on medical devices, and about ransomware attacks, said Conklin.
“Recall the hotel that paid a ransom because guests were locked in their rooms,” he said. “What price would you pay if a hacker demanded a ransom to keep your implanted medical device from killing you?”
One solution? Start asking questions about cybersecurity if your doctor recommends you get a smart medical device, according to Brand.
“I think having this conversation is probably the most important thing that can happen right now,” Brand said. “If you just assume that these devices are secure and infallible, we’re going to be in for some trouble down the road.”