>I do think that medical devices are a special case. If you have a heart
>implant, that thing needs to be "unhackable", but also totally
>verifiably safe. So there should be firmware signing, no mutable state,
>verifiable memory safety...but the code should be open source, and if
>need be the firmware signing key for each device (needs to be different
>for each device!) should be accessible by a legitimate owner.
>So, no more remote-hackable heart implants, but doctors and cardiac
>technicians can still apply critical patches and inspect the source for
>sanity.
It should be fairly simple to protect against heart-implant hacks. First, communication with them is probably limited to inductively-coupled signalling, at a fairly high level. Secondly, it should be based on a two-way challenge/response system: The external device signals a code, call it a password, to which the implant would respond with a reply, which itself includes a randomized code. The external device reads that randomized code, processes it in some way (presumably a hash), and retransmits it to the implant. Only if the implanted device receives what it considers the correct code, would it allow further manipulation. Presumably, any attempt to illegitimately access such a device wouldn't be close enough to read the implant's reply signals, and thus couldn't proceed further.
"Do you have have a match?". "No, but I have a lighter". "Even better". "Until they go wrong".
Jim Bell