In 2006, Melanie Rieback, a researcher at Vrije Universiteit Amsterdam in the Netherlands wrote an article entitled “Is Your Cat Infected with a Computer Virus?” The article noted the increasing adoption of implanted RFID tags for tracking pets and questioned whether those tags were susceptible to computer viruses.
The larger implication of the article was that if implantable devices could be contaminated, a risk was created for humans as well as animals.
RFID Tags Explained
RFID tags are tiny microchips combined in a package with an antenna. The tags have the ability to send out signals to a wireless network, which can be used to determine the tag’s location or perform more sophisticated applications such as transferring records.
Major Security Concerns
Dr. Rieback posited the question of whether, during a transfer of information, a virus could be introduced on the tag; and, if such a virus was introduced, could it then be transferred to other parts of a network?
At the time the article was published, the IT security community dismissed the possibility. The consensus was that because of the read-only capability of most RFID devices, viruses would have no way to replicate.
However, RFID technology capabilities have grown dramatically in the last four years. Read/write devices are now common. Unlike read-only tags — which only contain the information put on them when they were manufactured — read/write tags can be overwritten. This means that information can be sent to, and recovered from, these tags. In short, the early argument against Dr. Reiback’s theory is now defunct.
The First Computer Virus to Infect a Human
To demonstrate the dangers this advanced technology can pose, Dr. Mark Gasson of the University of Reading, England recently performed an experiment that caused him to make newspaper headlines as the “the first man in the world to be infected with a computer virus.”
RFID chip — small enough to be implanted in a hand.
Dr. Gasson programmed an RFID chip to open doors and to activate his cell phone. He then implanted this chip into his arm. The result: using the chip, he could activate door-entry systems and wake his cell phone just by walking within range.
For the next part of his experiment, Dr. Gasson sent a virus to the tag. When the tag was used to enter his lab, its virus was passed on to the network that controlled the door-entry system. From there, it was passed to the tags of Dr. Gasson’s colleagues who used the entry network. This proved, according to Gasson, that the human body could be the carrier of contamination that could infect a computer network.
IT Security Community Reaction
The IT security community largely condemned Dr. Gasson’s methodology and his conclusions. The human-computer virus connection, they said, was an alarmist grab for personal publicity.
In his defense, Gasson told the Sydney Morning Herald he was “exploring from a multi-disciplinary perspective the potential and risks of implanted devices,” and that the research “used vulnerability in the technology to allow an engineered computer virus to propagate via an implant."
This intentional attempt to spread a virus to a device inside the human body invites the question of whether a virus could maliciously be spread to implanted medical devices.
Many pacemakers, for example, wirelessly communicate with computers in a doctor’s office. This allows the doctor to easily collect information and keep track of what’s going on with his or her patients. Could a life-threatening virus use this connection to spread to these devices?
Medical Device Viruses at the VA
A recent article in InformationWeek reported that the Department of Veterans Affairs has taken 122 medical devices offline in the last fourteen months because of malware contamination. Diverse equipment — including MRIs, CT scanners, EKG machines and audiology diagnostic machines — were included. The total represents a small percentage of the VA’s 50,000 medical devices, but the threat is seen as significant.
"The major challenge with securing medical devices is that, because their operation must be certified, the application of operating system patches and malware protection updates is tightly restricted," said Roger Baker, assistant secretary for information and technology at the Department of Veterans Affairs. "This inherent vulnerability can increase the potential for cyber attacks on the VA trusted network by creating risk to patient safety.”
Viruses Spread Between Devices
As Danny Lieberman showed last month in an article published in Infosec Island, viruses can be transferred through medical devices into a hospital’s network.
In the InformationWeek article, Baker expressed his concern: "These infections have the potential to greatly affect the world-class patient care that is expected by our customers. In addition to compromising data and the system, these incidents are also extremely costly to the VA in terms of time and money spent cleansing infected medical devices.”
The VA, like many healthcare organizations, has a strict policy on the application of operating system patches, malware protection updates and the re-certification of compromised equipment. Therefore, it typically takes several months before a medical device infected with a virus can be cleared for reuse.
Implications to IT Professionals
So, could your cat get a computer virus? Probably not.
Dr. Gasson did not, in the end, have a computer virus. He was merely carrying a device that had a virus. The fact that the device was embedded under his skin is actually immaterial, as he could have achieved the same effect by carrying an infected smartphone.
It’s more important to focus on the device: there was nothing in the tag to keep it from acquiring and spreading malware. Though in most cases, viruses can’t get past an individual device due to firewall protection, a device itself that isn’t secured poses a potential risk.
For example, the inability of a pacemaker to associate with a hospital network would be of small consolation if that pacemaker resided in your chest and was being controlled by someone with malicious intent. It is important that those responsible for security in healthcare organizations be aware of these potential access points for attacks from unexpected sources, and provide security for every intelligent device.
Bill Cannon is Vice President of Business Development at MCPc, and an IT industry veteran with expertise in networking and telecommunications technology. Connect with Bill on LinkedIn.