HAMBURG, Germany—Security researcher Marie Moe has a much more personal and potentially more dangerous connection to the Internet than most people.
Following a medical emergency, Moe was outfitted with a pacemaker. That life-saving device can send data wirelessly to doctors in two ways, including over Wi-Fi, which helps them and the device’s manufacturer monitor her and the device itself.
“I started asking questions that [the doctors] didn’t know how to answer,” she told The Parallax on Monday before her presentation to the Chaos Communication Congress, Europe’s largest annual hacker and computer conference. “I realized I had to figure this out on my own.”
Those questions go to the heart of safety fears over the Internet of Things, the movement by product manufacturers to embed Internet connectivity in everything from toys to tea kettles to insulin pumps to cars. Moe’s concerns for medical devices like her pacemaker aren’t limited to the commonly expressed fear of malicious hacking. She’s also worried about how the device receives software updates, who can access the data it generates, who controls that data, and what informed consent means for a person whose life depends on Internet-enabled devices.
Fortunately, she’s also better equipped than most to figure out how to answer these questions. The 37-year-old Moe, from Trondheim, Norway, has a master’s degree in cryptography and a Ph.D. in network security from the Norwegian University of Science and Technology.
Moe and her research partner, Eireann Leverett, are part of the “I Am the Cavalry” initiative, which advocates for better government regulations and corporate policies on Internet-connected devices. They want to see clearer requirements for what doctors must disclose to patients, and how manufacturers are required to manage device updates and data security.
Despite some early advances in the field, medical device computer security research was a legal gray area until last October. That’s when the Library of Congress granted a Digital Millennium Copyright Act exemption that allows, for the first time ever, independent security researchers to investigate software for medical devices and cars. The exemption begins in 2016.
“We’re more concerned with how society handles its dependencies on [computer] code,” Leverett said. “Should a member of the infosec community be able to audit the code in her heart?”
Although some pacemakers are starting to come with Wi-Fi and other wireless transmission features, Dr. Andrew Rosenblatt, a San Francisco cardiologist who co-founded what became one of the city’s largest heart medicine practices (and who, full disclosure, is my father), says few of his practice’s patients have Internet-enabled pacemakers. Today’s pacemakers, he says, only rarely receive software updates.
“The pacemakers we have generally are not updated,” he said. “However, it’s very device-specific. There may be ways to access them that I’m not aware of, such as in Homeland,” he said, referencing the TV show in which the U.S. vice president was killed when a hacker gained control of his pacemaker.
Moe wouldn’t reveal the manufacturer of her pacemaker out of concern for her personal safety. She and Leverett also declined to describe in detail their communication with pacemaker manufacturers, saying only that the contact they’ve had so far with them has been “positive.”
“In six years’ time, I’m going to have to have [pacemaker] replacement surgery, and I’m going to be a really difficult patient,” she said. “I want to be informed.”
Corrected on December 31, 2015: This story originally misspelled the first name of Marie Moe’s research partner. It is Eireann.