Read The Times Australia

Daily Bulletin

Why health implants should have open source code

  • Written by: James H. Hamlyn-Harris, Senior Lecturer, Computer Science and Software Engineering, Swinburne University of Technology
image

As medical implants become more common, sophisticated and versatile, understanding the code that runs them is vital. A pacemaker or insulin-releasing implant can be lifesaving, but they are also vulnerable not just to malicious attacks, but also to faulty code.

For commercial reasons, companies have been reluctant to open up their code to researchers. But with lives at stake, we need to be allowed to take a peek under the hood.

Over the past few years several researchers have revealed lethal vulnerabilities in the code that runs some medical implants. The late Barnaby Jack, for example, showed that pacemakers could be “hacked” to deliver lethal electric shocks. Jay Radcliffe demonstrated a way of wirelessly making an implanted insulin pump deliver a lethal dose of insulin.

But “bugs” in the code are also an issue. Researcher Marie Moe recently discovered this first-hand, when her Implantable Cardioverter Defibrillator (ICD) unexpectedly went into “safe mode”. This caused her heart rate to drop by half, with drastic consequences.

It took months for Moe to figure out what went wrong with her implant, and this was made harder because the code running in the ICD was proprietary, or closed-source. The reason? Reverse-engineering closed-source code is a crime under various laws, including the US Digital Millennium Copyright Act 1998. It is a violation of copyright, theft of intellectual property, and may be an infringement of patent law.

Why researchers can’t just look at the code

Beyond legal restrictions, there’s another reason why researchers can’t just look at the source code in the same way you might take apart your lawnmower. It takes a very talented programmer using expensive software to reverse-engineer code into something readable. Even then, it’s also not a very exact process.

To understand why, it helps to know a bit about how companies create and ship software.

Software starts as a set of requirements – software must do this; it must look like that; it must have these buttons. Next, the software is designed – this component is responsible for these operations, it passes data to that component, and so on. Finally, a coder writes the instructions to tell the computer how to create the components and in detail how they work. These instructions are all the source code – human-readable instructions using English-like verbs (read, write, exit) mixed with a variety of symbols which the programmer and the computer both understand.

Up to this point, the source code is easily understood by a human. But this isn’t the end of the process. Before software is shipped it goes through one final transformation – it is converted to machine code. It now looks like just a lot of numbers. The source code is gone, replaced by the machine code. It’s now a bit like the inside of your car stereo; it “contains no serviceable parts”. Users are not supposed to mess with the machine code.

The alternative

The alternative to closed-source software is open-source, which is freely available both as source code (published on websites) and as binaries or machine code. The philosophy of open-source software is that there are no secrets and no ownership. In the MIT licence, which is just one kind of open-source licence, anyone can download and use the software and anyone can contribute to it, provided they retain the messages embedded in the source code by its various authors.

The biggest difference between open-source and closed-source is money. Developers of closed-source software get paid because they have a monopoly on their software, and software sales generate income. Open-source software developers have to find another source of income.

You might think that no one can make any money from open-source software, but that’s not entirely true. A lot of businesses thrive on the distribution and support of open-source software. Because open-source software is written by programmers, generally for programmers, it’s not as polished and easy to use as proprietary software. This provides a role for businesses like RedHat, IBM, Oracle, Google and Mozilla, who make the open-source software experience nicer.

Closed-source or open-source?

The argument has raged for decades and centres on issues of code quality and security. Open-source supporters subscribe to a “the more eyes the better” argument. If any programmer can see your code, the reasoning goes, they will discover bugs and tell you about them. The same argument is used to support the proposition that open-source software is more secure.

Both assertions are difficult to prove. Security vulnerabilities in openSSH (an open-source tool for securing connections) are constantly being found, and the 2014 Heartbleed attack was based on bugs in the code that have been there for more than 12 years. On the other hand, a vulnerability was recently found in a Windows (closed-source) automatic printer driver installer that had been in the code for almost 20 years.

Closed-source advocates say that their code is better because professionals (not amateurs and volunteers) are paid to read the code and find the bugs. Open-source people point out that many closed-source products (such as Windows, Microsoft Office and Adobe Acrobat) are so big that no one, paid or otherwise, understands the entire code.

Another argument for closed-source software is that bugs and in particular, security flaws (which do not affect the user) can remain hidden indefinitely. This is referred to as “security by obscurity”. If you can’t see the errors, then they can’t be used in cyber-attacks. The opposing principle is that an effective security system does not rely on secrecy; only good design and a secret key.

How code gets fixed

When it comes to actually fixing code, the real difference between open and closed-source software is who can modify, fix or exploit the bugs when they are found. If it’s closed-source, the user has to report the bug to the author or software vendor. They then replicate the fault, open up their private code repository, find a way to fix the bug, and write a patch. Problems arise when products are no longer supported, or companies extend “security by obscurity” to the point where they will ignore, discredit or even prosecute those who point out flaws.

When dealing with open-source software, on the other hand, you can report the flaw to the team of volunteers who maintain the project through the public code repository (such as GitHub, SourceForge, or GoogleCode). Then if someone is working on the project (many projects are abandoned and are not supported at all), they may fix the bug and you can then download and install the updated version. Of course there is always the possibility of a malicious programmer adding “features” like malware and backdoors to the software, although if others are working on the project they should detect such tampering.

Implant manufacturers should open source software

Having a open-source software run closed-source hardware is nothing new. The Raspberry Pi, for example, uses a proprietary Broadcom graphics processing unit (GPU), the internals of which are kept secret. Broadcomm has published just enough information to allow any programmer to use the chip while maintaining its monopoly on the hardware design. In theory there is nothing stopping implant manufacturers doing the same.

The reason they should do it comes down to real-world experience. When someone’s pacemaker misbehaves, doctors, medical technicians and their programmers do not have the luxury of waiting for a manufacturer to release a patch or update. They need the fix immediately. That’s why manufacturers use only lightweight security on these products. When your doctor needs to access your device, they don’t have the time to mess around with cryptographic keys and authentication protocols. The most they have time for is to look up your device’s serial number and default password in your medical records.

While this is a security flaw, the same medical imperative argument applies to the source code. If your device goes crazy, your programmer needs to be able to find the code fast – that means open-source repository. When lives are at stake, there’s no time for secrecy. Just publish the code.

Authors: James H. Hamlyn-Harris, Senior Lecturer, Computer Science and Software Engineering, Swinburne University of Technology

Read more http://theconversation.com/why-health-implants-should-have-open-source-code-66383

Business News

Australian organisations are relying on business continuity plans built for a far more predictable world

Tariff escalations, supply chain fragility, geopolitical events, and the ongoing threat of cyber disruption have reshaped the risk environment facing Australian organisations. The problem is that ma...

Daily Bulletin - avatar Daily Bulletin

How to Rent a Car for Uber in Melbourne: What Every New Driver Needs to Know

Starting out as an Uber driver in Melbourne is not as complicated as it sounds but getting the vehicle right is where most new drivers get stuck. Uber has strict requirements around vehicle age, condi...

Daily Bulletin - avatar Daily Bulletin

When Should You Speak to a Lawyer About a Legal Issue?

Legal issues can begin with a simple question, then become harder to manage once formal steps are involved. Many people wait until a matter feels urgent before seeking guidance, even though earlier ...

Daily Bulletin - avatar Daily Bulletin

The strategic rise of Bali as Australia’s next essential healthcare support hub

As Australian healthcare providers grapple with unprecedented operational bottlenecks, a new nearshore model is quietly transforming patient care delivery. Forward-thinking organisations,  including...

Daily Bulletin - avatar Daily Bulletin

Cost Savings and Benefits of Using Used Pallets in Logistics

In today’s competitive logistics and supply chain industry, businesses are constantly looking for ways to reduce operational costs without compromising efficiency and reliability. One of the most prac...

Daily Bulletin - avatar Daily Bulletin

How Fulfilment Services in Australia Help Businesses Scale Efficiently

The growth of e-commerce and modern retail has transformed customer expectations. Consumers now expect fast shipping, accurate order processing, and seamless delivery experiences regardless of where...

Daily Bulletin - avatar Daily Bulletin

Practical Ways Australian Workplaces Can Reduce Operating Costs

Reducing business costs doesn’t always mean cutting staff, shrinking services or making the workplace feel bare-bones. In many cases, the smarter savings are hiding in everyday operations: the light...

Daily Bulletin - avatar Daily Bulletin

Executive Recruitment Solutions That Help Organisations Secure Exceptional Leaders

Leadership has a direct impact on organisational performance, employee engagement, strategic growth, and long-term success. Businesses operating in increasingly competitive environments require experi...

Daily Bulletin - avatar Daily Bulletin

Why A WooCommerce Website Designer Matters For Online Growth

Running an online store today requires more than simply listing products and waiting for customers to arrive. Businesses need a website that is fast, reliable, easy to navigate, and designed to suppor...

Daily Bulletin - avatar Daily Bulletin

The Daily Magazine

DIY Rodent Control Vs Professional Help: When Is It Time To Call The Experts?

Rodents are one of the most frustrating pest problems for Australian property owners. Rats and mic...

Lighting Shop in Perth: How The Right Lighting Can Transform Your Home And Business

The right lighting can completely change the look, feel, and functionality of any space. Whether it ...

Traffic Light System Solutions For Safer And More Efficient Traffic Management

Modern cities and growing communities rely heavily on effective traffic management to ensure safety...

Gold Migration Lawyers in Liquidation: How the Closure Affects Your ART Appeal

If your appeal was with Gold Migration Lawyers, a recent change to how the Tribunal decides cases ...

The pressure cooker: life in urban Australia in 2026

Australian cities have always been demanding. Long commutes, rising housing costs, busy schedules a...

What Actually Makes a Good Criminal Lawyer in Melbourne

Most people only think about this question once. That is usually too late. Most people charged wi...

Why Working With A Chatswood Tutor Can Improve Academic Performance

Academic expectations continue increasing for students across primary school, high school, and senio...

Is It Worth Getting Solar Panels in Melbourne?

The real question is not whether solar works in Melbourne. It works. The question is what it is co...

How A Diploma Of Project Management Builds Practical Skills For Modern Work Environments

Developing the ability to plan, execute, and deliver outcomes efficiently is a key requirement in to...