Dr Mark Gasson, from the University of Reading has had a virus infected computer chip implanted in his arm. Tests proved this virus could spread to external control systems wirelessly.
The BBC who initially reported this proof-of-concept ‘infection’ stated that Dr Gasson admitted that the test is only proof of concept but believe that there are significantly implications for advanced medical devices. In my opinion, such systems should be incapable of malware infection as a heavily important part of their design. Such real-time systems should not have the necessary capacity to carry and distribute, both in terms of storage space and system capability.
If you are running an (operating) system capable of malware reception* on mission critical systems (and thus required anti-malware measures), such as those used in nuclear power plants or reservoirs to regulate containment, there there is a fundamental problem with this design. This is akin to a school teacher wearing a condom during classes – while this technically provides additional safety, there is obviously something fundamentally wrong with this principle at a more basic level.
* I’m aware there is no system that is 100% secure from malware, but levels of security exist. For example, the mission critical systems discussed here do not require a full Microsoft Windows operating system, nor a full consumer operating system of any kind in fact. Such devices should be self-contained in most cases, with entirely custom code. Lesser mission critical systems may rely on a Linux kernel as the base operating system with the business/operational logic running on bespoke programs running ontop of this base system.
The BBC article and Mark Gasson goes into further details on the security risks of advanced medical devices which may be subject to malware.
“With the benefits of this type of technology come risks. We may improve ourselves in some way but much like the improvements with other technologies, mobile phones for example, they become vulnerable to risks, such as security problems and computer viruses.”
He also added: “Many people with medical implants also consider them to be integrated into their concept of their body, and so in this context it is appropriate to talk in terms of people themselves being infected by computer viruses.”
However, Dr Gasson predicts that wider use will be made of implanted technology.
“This type of technology has been commercialised in the United States as a type of medical alert bracelet, so that if you’re found unconscious you can be scanned and your medical history brought up.”
We can all hope that security in these heavily critical devices is never designed alongside the principles of many general purpose computers.
Imagine an equivalent of the Storm botnet that, rather than infecting and making zombies of its host computers, infects human medical devices. In fact, that is not even a future I want to consider.
If you liked this post, you may be interested in these: