Link (http://www.msnbc.msn.com/id/37360942)


University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus.

The virus, infecting a chip implanted in Gasson's hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards.

All this was intentional, in an experiment to see how simple radio-frequency identification(RFID) chips like those used for tracking animals can host and spread technological diseases.


The research from the British university shows that as implantable bionic devices such as pacemakers get more sophisticated in the years ahead, their security and the safety of the patients whose lives depend on them will become increasingly important, said Gasson.

"We should start to think of these devices as miniature computers," Gasson said. And just like everyday computers, they can get sick.

Down with disease
Gasson had a relatively simple chip implanted in the top of his left hand near his thumb last year. It emits a signal that is read by external sensors, allowing him access to the Reading laboratory and for his cell phone to operate.

He and his colleagues created a malicious code for the chip. When the lab's sensors read the code, the code inserted itself into the building computer database that governs who has access to the premises.

"The virus replicates itself through the database and potentially could copy itself onto the access cards that people use," Gasson said.

The experiment showed that implants which wirelessly communicate with other computers can infect them and vice versa.

Gasson said he knows of no instances to date of bionic devices having been contaminated by computer viruses. But the threat will grow with the number and complexity of these devices.

Besides pacemakers for people with heart trouble, other modern bionic devices include cochlear implants for the hearing impaired and deep brain stimulators — a "brain pacemaker" — for neurological conditions such as Parkinson's disease.

Years ahead, this surgically implanted hardware may not only be for people with medical conditions. Bionic enhancements, much like today's cosmetic surgery, could boost memories and IQs. A side effect mentioned in cases of deep brain simulation is patients who have experienced greater creativity, Gasson said.

Wash your digital hands
To fight communicable diseases caused by bacteria, viruses and fungi, we take precautions such as washing our hands.

"I don’t think for us that (infectious technological agents) would be a particularly new concept, but implants in our bodies will make it a lot more real," Gasson told TechNewsDaily. "A denial-of-service attack on a pacemaker, if such a thing were possible, would of course be very detrimental."

Weird, I didn't know that RFIDs had enough memory on them for this sort of thing, but I guess it doesn't take much.

This sounds extremely gimmicky. The CompSci department Reading is also the home of "Captain Cyborg" who made all sorts of grand claims about built in computing, when really they amounted to little more than grafted hardware.

Now this guy is trying to do much the same thing, with some added shock value. It all stinks of a fairly feeble series of publicity stunts, possibly in an attempt to pull in grant money.

The Register describes the rebuttal far better than I could anyway:
http://www.theregister.co.uk/2010/05/26/captain_cyborg_cyberfud/

I'm struggling to come up with a non-technical analogy. The best I could think of would be if someone grafted a tail onto themselves and claimed that they now had the ability to balance like a monkey. crude and slightly gruesome analogy I know!

That's pretty fascinating, though I suppose we knew it was coming eventually.

Though with pacemakers and medical equipment, you shouldn't be connecting to external things, so you shouldn't need software protection. It's like the XKCD about virus protection and voting booths. If a teacher told you he always wore a condom while teaching, it's technically better than the alternative, but someone is still obviously doing their job horribly, horribly wrong.

I expect a million "The world is now turning into a sci-fi setting" responses.

You know, I do gotta say, there is such a thing as technology that is TOO advances. We're not capable of handling this!

while i found the original article gimmicky, i felt the rebuttal was far from convincing.
the technical problems listed aren't that hard to overcome, basically "create virus that can effect chip and reader" is not that hard as the chips get more advanced (which they are already doing).

even at this basic level, if those chips became commonplace, and someone made a virus that locked users out, you could have some pretty widespread problems.

Though with pacemakers and medical equipment, you shouldn't be connecting to external things, so you shouldn't need software protection.Wha...? They already are, and all the time. Mostly it's just uploading biometric data. But if implantable devices aren't equipped to download firmware (or other) updates yet, it's probably only a matter of time, and that could become a potentially fatal security hole.

EDIT: The rebuttal amused me. "The RFID reader would have to have a security flaw!" ...Yeah, because buffer-overflow and command-parsing vulnerabilities haven't popped up in systems that weren't designed with the idea that they might be attacked - and even in some that were.

It's true that the original article is a gimmick. Implanting a device that doesn't interact with your body is not really cyberware at all, IMO. (Now, a pacemaker arguably is.) And he isn't demonstrating anything novel, otherwise. BUT... The notion that security should be addressed BEFORE these technologies get too far off the ground is IMO totally correct and we have only to look at the internet to see why.

Wait a second, why would someone intentionally infect a pacemaker?

Besides hitman work and the like?

Wha...? They already are, and all the time. Mostly it's just uploading biometric data. But if implantable devices aren't equipped to download firmware (or other) updates yet, it's probably only a matter of time, and that could become a potentially fatal security hole.

EDIT: The rebuttal amused me. "The RFID reader would have to have a security flaw!" ...Yeah, because buffer-overflow and command-parsing vulnerabilities haven't popped up in systems that weren't designed with the idea that they might be attacked - and even in some that were.

It's true that the original article is a gimmick. Implanting a device that doesn't interact with your body is not really cyberware at all, IMO. (Now, a pacemaker arguably is.) And he isn't demonstrating anything novel, otherwise. BUT... The notion that security should be addressed BEFORE these technologies get too far off the ground is IMO totally correct and we have only to look at the internet to see why.

Bah. Anything on which someone's life depends should be rugged enough to go the distance without needing updates. And there's a difference between upload and download and you know it.

Far as I'm concerned, pacemakers should be little self contained atomic clocks with a battery life of decades. Keeping perfect time as long as you do.

@^: Also, the implantation should be painless and performed by unicorns, because having a cybernetic device that zaps your heart to keep you from dying isn't wondrous enough.


Wait a second, why would someone intentionally infect a pacemaker?

Besides hitman work and the like?

There are pacemakers that are connected to the Internet so that doctors can constantly check on their status. If you could get access to the pacemaker of an important public figure, you could sell information on their health status. More mundanely, you could hack into some random guy's pacemaker and sell the data to his insurance company so they can jack up his rates if he's doing poorly.

Hey, guess what. Turns out there ARE wirelessly programmable pacemakers and they HAVE BEEN shown to be compromisable in lab tests. Reference (http://www.secure-medicine.org/icd-study/icd-study.pdf).


Bah.And humbug. :smallamused:


Anything on which someone's life depends should be rugged enough to go the distance without needing updates. ... Far as I'm concerned, pacemakers should be little self contained atomic clocks with a battery life of decades.These devices are not that simple. On-going expert diagnosis and tuning benefits the patient (and unnecessary excess surgery, of course, does not). http://en.wikipedia.org/wiki/Pacemaker


And there's a difference between upload and download and you know it.:smallannoyed: That was your error, not mine. I specified.

Bah. Anything on which someone's life depends should be rugged enough to go the distance without needing updates.
And the engine in my car should be 100% efficient. :smalltongue:

C’mon, now. No matter the technology, there’s always room for improvement. And if you have the capability to directly add certain of those improvements to an older model, you should take advantage of it.

Hmm... Well, it is technically possible to take control over a system if you're cunning enough and can manipulate some of the data being passed to it.

However, an RFID chip that holds code that is executed by the reader?

Shouldn't be especially easy. All an RFID chip really needs to store is a unique user ID and a little bit of security information, and I doubt Reading has more than 3.0 e+38 personnel who are all authorised to use the facility.

Looking at the article, I can just about see why someone might want to program a pacemaker wirelessly, although I'm not convinced it should be that easy to install malicious software on one.

(although I guess most engineers wouldn't bother too much with securing the device).

Gimmick. He implanted into his arm an RFID chip that was infected to begin with - then used it to transmit the virus into the system. For the same effect, he could have just been holding the chip in his hand. Had he implanted a normal chip, then managed to infect it remotely, we would have something to talk about.

Gimmick. He implanted into his arm an RFID chip that was infected to begin with - then used it to transmit the virus into the system. For the same effect, he could have just been holding the chip in his hand. Had he implanted a normal chip, then managed to infect it remotely, we would have something to talk about.

Way I'm reading it, that's what he did. Could use some clarification on that aspect, actually.

All an RFID chip really needs to store is a unique user ID and a little bit of security information...There's a lot of work being done right now on RFID technology, both to add dynamic data (for tracking) and to reduce costs (and thereby increase ubiquity). As we've already seen with the pacemaker, if the technology isn't built with security in mind, flaws are almost guaranteed.

At the end of the day, they want to put the internet in everybody and every product, tracking everything everywhere. That wave is coming and I think security and privacy activists are right to be trying to get in front of it rather than merely dealing with the fallout after the fact (which is basically what happened with the early web).

I agree with Pyrian. This is a very real concern, but this 'experiment' was meaningless since it wasn't actually done with technology that is intended or may be used later for this purpose.

There's a lot of work being done right now on RFID technology, both to add dynamic data (for tracking) and to reduce costs (and thereby increase ubiquity). As we've already seen with the pacemaker, if the technology isn't built with security in mind, flaws are almost guaranteed.

It's certainly something to bear in mind, and it could become an issue one day - I'm just querying exactly what information Reading stores on its RFID chips. All it needs is an encrypted user ID. You then walk up to the keypad and it's ready to accept your pin and match it to your ID, providing quick, easy two-factor authentication*.

I'm not really convinced that the RFID chips being used here need to store enough information to not only cause a buffer overflow but also go from there to code execution.

* I'd link the wikipedia article, but... well, see for yourself (http://en.wikipedia.org/wiki/two-factor_authentication).

Certainly the standard non-dynamic (or barely dynamic) single-fixed-value RFID chips in wide commercial use today can't do that sort of thing at all.

Going to the source (http://www.reading.ac.uk/sse/about/news/sse-newsarticle-2010-05-26.aspx), the only information given about the specific RFID chip involved is that it is "high end", probably unnecessarily capable for mere identification, presumably deliberately chosen for the capability to process and transmit the desired payload. There's no indication that it's even a standard technology for the school.

As a proof of concept, the physical implantation strikes me as unnecessary and probably just for hype. Seriously, our schnauzer is chipped, does that make it a "cyberdog"?

Wait a second, why would someone intentionally infect a pacemaker?

Besides hitman work and the like?
Intentionally killing someone is not the main concern.

Viruses, and many other softwares, have a long history of causing unpredictable effects. Usually, unpredictable effects manifest when a virus or software hack interacts with a similar, but slightly different version of the targeted software or operating system. Even programs designed with benign intentions have caused many an admin untold frustration and resulted in both great monetary and data loss. The chief concern is that a virus may accidentally cause a malfunction in a critical piece of biotech.

Targeting of specific individuals is mostly a non-issue right now due to the low number of high profile targets that have integrated system critical biotech. Is it possible to kill someone that way? Yes, even today. Is it far more likely that they would be killed purely on accident by a virus that was not built to kill? Also, yes.

Why would someone hack biotech? I’m sure there are a number of jerks out there who’d do it just because they can. Isn’t that largely the source of most computer viruses?

And I don’t see why it’s worthless just because the chip wasn’t some major piece of actual bio-tech. It’s a proof of concept. It’s not like a major piece of actual bio-tech will be more protected just because it is what it is. It’s only going to be more protected if it’s actually got more security.

Personally, I don’t see why such a concept needed a proof to begin with. Any system of sufficient complexity that communicates with another system will have vulnerabilities. Period. The system’s physical location can possibly minimize, but will never eliminate them.

To be honest I'm really sad that my first impressions were not accurate.



http://img109.imageshack.us/img109/6032/ohgodk.png (http://img109.imageshack.us/i/ohgodk.png/)

Uploaded with ImageShack.us (http://imageshack.us)