
Can I drop a pacemaker 0day? - jessaustin
http://blog.erratasec.com/2014/05/can-i-drop-pacemaker-0day.html
======
redthrowaway
Call up CNN and offer to demonstrate how BIOTRONIC is so evil that they refuse
to fix their pacemakers. Hook it up to an ECG and use your phone to make it
flatline. Then turn to the camera and tell the audience, "because BIOTRONIC
doesn't want to pay to fix their product, I can now _kill your grandmother_
just by walking past her on the street."

Watch how long it takes them to fix it then, and watch how reactive they
become to responsible disclosure next time.

Also, short their stock before you go on TV. A little something for your
troubles.

~~~
jph
Terrible advice to pull a media stunt.

First, you have no idea what the manufacturer needs to do to fix the problem,
alert customers, do recalls and recertifications, and the like.

Second, you put yourself directly in the line of fire unnecessarily and for
all the wrong reasons. You could find yourself on the end of all kinds of
legal trouble, and on top of that you would be morally culpable for any harm.

Do it the right way: get a lawyer. The lawyer will know how to contact the
vendors, the regulatory agencies, media if necessary, and customers if
necessary.

~~~
mindslight
> _get a lawyer_

Because this is the world we should want to live in? Where you must pay a
member of the protection racket to mediate publishing knowledge of someone
else's extreme wrongdoing?

 _That_ is terrible advice. Its road ends with TORified disclosures of
weaponized automated exploits, because as pure info sec has shown, that's the
only way the message ever gets across when you give people the insulation to
not listen.

Publicly demonstrating these exploits to an amicable media is the best idea
I've heard yet, as they have straightforward real-world effects that can be
easily illustrated. If certain manufacturers choose to send goons after you
rather than fix their buggy products, then the community-accepted custom for
them can change to pseudonymous press releases accompanied by a video with a
(mock) live human subject.

~~~
thenmar
Can you elaborate on how lawyers are "member[s] of the protection racket"?

~~~
mindslight
The oft-recommended prudence of having a lawyer's advice for most any action
in the public realm indicates a de facto protection racket.

Specifically, the above comment references having a lawyer handle (and
moderate) what should be open technical communication with the manufacturer
and regulatory agencies, the implication being that simply disclosing facts
put you at grave risk from an endlessly complex legal system.

~~~
thomasz
1) You really shouldn't have an _open_ conversation about knowledge that can
easily kill people.

2) I'm pretty sure that communication isn't the problem, the problem is that
he wants to _pressure_ them into fixing their mess, and that is exactly the
point where things get messy from a legal perspective. I can hardly imagine a
legal system in which a situation like this would be unproblematic.

~~~
baddox
> 1) You really shouldn't have an open conversation about knowledge that can
> easily kill people.

You mean like guns, toxins, and martial arts?

~~~
thomasz
_sigh_. This will get boring quite fast because a sizable portion of people
participating in threads like that find the idea revolting that actions can
have, you know, _consequences_, but what the heck...

If you would find a recipe for a toxin that is deadly, untraceable and can be
mixed together from common household items by a talented 14 year old, it's
probably a bad fucking idea to post that to 4chan. The same goes for
hypothetical weapon blueprints or martial arts techniques that would allow one
to kill with a microscopic risk.

~~~
zheshishei
>If you would find a recipe for a toxin that is deadly, untraceable and can be
mixed together from common household items by a talented 14 year old, it's
probably a bad fucking idea to post that to 4chan.

Does this count as a straw man argument? Wouldn't the actual scenario be
more like disseminating the information that a toxin that is deadly,
untraceable, and can be mixed together from common ingredients exists, not the
recipe itself?

~~~
Anderkent
Well, that depends on whether he dropped the actual exploit, or just talked
about it. Which was the original question.

------
firloop
This is _the_ most important problem that the internet of things faces. How
can we network everything while maintaining at least some scrap of security,
especially in the long term? How can we convince people that their toaster is
worth patching, and, more importantly, how do we convince vendors that
toasters are worth releasing patches for? What if appliance makers go bankrupt
and your dishwasher no longer receives patches? How will devices be updated if
another Heartbleed-esque situation occurs? It's easier for a user to protect
themselves from a 0-day in an app they use, for example, compared to vital
home appliances such as dishwashers, refrigerators or washing machines, which
cannot merely be uninstalled.

This is a very real threat, most notably Belkin [0] has suffered critical
security breaches, and this issue won't be going away any time soon. How can
security researchers get CVEs patched, and how can we prevent them from
occurring in the first place? This should be priority #1 for any company trying
to bring internet-connected appliances to the mainstream.

[0]: http://arstechnica.com/security/2014/02/password-leak-in-wemo-devices-makes-home-appliances-susceptible-to-hijacks/

~~~
userbinator
> How can we network everything while maintaining at least some scrap of
> security, especially in the long term?

Another question that we should be asking more is _should_ we network
everything that could be?

As for a pacemaker, personally I think the answer is a definite NO. It has
only one function, to keep someone alive, and any extra functionality only
represents an increased risk of malfunction. If there is any firmware in it
then that firmware should be as simple as it can be. Preferably open-source
and subject to being reviewed/corrected by many, _before_ it gets permanently
embedded in a device.

> how can we prevent them from occurring in the first place?

The obvious way is by doing it right the first time. Sadly, this is something
that seems to have fallen out of fashion, as the prevalent mentality is more
like "we can always issue an update, so it doesn't matter that much". A
dangerous mentality indeed, when it's in truly safety-critical applications.
Companies are increasingly pushing for "smartness" in their products,
espousing all the ostensible advantages, while not giving much exposure to the
possible downsides too.

~~~
aianus
I imagine there's some value in being able to update the firmware on a
pacemaker. Maybe a new pacemaking algorithm can save 1% more lives or
something. Or it could automatically call an ambulance when you have a heart
attack, etc.

~~~
ijk
Implanted medical devices do seem like the ideal situation for wireless
access, albeit you probably don't want to overburden the thing with features
either.

------
jph
Absolutely _NOT_ because this could kill people.

If you truly have a pacemaker 0day, contact me (joelparkerhenderson) on most
major services and I will connect you with my healthcare policy lawyer. She can
rapidly open the doors to the vendors who have the risk.

~~~
iandanforth
Do most medical device manufacturers carry insurance against lawsuits? If so,
historically, how high has the bar been before the insurers pay out? If there
is a strong relationship between a device manufacturer getting sued and an
insurer losing money then this could be a great contact to try.

~~~
seehafer
Yes, but more importantly, medical device makers have broad immunity when
their devices go through the PMA process (the most stringent type of FDA
approval). Basically, the argument is "hey, the FDA said it was safe".

~~~
dsuth
Then this is where the pressure needs to be applied - at the certification
process. It needs to be made a legal requirement to attain certification (if
not already), and the certifiers need to follow best practices for
vulnerability detection. And it needs to be an ongoing, open process.

~~~
niels_olson
Yes, the FDA certification should include something along the lines of
"Manufacturer has an ongoing process to evaluate new vulnerabilities and push
updates to affected individuals."

~~~
seehafer
It does, at least for new approvals post ~2012. Doesn't help existing devices
in the field though.

------
david_shaw
Here's an idea:

1.) Responsible disclosure to vendor. Allow reasonable amount of time for a
fix to be created and deployed.

2.) (If fix is deployed, release details)

3.) If no fix is deployed in a reasonable amount of time _and_ the vendor is
unresponsive, release a PoC that demonstrates exploitability without giving
away details. eg: "Here is a pacemaker. Look, I did magic and it stopped!"
This is the same idea as releasing the actual vulnerability/exploit, but
doesn't put lives at risk. People that could fuzz for any type of a
vulnerability would be able to find it on their own anyway.

I agree that ICS and health-sensitive vulnerability disclosure is a trickier
field than most. Medical devices, cars, and power plants are _much_ more
sensitive than a random kid's iPhone; that's why groups like _I Am The
Cavalry_ are trying to address the issue industry-wide.

However, to answer the original question: don't drop a pacemaker 0day at DEF
CON. Find a way to fix the problem with the vendor instead. At the very
"worst," demo without vulnerability or exploit details.

~~~
croggle
What does 'fix deployed' mean? How do you actually update pacemaker software?
Are you going to wait until 100% of the deployed pacemakers are fixed? What is
an acceptable fix rate before you release the exploit?

~~~
rmcpherson
Pacemaker firmware can almost always be updated using inductive or rf
telemetry. In most cases it still requires an appointment with a cardiologist
or similar physician though.

~~~
kijin
Anyone who uses a pacemaker will need to have it checked at least a couple of
times a year anyway.

------
fiatmoney
- Contact the FDA, or other regulatory bodies.

- Contact the customers. They'll likely have standing to sue (they were sold
a defective product).

- Class-action attorneys may be interested for this reason.

- Did you know you can pay a very, very modest amount of money to file a
press release saying anything you want?

- Contact some investors. Short sellers will have a vested interest in making
sure the information gets widely publicised.

~~~
duaneb
What is legality regarding the investors shorting?

~~~
jacquesm
Since it's on HN you could technically argue that it is now publicly known. If
you short the stock past this point you may well be in the clear.

~~~
fiatmoney
There's no requirement for information to be "publicly known" to trade on it.
You have to be an "insider" for it to be insider trading - ie, there has to be
some relationship of trust (eg an employee or officer, or in some
circumstances people they "tip off").

------
kmowery
This sort of 0-day has been known in the academic literature for some time[1].

Disclosure of critical vulnerabilities in implantable devices is far more
fraught than your normal critical software 0-day. These devices require
surgery for replacement, and a small number of those surgeries will have
possibly fatal complications. The cost of immediately replacing all existing
vulnerable devices could literally be measured in lives. (And that's even
assuming that the device manufacturer fixed the problem!)

Implantable software is already a very tricky area, and there's no signs that
it'll get any easier.

[1] Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks
and Zero-Power Defenses, http://www.secure-medicine.org/public/publications/icd-study.pdf

------
zaroth
It's not quite "this could kill people" but rather "this could be used to kill
someone." But there are a lot of things that one person could use against
another person to kill them, ethically, what does adding this thing to the
list change?

If you discovered / disclosed a particular way the unit could malfunction and
kill someone it seems like that's put in a different class; in that case
you're a hero saving lives. But if you report on a technique someone could use
to _cause_ the device to malfunction, it's treated completely differently.

I think a related and important message is that pacemaker "malfunctions"
should be treated as possibly suspicious.

~~~
Kliment
This is a way to kill someone at a distance, with no obvious trace leading to
you, and using nothing but an off the shelf laptop or phone. It's
significantly more dangerous than any of the other known methods of murder
because of the reduced risk to the murderer.

~~~
zaroth
My understanding is that pacemakers, insulin pumps, and such have only limited
short-range wireless capability. It's not exactly a 3G connection with a
public facing IP address.

As long as you still need proximity and individual targeting, I think it's not
a paradigm shift in murder.

~~~
noir_lord
The short range is to do with the antenna in the device which is (obviously)
limited to a certain size.

A larger aerial on the attacking device will allow for communication over a
greater range.

The paradigm shift is when you can sit 6 rows back at a baseball stadium and
take out someone or walk through their subway car and kill them.

There is no trace evidence and, done in a crowd at rush hour, essentially no
chance of getting caught; heart attacks happen all the damn time.

------
jfoster
How about releasing the vulnerability in stages? The author jumps from
unresponsive vendor to releasing exploit code. What if you add steps between
the two?

For example:

- Announcing a vulnerability has been found and identifying the unresponsive
vendor.

- Announcing what the disclosure timeline will be.

- Detailing the product lines known to be affected by the vulnerability.

- Publishing communication with the vendor so far with any details about the
vulnerability redacted.

- Private disclosure to professionals (doctors & journalists) to have them
independently verify that the vulnerability exists and help with raising
awareness.

- Full details about the vulnerability, but no exploit code.

~~~
techdragon
This just sounds like responsible disclosure to me. With added steps because
the "responsible" part requires you act differently due to the possible risk
involved. This is likely the best way to go, and I'd expect to see some legal
advice back it up were such an exploit to actually exist.

------
ntrepid8
What pacemaker communicates via Bluetooth? Last I checked they all used
induction telemetry (which requires the telemetry wand to be within several
inches of the device) or MICS band radio for distance telemetry. I think some
Boston Scientific devices used 900MHz at one time, but how many of those are
still in the wild?

The only instances of "hacking" a pacemaker (or ICD) have been when
researchers used a programmer from the manufacturer to "hack" the device.

So it seems super unlikely you know a Bluetooth zero day for a pacer.

~~~
pbhjpbhj
> _The only instances of "hacking" a pacemaker_ [...] //

Someone has linked a PDF of an "ICD study" upthread that shows your contention
to be at least partially false.

~~~
ntrepid8
I assume you mean this one:

http://www.secure-medicine.org/public/publications/icd-study.pdf

You would need to be specific about which one of the linked documents you
meant, there were several. All the hacking attempts started off with a
manufacturer's programmer and worked back from there. In the example using a
software radio, the researchers were able to replay sniffed commands to the
device after it had been activated by the programmer.

Which of the reports talked about a device being compromised without using a
manufacturer's programmer?

~~~
pbhjpbhj
Yes. I've not pored over it but they said:

>"We implemented several active [replay] attacks using [only] the USRP and a
BasicTX daughterboard to transmit on the 175 kHz band." //

Yes, they used a programmer for reverse engineering purposes but from my -
admittedly brief - look at the paper it seemed they performed active attacks
(page 8(A) onwards) without using the programmer.

So they previously used a programmer but the attacks were performed without
one. Assumed true, it seems a reasonable PoC that contradicts the essence of
your statement, which seemed to say all "hacks" needed a manufacturer's
programmer to perform.

------
cpt1138
What do you expect them to do? Even assuming they were 100% concerned with
security and did everything right and there was still a bug that allowed a
pacemaker to be compromised. Do you expect them to cut open a person and
replace the buggy pacemaker?

I don't pretend to be an expert in this area but getting medical equipment
approved is a huge undertaking and I don't know what the ramifications of
changing anything would be. Say they take your 0day and fix it. Then they have
to go through the entire re-certification process again and after however many
months or years, NEW patients get the fixed pacemaker. But what about all the
old patients?

While I sympathize, the only realistic approach here is to make the
consequences for killing someone via a 0day for the "lulz" so drastic that it
would certainly legally bleed over into the disclosure. I realize this is the
approach we do tend to take here in the US.

~~~
xur17
Someone made a comment above stating that people with pacemakers typically
have to go in once or twice a year to get it checked, and the devices can be
updated using 'inductive or rf telemetry'. Presumably doctors could update the
devices when patients come in.

------
JunkDNA
In the case of medical devices, this is squarely in the FDA's wheelhouse in
the USA. The FDA likely lacks the people with appropriate expertise to
evaluate these kinds of safety issues because their traditional focus has been
on the more typical kinds of medical device risk. A concerted effort at dialog
with them could turn that around. Particularly if it were done through a
series of academic workshops with key people.

------
TheSockStealer
Make a YouTube video of the hack actually working on a pacemaker (preferably
one that is not in a person). Show how it can be executed from a smart phone
while walking down the street or sitting at Starbucks.

Send that to the company and the media. You are best off also showing
documentation that you told the offending company multiple times.

Show don't tell.

------
neurobro
"The problem is that dropping a pacemaker 0day is so horrific that most people
would readily agree it should be outlawed. But, at the same time, without the
threat of 0day, vendors will ignore the problem."

If this is the case, then wouldn't the same most-people (if made aware of the
issue) also agree that it should be illegal for a company's management to
ignore life-threatening software flaws in their products after being notified?

I mean illegal as in reckless endangerment or manslaughter, not illegal as in
lawsuits and golden parachutes.

------
NamTaf
And so it begins. I was wondering when we'd finally start seeing the InfoSec
guys get to this. The more recent stuff branching into CAN on cars and before
that SCADA systems seemed to be the last sort of stepping stone from a
traditional PC network to the internet of things networks.

I'm sort of glad, in a twisted way, that this has finally happened. Better the
light get cast on this now than in a few years once the criminal(/nation-
state...) equivalents have had time to go through it themselves.

------
clarky07
I remember reading that Cheney had them remove all wireless functionality from
his pacemaker because they were afraid of the potential of someone using it
for assassination.[1]

[1] http://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434

EDIT: Also, no you shouldn't release a pacemaker 0day. As others have said,
expose it without releasing details. Makes for a nice demo.

------
Taek
I think that there are a lot of ways to approach this. The Heartbleed
disclosure was very well done and has a lot of lessons, perhaps there's
something to learn from that.

Personally, I think it's completely unacceptable the way many technologies
critical to keeping people alive are so vulnerable. Especially if the
vulnerabilities are as widespread as the article suggests (30%!), find a list
of 10-20 that vary in importance. List all the products, and list the
consequences of each vulnerability.

Then start dropping 0-days one at a time until the industry realizes you are
serious. Start with the less severe ones, but if the pacemaker vulnerability
hasn't been addressed after a few months of weekly vulnerability releases,
don't hold back. The more publicity you can get the more likely a company is
to patch vulnerabilities.

If _teenagers_ are capable of finding vulnerabilities that can end lives using a
script they downloaded online, then we need to be ready to take drastic
action. The industry is in a terrible state and we aren't safe, and
decreasingly so as these gaping holes continue to sit there and be discovered.

------
watty
This is an incredibly sensational piece. All of the sane suggestions are
dismissed as "doesn't work" by giving one example where it didn't work. It's
not that easy - going to the media won't solve the problem 100% of the time
but it sure as hell would if it were a life and death 0day and wasn't fixed
with urgency.

Don't even get me started about the Nazi analogy...

------
chrismorgan
If it’s an obvious vulnerability, is there value in withholding the details?
There is a strong case to be made for the argument that the people who would
be willing to use such a 0day maliciously (sociopaths) would find it anyway.

It could potentially also depend on how easily the vulnerability can be
patched—one that can be patched remotely can be dealt with much more rapidly
than one that will require surgery to replace the device. If one assumes that
full disclosure will lead to the fixing of the issue, the first class is
probably closer to being judged “responsible” than the second.

It is certainly a difficult dilemma. The correct answer can only be known with
the benefit of hindsight…

------
robszumski
When there is a flaw in a car seat or child's toy everyone flips shit and
recalls start happening. It's covered on the local news and all that. Why
doesn't that happen for pacemakers? Isn't this a problem for the Consumer
Product Safety Commission or the FDA?

It's a product that has a flaw. Seems like it qualifies for a public recall.

------
s_tec
I don't understand why there is such a debate here. I would _absolutely_
disclose the 0-day if the manufacturer was unresponsive (given sufficient
warning, of course). Moreover, if anyone died, I wouldn't feel the least bit
guilty about that - the guilt rests firmly on the manufacturer and the
individuals who choose to use the exploit.

After all, black-market exploits will come, and people will die, whether you
disclose the vulnerability or not. At least with disclosure, the innocent have
a chance to protect themselves.

You must weigh the lives lost to silence against the lives lost to disclosure.
We practice disclosure in all other areas of computer security because we have
seen the cost of silence too many times. There is no reason it should be
different here.

Disclosure saves lives.

------
SapphireSun
This is clearly something where a regulatory agency that can and will apply
penalties to manufacturers that do not fix bugs that are physically possible
to fix without ill effect in a timely manner is appropriate. You simply report
to that agency.

These problems are serious enough that failing fast and hard is not a good way
to go about it. This is software meets physical reality. In software land,
we've developed radically different approaches to engineering problems because
of the incredibly cheap costs. This is one place where we have to borrow from
other disciplines that have more experience with safety issues.

------
joyeuse6701
The solution I find is relatively simple from a moral standpoint. Exhaust all
options. Instead of saying 'ah it won't work', just do it anyway, contact
anyone and everyone privately related to this, about this, and do everything
you possibly can before press exposure. With the press you can demonstrate but
not release the actual steps to how it's done. If it is still denied as fake
or ignored despite all of that, release it if you feel the moral obligation to
do so. 'You must do what you think is right, of course'.

------
hackuser
Of course, don't publicize it.

But consider a thought experiment: From a security perspective, does it really
increase risk? There are many ways to kill someone that are much simpler than
figuring out what pacemaker they have, finding a 0day, designing an attack and
implementing it. This vulnerability doesn't necessarily increase the risk that
someone will be murdered.

EDIT: Or if you want to attack the pacemaker, use radiation from microwaves or
similar devices. At least according to signs posted in many places, they are
dangerous to users of pacemakers.

------
koliber
There seems to be this idea embedded in human minds that there is a group of
people who are just waiting to kill someone, and the fact that they have not
yet found a way of doing it is the only thing preventing them from doing so.
As soon as you show them that you can do it by hacking a pacemaker, they will
go ahead and do it.

There is no shortage of methods of killing someone or inflicting bodily harm.
As far as moral culpability, showing how a 0day exploit can be used to kill a
person is akin to saying that you can use arsenic to kill grandma.

------
lrichardson
relevant: "It’s Insanely Easy to Hack Hospital Equipment" (wired.com)

[article]: http://www.wired.com/2014/04/hospital-equipment-vulnerable/

[hn thread]: https://news.ycombinator.com/item?id=7684291

------
achille2
Of course you can. Executing this type of attack would be more technically
complex than executing a plain old murder, with say a simple gun.

~~~
gamegoblin
But also significantly less traceable back to the murderer.

------
rrggrr
Notify the manufacturer's products liability insurer through a respectable and
concerned PI lawyer. Action will be swift.

------
phazmatis
Ideally, there would be some way to disclose this kind of info to whatever
government regulatory agency is responsible for approving these things. In
your situation, you have to worry that whoever you disclose this to is going
to act irrationally, and governments exist to mediate between irrational
actors for the benefit of the public.

------
Alupis
Wasn't Barnaby Jack going to unveil a pacemaker 0day last year before he
[mysteriously] died?

~~~
tptacek
He didn't mysteriously die. There are several people on HN that knew him
personally, and there's been a lot of creepy not-even-wrong speculation about
what happened to him. None of his friends appreciate it.

~~~
Alupis
I was referring to the timing of things. But yes, I don't disagree. He did
some very brilliant work.

------
keyme
Drop the 0day. I'd say anonymously, but not necessarily. If it's an obvious
bug, this isn't a moral issue at all. Had it been a multi stage, complicated
exploit (hard to find and implement), I would suggest otherwise. In this case
it's a no brainer IMHO.

------
jonmrodriguez
@fiatmoney's comment seems like very good advice. Here's a link since it's
very far below the fold:

https://news.ycombinator.com/item?id=7849734

------
aurelianito
I think that unless you want to carry the burden of possible assassinations
that you could have stopped, you have to disclose the vulnerability ASAP. In
order to avoid legal vendettas, I recommend to do it anonymously.

------
Qantourisc
Pacemakers have a remote exploit bug? If you can get this close to my heart,
you might as well stick a knife in it. The only difference is the one will
look like a failed pacemaker and the other will look like murder.

------
userbinator
I suppose Heartbreak Bug would be an awfully appropriate name for one.

------
vermontdevil
Write a script for CSI or one of these police procedural shows.

------
m1sta_
Warn the CDC of an impending health issue and include very specific details of
the at-risk group and the transmission vector.

------
deckar01
Anonymously do what you think is right.

It would be interesting if someone created a payload that patches the exploited
device.

------
ticktocktick
The ONLY people who need to know about this is the manufacturer and their
regulatory body FDA, etc.

The company can then pull all the inventory that is in and out of the patients
and apply fixes or facilitate replacements.

If this could kill people, I'd hope the above ideas would be obvious...but
well I know they won't be to everyone.

~~~
ggyttf
Correct, it's not obvious to me. If there is a flaw in my medical device, I
want you to tell me about it...

It's amazing to me that you think I'm not entitled to know there's a problem.
Do you also believe I shouldn't be informed if the lock on my door doesn't
work? You must hate those consumer watchdog shows!

If someone is capable and willing to kill me with a pacemaker bug, they likely
already have the skills to find the bug. Not telling me just withholds the
opportunity for me to protect myself (stay indoors? Contact doctor, etc).

~~~
deciplex
You should definitely be informed there is a serious issue. Whether you (and
everyone else) should be given instructions how to duplicate that issue is a
different matter.

------
DevX101
Is there any secure way to update a pacemaker's software without surgery?

------
lotsofmangos
Contact the surgeons who implant them and demonstrate to them.

------
BorisMelnik
Was really sketchy when it happened on Homeland.

http://vimeo.com/63176830

------
lechevalierd3on
Where is the landing page and scary logo?

------
rasz_pl
You can play moral white hat hacker when you are disclosing vulns in some
shitty Chinese router, or participating in one of bug bounty programs, but NOT
when you play against big boys (AT&T, MBTA, Juniper, Adobe, etc). You will get
crushed, jailed and humiliated.

Disclose fully, but anonymously.

------
gonzo
I call BS.

How does an ECM (or anti-lock brake controller) "slam on the brakes"?

~~~
shiftpgdn
All cars produced for US sale after 2011 have mandatory traction control
systems that work by modulating the brakes on a corner by corner basis. It's
not inconceivable that this could be hacked.

~~~
gonzo
OK.

http://cfr.regstoday.com/49cfr571.aspx#49_CFR_571p126

------
tuaz
I would snap insta do it for the fame and future business opportunities alone.

