Hacking a Pacemaker

jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."

Bionic eye

[sm62704]

I'm sure glad the device in my eye (see my sig for details) is focused by the eye's muscles rather than electronics/motors. Some things shouldn't be networkable.

Oh yeah, the oblig: We are cyborg. You will be assimilated. resistance is not only futile but you won't resist, you'll beg to join us..

Re:Bionic eye

pacemakers aren't "networked" but are programmable, usually through a short range (touching the skin) transmitter. Need to be able to change the strength and trip thresholds without doing new surgery. Apparently, they need to add encryption/passkeys to the devices if they haven't already.

Re:Bionic eye

[downix]

You know I'd often wondered about your sig, but never wondered hard enough to read. Now I have, very interesting, as you have, well, a better "viewpoint" at this than the rest of us.

Re:Bionic eye

[sm62704]

I would think the safest thing would be to have to physically interface with it to program any electronics in it. Once they've sewn one into my chest (thank God heart disease doesn't run in my family) I wouldn't want it to be programmable!

Re:Bionic eye

[Ihlosi]

Once they've sewn one into my chest (thank God heart disease doesn't run in my family) I wouldn't want it to be programmable!

Um, yes you do. Do you want them to have to cut you open because you don't like the maximum pacing rate and want to have it reduced by 5 bpm ?

Re:Bionic eye

[Misagon]

Some things shouldn't be networkable. Not networkable. A pacemaker communicates only with the diagnostic equipment.
Pacemakers are [i]implanted[/i] under the skin. The only way to interface with them is through induction or radio signals. The signals have ranges measured in centimeters.

Re:Bionic eye

[StylusEater]

I can see the headlines... "Cheney's Pacemaker Hacked by Chinese Militants" ... :-) One can only wish.

Re:Bionic eye

[BoomerSooner]

Or better yet, "Cheney's pacemaker hacked by time travelers from the future." Circa 1999. Now that's a wish.

Re:Bionic eye

[sm62704]

I want them to get the pacing rate right BEFORE they sew it in.

Re:Bionic eye

Changes in your health/body can warrant these adjustments.

Re:Bionic eye

[Ihlosi]

I want them to get the pacing rate right BEFORE they sew it in.

Finding out which settings you like or don't like unfortunately involves putting a pacemaker into you first. Of course, you could go with a completely dumb device, but your heart would be paced too fast when you're asleep and too slow when you're physically active.

Re:Bionic eye

[sm62704]

I can see the headlines... "Cheney's Pacemaker Hacked by Chinese Militants" ... :-) One can only wish.

This is off the topic for the summary (but on topic for your comment) but if Cheney goes duck hunting with Bush we could have the first woman President.

If Cheney shoots Bush in the face accidentally while duck hunting (well it happened once before, I'd never go hunting with him) and suffers a heart attack as a result, and both die, then House Speaker Nanct Pelosi becomes President Pelosi.

One can only wish!

Modding myself down with the "no karma bonus".

Re:Bionic eye

[Brian+Gordon]

The one time you're thankful that manufacturers are so negligent with firmware/BIOS updates :)

Re:Bionic eye

[tsa]

Believe me, you really want the thing to be programmable. They have to try a few settings to find oujt which makes you feel good, and if/when your body changes they can adjust the pacemaker accordingly. Modern pacemakers are marvellous pieces of technology that can give you your life back as long as you program them well!

Re:Bionic eye

> The signals have ranges measured in centimeters.

"The signals emitted by the pacemaker manufacturer's FDA-approved programming devices have ranges measured in centimeters. The signals emitted by the bad guys are amplified and have ranges measured in meters."

Sorry, bud, just like WiFi ("Who cares? The bad guy would have to live next door to you!") and RFID passports ("Who cares? The little card reader HomeSec uses only reads cards within a few centimeters"), you just don't get security.

You can argue that the cost/risk of making the provably correct, embedded, suitable for use in a life support environment cryptographic authentication protocol isn't worth the effort (particularly since even a secure pacemaker/ICD-programmer would suffer from the same DRM problem as DVD/HD-DVD players: it only takes one "bad guy" doctor to dig one working key, or one firmware image, out of the programming device, and to subsequently hand over the key to the local "bad guy" with a microcontroller, an antenna, and a Pringles can.)

But to argue that the range of the signals in the commercially-approved devices are too short is to miss the point entirely. The risk isn't with commercially-approved hardware, it's that a bad guy can build something with as much range as he wants.

Re:Bionic eye

[darkfire5252]

Yes, I want it to be programmable. But I want the designer to keep in mind that it's my life at stake. We know how to do these things securely.

Public-Private Key cryptography. The manufacturer has a public key, and it's embedded into the device. The manufacturer's private key is kept secret in the same way as the PKI people do it; there are multiple parties required to do anything to the key, there is armed security 24/7, and the key is treated as if people's lives depend on it because that's the situation. There's a process to go through for a hospital to get certified to update the device. When the hospital certifies a doctor to update the device, the doctor's public key is signed by the manufacturer's private key. The doctor keeps his private key on a smart card that requires a PIN with the full knowledge that people could die if he loses it. Preferably the smart cards are kept under lock and key at the hospital next to the lethal drugs and the morphine. When an update command is done, a specially formatted message is signed by the doctor's private key, and the message is send along with the doctor's certificate (the doctor's public key signed by the manufacturer's private key). If there's no valid certificate or the message format is not correct, no command interpretation takes place. If everything checks out, the command is logged in onboard flash memory and the device updates. If someone's pacemaker is updated in a manner that kills them, there is an audit trail pointing to exactly who's at fault. I don't care how much more expensive it is, particularly when the answer is 'not very.'

People's lives are at stake here, the manufacturers should be held liable and negligible if they aren't using already existing methods that essentially guarantee security.

Re:Bionic eye

[hey!]

It's not necessarily so bad. They don't have to split your sternum open, they can just make a keyhole slit to access the interface. It's not something you'd do for fun, but it beats worrying about worrying about whether you're pacemaker settings are accessible to the outside world to make "adjustments", either unintentionally via EMI or deliberately.

Based on what I know about non-specialists designing security into ad hoc network protocols, I'm not very optimistic about biomedical engineers getting it right, bright as they may otherwise be.

Re:Bionic eye

[geekoid]

gee, a completely impractical piece of advice. how.../.

There already is a trail, and you advice would be spectacularly expensive.

So, your lying ahve heart problems and you want to wait for what, an hour best case before getting treatment?

Stupid. fortunately people smarter then you are involved with pacemakers...granted, that doesn't say much.

Re:Bionic eye

[frission]

Yes they are, or will be soon, networkable. From the article: "...But device makers have begun designing them to connect to the Internet, which allows doctors to monitor patients from remote locations."

Re:Bionic eye

[pnewhook]

Oh for crying out loud - don't be ridiculous. These are pacemakers not PCs. Get some perspective. It doesn't have the capability that you seem to be thinking it does.

And right now you have to be in contact to reprogram. It's not like anyone is at risk of being hacked from down the street or anything.

Re:Bionic eye

[darkfire5252]

Sure. It's impractical, because cryptography uses "magical hard math," right? Nevermind that the math involved can be done with relatively cheap chips made for the purpose. An hour best case for what? The doctor gets certified to update the device as a part of employee training, not 'on demand'. There already is a trail... how, exactly? /Done feeding trolls

Re:Bionic eye

[shaiay]

Even if you can transmit very strong signals to the pacemakers from afar, the answer will be very faint (these things need to run for years on a single battery, they are very low power). Most communication protocols are bidirectional, so you won't really be able to communicate with it.

As an added precaution, some manufacturers (at least Biotronic IMHO) have devices which only communicate when a magnet is placed near (again centimeters) the device, thus closing a magnetic switch and enabling communication.
This is extremely hard to "hack" from afar -- you would need a very strong magnet which would probably cause a lot of other problems.

Re:Bionic eye

[darkfire5252]

It already is receiving signals and acting upon those signals. All the stuff that I mentioned requires is another chip and a small flash storage for logging. 'Right now' it takes $30,000 to do this hack. If the information becomes well known and the technique becomes easier, being in contact isn't really a big deal. The problem is that the person goes into heart failure for what is apparently no reason at the time. The fact that someone in a crowd has their hand on his chest or did for a brief moment is a lot different than watching that same person stab the guy...

Re:Bionic eye

[pnewhook]

Not quite.. The pacemakers send data to a bedside device that then relays the information gathered to the Internet. Not really the same. No pacemaker will connect to the internet directly, it doesn't make any sense to do so.

Re:Bionic eye

[jamstar7]

They don't usually sew them in your chest these days. They snake the leads down your carotid to the heart, and bury the electronics in that hollow at the base of your neck, on top of your shoulder, for easy access. It's under a couple layers of skin and a bit of muscle instead of behind your ribs.

Re:Bionic eye

[jamstar7]

Older model pacemakers were susceptible to microwaves from your kitchen 'nuke'. And they had to redesign the kitchen 'nuke' to cut this radiation down so it wouldn't interfere with a pacemaker. Pacemakers are also subject to getting whacked by an electromagnetic pulse, so this isn't 'news' per se, they've known it for decades.

Re:Bionic eye

I read your post about your eye.

Yeah...you might want to think about what you posted a little more, and how it effected your life.

Re:Bionic eye

[Ihlosi]

Public-Private Key cryptography.

Sure. Will you ship your secure, encrypted pacemaker with an external power supply to plug it in ?

Sheesh. These things don't come with a multi-core desktop CPU. They're ultra low-power systems, optimized for battery life because changing the battery requires surgery, which already puts your life at stake (Sorry - cutting your chest open isn't trivial. And the chance of something bad happening during or after surgery (infection, complications with the anesthesia, etc), as of now, is about infinitely higher than someone hacking your pacemaker to kill you).

If you'd get a pacemaker, would you get the one that requires you to be cut open every five years, or the one that requires you to be cut open every eight years ?

Re:Bionic eye

[frission]

I see that as adding one more level of complexity, but it may not be any/that much harder. I would think that they've already done the hard part (messing w/ the signals). if they can get into a device from the internet that ALREADY KNOWS how to communicate w/ the pacemaker, then these people are still in the same boat.

Re:Bionic eye

[bay43270]

Also, your pacing needs change as you grow and as your heart develops. Not all pacemakers go into 70-year-olds.

Re:Bionic eye

[pnewhook]

No, the pacemaker only SENDS to the bedside. It does not receive. Receiving / programming is done by direct contact through the patients skin.

Re:Bionic eye

[sm62704]

The implant affected my life in a completely positive way. The posting is an attempt at affecting others' lives in a positive way.

At my age nothing I can do or refrain from doing can affect even half my life, as it is certainly more than half over by now.

Re:Bionic eye

[theshowmecanuck]

or better yet, some bully hacks someone's bionic arm: hey kid, why do you keep hitting yourself? (mouse click - whap! mouse click - whap!) hey hey, you shouldn't hit yourself man (mouse click - slap! mouse click - slap!)...

Re:Bionic eye

[nahdude812]

And once the private key is cracked or exposed, do you operate on everyone with that model pacemaker?

The thing is that this private key needs to be sent to every hospital and doctor's office which wants to make adjustments to the pacemaker. They'll have it, whether it's embedded in a chip or written in a config file. You have to make this information public in some sense, the very best you could hope to do is use some kind of DRM to protect the key from exposure, but as we all know, such exercises are fated to failure.

And what happens when a pacemaker manufacturer discontinues a line and stops manufacturing the equipment to tune certain kinds of pacemakers (such as would be expected to happen should a key be discovered), do these patients just have to hope that the equipment used for tuning their pacemaker outlives them?

Also, will doctors and hospitals have to buy dozens of different pacemaker adjustment machines, one of every type, even those they don't install themselves so that they can treat patients who move into the area? What happens when the patient needs emergency adjustment of his pacemaker but doesn't remember the model he has (or isn't conscious)?

Finally, these devices don't exactly have little general purpose CPU's in them. One of their biggest concerns is decent battery life. If we put something in there as computationally intensive as strong private/public key cryptography, you're going to significantly hurt the battery life of these devices.

This problem is not as simple as it seems on the surface. It turns out that human life is fragile, and there are many ways in which you can kill someone, some of them even require little effort to kill many people. Hacking this device in a way that endangers other humans would not even need new laws to be punishable since we fortunately already have laws which surround murder, reckless endangerment, and other such things which actually or reasonably could result in the death or injury of other humans.

Re:Bionic eye

[Beardo+the+Bearded]

Ah, finally, someone understands something! Most programmers think that EVERYTHING that can be programmed has a multi-core architecture with a hard drive, monitor, etc. You haven't seen most of the computers that you use on a daily basis. Do you think your elevator runs a Duo-core? Your apartment buzzer controller isn't made by AMD.

I'm an EE with a lot of embedded experience in RF devices. I've had to make recalls because the standby current* was 50uA instead of 12uA. (For a GPS tracking board with VHF transmitter.)

The level of misunderstanding that's required to think that you can surreptitiously reprogram somebody's pacemaker without their knowledge is astounding. If you've got a pacemaker and someone tries to walk up to you and reprogram your chest, just walk away, man. Walk away. It's not like it's going to take 2 seconds to line everything up correctly. Even if all the technical details are magically sorted, a different brand could make your hack useless. So could temperature, humidity, clothing, chest hair, and any of the other RF voodoo things that you have to deal with.

*(Technically "quiescent" but I'm not sure everyone knows what that means.)

Re:Bionic eye

[darkfire5252]

Older model pacemakers were susceptible to microwaves from your kitchen 'nuke'. [...] are also subject to getting whacked by an electromagnetic pulse, so this isn't 'news' Yes, and someone could break into my home by smashing a window or driving a bulldozer through the wall, but I'm still going to lock my doors. Just because there are known faults and vulnerabilities doesn't mean that we should pretend there are no consequences to introducing new ones.

Re:Bionic eye

[nicomachus]

It's off topic, but you did reference the link in your sig concerning your eye history. Two questions about that: (1) You say that when you were young, "contact lenses were made of glass." I started wearing contacts at the age of 13, in 1959, and the only lenses I ever heard of were plastic (acrylic, the old-fashioned non-gas-permeable hard lenses). I know there were at one time glass lenses, but I'd be surprised if you're much older than I am. (2) You say your vision was 20/400. Is that primarily myopia? If so, what's your refractive correction? I'd have been very happy to have come up to 20/400 for most of my life (-10 diopters at its worst, in my mid-20s). I've known many people with corrections worse than -8; 20/400 sounds like about a -5 to me. As for cataract surgery: had one done when I was 60, which got me to a trivial -0.75 diopter correction (waiting for the other one to get bad enough so that insurance will cover it). This was the closest thing to no surgery I can imagine (less than ten minutes in the operating room). I'll take that over a root canal any day.

Re:Bionic eye

[darkfire5252]

Cryptography consists of basic math operations, exponentiating and modulus. I am not assuming that they make 200MHz pacemakers, nor do they have to. A budget chip that performs on the order of 5 mathematical operations (iterations, it would have to support 3 operations IIRC) is not out of the question. You already have the foundation for receiving signal and determining what the signal is. A device that interpreted the signal by performing a few mathematical transformations on it before sending it along the pathway that already exists is not out of the question. There's no reason that the chip should be getting clock cycles and using power unless the device is being updated, so what's the big problem with using a slightly larger amount for an update that likely takes a nontrivial amount of power in the first place?

Re:Bionic eye

[darkfire5252]

Look up public private key cryptography and get back to me. Asymmetric cryptography does not require revealing the private key to hospitals....

Re:Bionic eye

[pnewhook]

Yes, its all nice and simple to the software guy that doesn't know what he is talking about.

Yes what you are asking is possible but it's prohibitively expensive, pointless, and adds ZERO benefit to the patient. In fact because of the extra power draw of this pointless device the patient will have to undergo extra surgeries to replace the battery more ofter thereby further jeopardizing the patient safety.

Re:Bionic eye

[geekyMD]

You sir, are a moron. You suggest: 1) Requiring doctors to carry smart cards with encryption data 2) Requiring doctors to keep said cards with "the morphine" (showing you have never seen how a hospital manages secure resources) 3) Said hideously rare and necessarily hard to obtain cards would be required to save a life in dire emergent situations. This shows: 1) You have never seen how an emergency room or hospital inpatient floor works. 2) You have no idea how a pacemaker interrogator works. Furthermore, you suggest: 1) A hideously complex encryption system based on ONE point of weakness: the manufacture's private key. 2) You KNOW this is a weak point by your suggestion of "armed guards" (where should they be? in yur hard drivez guardin' your bites?) Therefore: 1) You have suggested a security by obscurity scheme which even the RIAA is learning just doesn't work. 2) You have definitively solved a "hard" problem in a field of experience vastly different from your own by applying your specific brand of expertise without any form of intellectual humility. Which shows: You're a slashdotter alright. I also stipulate: Due to your heinous disregard of human life in your brash search for security, and disregard of other peoples input on this forum, as priorly asserted: You sir, are a moron.

Re:Bionic eye

[Beardo+the+Bearded]

Both multiplication and division are "heavy" operations in the embedded world. Incorporating them into the code even once can mean that your code won't fit into the footprint. One chip I used in 2006 has 512 bytes of Flash and 24 bytes of RAM. Not for a trivial application either - there are tens of thousands of that product out in use right now, and people depend on the device to live.

Sure, a few chips have built-in single-line multipliers, but I don't think that's what they use in pacemakers.The pacemaker chips are probably running at 32kHz (kilohertz) for battery efficiency.

I don't think that the very remote chance of a pacemaker hack with technology that doesn't exist is a sufficient threat to require encryption on the pacemaker. If thousands of people start dying as a direct result of this hack, then I might change my mind.

Re:Bionic eye

[mkiwi]

Dude, you don't have to like Cheney of Bush. In fact you can hate them to their cores. But don't say "One can only wish." implying that death or health trouble would be a good thing.

You become as bad as they are when you say that, so don't do it.
It's not cool to say that about anyone.

Re:Bionic eye

[darkfire5252]

Quick access in an emergency is something that didn't occur to me; that would pose a problem. I'll grant that I am no MD nor am I at all qualified to manage hospital processes, but I do know something about cryptography. I would think moron is a bit strong, as your 'rebuttals' reflect a person about as qualified to speak about cryptology as I am to speak about hospital procedure. So, just for fun:

) Requiring doctors to carry smart cards with encryption data 2) Requiring doctors to keep said cards with "the morphine" (showing you have never seen how a hospital manages secure resources) 3) Said hideously rare and necessarily hard to obtain cards would be required to save a life in dire emergent situations. 1) Doctors presumably already have some identification card that they are required to keep on them. If not, they likely have had either a driver's license or a credit card at one point in their life, so they are familiar with the idea of keeping a card with them...
2) I was making reference to the fact that hospitals already keep things securely, so whatever method should work just as well for the cards. I have no knowledge whatsoever how a hospital manages secure resources, but they have a means for doing so.
3) Cards would not necessarily be rare nor hard to obtain. The purpose of the card would be to link a particular doctor at a particular hospital with the permission to update or send commands to the device, as opposed to assuming anyone with proper equipment is authorized to do so.

1) You have never seen how an emergency room or hospital inpatient floor works. 2) You have no idea how a pacemaker interrogator works. Furthermore, you suggest: 1) A hideously complex encryption system based on ONE point of weakness: the manufacture's private key. 2) You KNOW this is a weak point by your suggestion of "armed guards" (where should they be? in yur hard drivez guardin' your bites?) 1) Yep, you are correct.
2) Right again
1) This is already done, so it is a non-issue. Verisign and all the other certificate authorities that issue SSL and other certificates have a private key kept at this level of security. I am unaware of a case where the private key became known and every computer on the internet needed to have the CA public key changed, so it seems that they do a decent job.
2) ... The key is stored on a computer isolated from all others in a locked room. The system is set up such that the private key does not get revealed when it is used to sign a certificate. Two or more trusted parties are required for entry to the room, and no one is left in there alone. Presumably there would be a chair for the guard... Again, this is something that is already done; there is established procedure.

1) You have suggested a security by obscurity scheme which even the RIAA is learning just doesn't work. 2) You have definitively solved a "hard" problem in a field of experience vastly different from your own by applying your specific brand of expertise without any form of intellectual humility 1) This is the polar opposite of security by obscurity. 'Security by obscurity' is keeping the method used for security secret, and if the method is revealed the security is defeated. This is a case where the methods are known and tested, but a key is kept secret. The RIAA has to use security by obscurity because DRM requires that you provide an encrypted media file, the key to decrypt it, and then dictate the terms under which the key can be used. That doesn't work, because the second the method used to obscure the key becomes known the security is broken.
2) And you have rebuked my argument by showing that you lack knowledge about cryptography and I lack knowledge about hospitals. My search for security is precisely because of the human life involved. It should go without saying that I am capable of being wrong, that doesn't mean I should be required to be timid with my suggestions; you certainly are not.

So, I am no moron nor am I a doctor, and you are no cryptographer nor are you capable of having a discussion without resorting to personal attacks and name calling.

Re:Bionic eye

[geekyMD]

Sorry dude, very long day and I sucumbed to internet asshole syndrome. Seriously, sorry. I stand very corrected.

Regards cryptography, yeah I did botch that point regarding obscurity, and I wasn't aware of the specific protocols followed at a CA. But here's the thing: it wouldn't be CA's doing this, it would be medical device firms for whom security is a "feature". And instead of revoking a CA key (which I understand would cause a large degree of chaos, but I would, perhaps wrongly, assume there is a mechanism for this as well?) you get to dig these pacemakers out of peoples bodies and I guaranty you that some of them will die as a result.

Regarding, "hard to obtain cards", I mean that if you want to make it such that only a few people can use them, they must by definition be hard to obtain. Not letting the surgeon into the OR because he forgot his ID is moronic, everyone knows him, but not so with a security ID, bringing huge risks for not carrying it with you. Suffice to say that leaving it at the hospital would not be a tenable solution for any physician who will be ID'd by this thing. If you lose it when your wallet gets stolen, it cannot be revoked in any meaningful way. So ultimately, this security ID is just a barrier to access and ID for pointing fingers.

Since these cards could be trivially stolen and are unrevokable from the standpoint of an implanted device, lets forget the pointing fingers part, since they cannot guarantee identy.

Now this whole thing is just a barrier to access via key exchange. Every manufacturer will have a different key as well as interogation protocols, which alone constitute a large barrier to attack but are closer akin to DRM.

So, today's attacker could either:
a) reverse engineer the whole thing from scratch and try to implement that at remote distances via observing an interogator and device interacting
b) reverse engineer the interrogator and simply modify its wireless mechanisms to work over high power over longer distances.

If I was an attacker I would choose b.

This schema doesn't change at all once public key crypto has entered the fray. You still need to RE the interrogator communication path, but now the interrogator requires you to insert your ID card. Simple: just steal any cardiologists ID card, probably at the same time that you steal his interrogator. You're already killing your target, one more surely couldn't hurt. Done. The only change between yesterday and today is that now a cardiologist is dead (or just pickpocketed) too.

And there is the critical assumption: that it is possible to meaningfully change the internal state of a pacemaker/defibrilator from a distance. I would posit, perhaps wrongly, that it would be VERY difficult to send a signal remotely into a pacemaker. Interrogatogators must be placed directly on the chest since the pacemakers are so insensitive, and my understanding is that most pacemakers actually reqire the physical presence of a small magnet in a very specific location on the patient's chest (not the deactivation magnet mind you) to even turn on their reciever, thus any attacker would have to place a magnet on the victim's chest for about a minute or two while this very low bandwidth communication is going on from 200' away. Is it starting to sound silly yet?

If your goal as a troublemaker is to disable pacemakers as an act of mass terrorism, there are much easier ways than this, so that issue is not really a concern. If your goal is to take out a specific target, ok, maybe, but just putting in the authorization magnet as above should be more than enough to stop that sort of attack. Even if communications could be perfectly secured, think that someone willing to put this much effort into killing you will very easily find another way to do it if they were denied this one.

Thus, from a cost-benifit or number-needed-to-treat point of view encrypting these communications gets horribly low marks. From the added cost of implementation and key maintenance t

Re:Bionic eye

[Ihlosi]

My search for security is precisely because of the human life involved.

In that case, you should search for patient _safety_ first, and then worry about the security of the device. Right now, a doctor needing _quick_ access to the programming of the pacemaker, or a patient catching MRSA or something equally nasty during a surgery to change the pacemakers battery are, while having a very low absolute probability, pretty much infinitely more likely than someone getting harmed by a successful pacemaker hack. And security that will jeopardize patient safety might as well be left out.

Re:Bionic eye

[nahdude812]

What ever end of the key you give to the hospital is the private key. It's the key in most limited distribution, making it the private key. Whatever that key is, whether it's the "public" half of the pair, or the "private" one, it's the one which is required to make changes to the pacemaker. Doesn't matter what you call it, if it is revealed, it is all that's necessary to make changes to the pacemaker, and my point stands.

In public/private key cryptography, there is nothing particularly special about the public vs private key except that we designate them that way, and freely hand out one, while we protect the other. Sure, if one consists of stronger factors than the other, it makes a better private key, but it doesn't *have* to be the private key.

So I suggest you follow your own advice =)

Re:Bionic eye

[sm62704]

I thought they were glass, perhaps not. You're actually older than me and it was about 1970 when I tried contacts. So if yours were plastic in 1959 mine certainly were as well.

You say your vision was 20/400. Is that primarily myopia?

Yes.

If so, what's your refractive correction?

I have no idea, but the lens I wear in my right eye is a 6.

As for cataract surgery: had one done when I was 60, which got me to a trivial -0.75 diopter correction

Mine corrected my vision to 20/16 at distance and 20/12 closeup, but I got the new tech that can focus. A little arithmetic says you're 6 years older than me, so you got yours done about the same time I did.

(waiting for the other one to get bad enough so that insurance will cover it).

Me too. Right now I'm waiting for the blood in my good eye (the one with the IOL) to clear up, my retina bled a few weeks ago where it tore the year before last. Dr. Odin says if it keeps doing that he'll have to perform a vitrectomy.

This was the closest thing to no surgery I can imagine (less than ten minutes in the operating room). I'll take that over a root canal any day.

Root canals are a whole lot easier than they were in the early seventies, but I'd still take cataract surgery over it. Except fo rthe eyedrops it was entirely painless.

Re:Bionic eye

[giminy]

Look up public private key cryptography and get back to me. Asymmetric cryptography does not require revealing the private key to hospitals....

I think the GPs terminology is wrong, but he/she is hinting at a potential problem. The single-instance-public-private-keypair in this scenario is as follows:
Pacemakers gets private key
Every hospital gets public key

Public key is used to encrypt data destined for the pacemaker. However, if the public key is released more widely than just the hospitals, a bad guy can do bad stuff by encrypting bogus pacemaker commands with the public key, which the pacemaker will assume are legitimate.

One way of securing this is to have a PKI. Hospitals would get signing keys authorized by the pacemaker manufacturer (or perhaps a pacemaker consortium would start a CA), and the hospital could sign and encrypt a message for the pacemaker with a key issued by a trusted node in the chain. Signing is always good :). A PKI is worse in some respects, though: If the root cert of the PKI were compromised, the certs would have to be revoked and new ones issued. This would require removal of everyone's pacemaker.

Re:Bionic eye

[nahdude812]

A public key infrastructure assumes the pacemaker can communicate with a certificate authority to validate the signature of the cert offered to the pacemaker by the hospital, which it can't.

As I said in my followup to your parent, we're looking at best at a single public/private keypair which is pre-programmed into the pacemaker (or a handful of them, but where it only takes one to get compromised). Half of this key exists in the pacemaker, half of it exists in the configuration devices used by the hospital. The half in the pacemaker is the private half, because it is the least readily accessible (it's the pacemaker determining whether it permits the communications, so it gets the "private" half, though we're really talking about two pseudo-public halves, and again as I said in my other post, public and private are just labels we assign to different members of a key pair). The half in the hospital's machine is the public half, it is the half which random humans have the most access to (though it's the half with the most damaging consequences if it's compromised, so in that sense it's private - you see, these labels do not fit well in this case since we're really talking about wide distribution of two halves of a keypair, a model which is atypical for asymmetric cryptography).

And even still, cryptography is not the answer, at least not as these devices are built today, they don't have anywhere near the computing power necessary to participate in cryptographic exchanges which would be strong enough to withstand brute force attacks by modern computers. Giving them that kind of computing power would seriously hurt their battery life.

Also as you mentioned, you still have to deal with certificate revocation. If there is a compromise, it's not good to be having to rip people's chests open to fix it, and you don't want it to be such that you can update its key remotely (like flashing firmware), or that compromise might lead to keys getting changed by unauthorized parties.

Finally you have to deal with many manufacturers, each with their own keys, and potentially unconscious patients needing emergency adjustments, and not being able to tell the doctor which make and model they have to get that adjustment; there'd have to be a separate machine for each manufacturer so they could put the hospital's key in firmware to protect it best (or else exchangeable cards with firmware coded on it). Yeah, you could mitigate that by further increasing complexity of the devices, and by this point people need a new battery every year.

Plus who is responsible for maintaining devices for a manufacturer who has gone out of business? They can't just release their keys to the world, is there some new governing body which assumes ownership of such keys? Do we create new laws that require companies to provide a copy of every such key, along with source code to the new agency?

Or maybe we should just realize that you have to be in close proximity to someone to control their pacemaker (my grandfather's requires a device pressed into his armpit), and that doing things which jeopardize someone's health in such a substantial way as modifying an implanted pacemaker already qualifies as reckless endangerment or attempted murder. We don't require cryptographic exchanges to reveal the sharp end of a knife, and it's even more deadly since pressing it into someone's armpit with the same force as is required to control my grandfather's pacemaker will jeopardize anyone's life, not just those with a metronome in their chest.

remote kill?

does this mean that someone can eventually kill people remotely?

Re:remote kill?

[Snowgen]

does this mean that someone can eventually kill people remotely?

The technology for that already exists; it's called a "gun". It replaced an older technology called an "arrow", which in turn was the replacement for an even older technology called the "javelin". There was also an older technology called a "sling" which was a peripheral device designed to increase the effectiveness of the original technology call the "rock".

People have been remotely killing other people for millions of years.

Re:remote kill?

[Oktober+Sunset]

Killing people remotely is not hard, doing it without anyone knowing it was you, without any indication at the time that it was anything other than natural causes, requiring no opportunity other than being within wireless range and leaving no evidence behind whatsoever. That's the novel part.

Re:remote kill?

[kdemetter]

good idea .

That leaves a hole in the market , namely defensive devices this , like a tin foil t-shirt , sweater , etc
Together we will make millions .

Re:remote kill?

[legoman666]

Sorry friend, that niche is already filled: http://www.lessemf.com/personal.html

Re:remote kill?

[JasterBobaMereel]

Ah you mean the dropping rock on his head, rather than beating him to death with a rock ....

Re:remote kill?

[powerlord]

I was expecting something more like this: http://www.thinkgeek.com/tshirts/generic/9080/

Re:remote kill?

[DrEasy]

But this perhaps creates an interesting opportunity for programmable euthanasia or suicide. Our society may not be ready for this yet, but having a way to decide in which conditions you want to leave this world with dignity sounds good to me.

Re:remote kill?

[Oktober+Sunset]

That still requires opportunity, especially if you want to make it look like an accident. You need to be in a hidden place where you are above them with the rock, at the right time, where you can't be seen by anyone else, you need to hit them, you need it to be a place where a rock might drop naturally, you need to leave no trace behind that you were up there.

With this, you need no vantage point, no hiding place, you don't need to wait till they are in some opportune location, there's no risk of detection, if you attempt and fail, they won't even know. Even with a sniper rife, you still need a window with line of sight. With this, you don't need to be in a book repository, or behind a grassy knoll, you could be stood in the front row of the crowd and no one would even know.

Re:remote kill?

[bay43270]

What's the range on a pacemaker? about 3 inches? So you don't think the victim would be tipped off by the guy walking around behind him holding a device three inches from his chest, tethered to a computer?

Re:remote kill?

[geekyMD]

Leave no evidence? These things have year long log files of everything they do and is done to them.

The FIRST thing a medical examiner would do is interrogate the pacemaker and find out why it stopped. This technique is closer to a sniper rifle: everybody would know the guy got murdered, they just wouldn't know who did it.

Re:remote kill?

[greyhueofdoubt]

All those people who were found dead in front of their computers? The ones we assumed must have had heart attacks? At age 30?

Goatse.

The dirtiest kind of clean crime scene.

-b

pacemakers

[gEvil+(beta)]

Hacking a pacemaker? What could possibly go wr... *thud*

Re:pacemakers

[BillGod]

I want to give this a try. Can I borrow someones grandpa?

Re:pacemakers

[segwonk]

When I want to hack someone's pacemaker, I do it the old fashioned way: I bring them near my microwave oven.

-- jw

Oh no, another exploit

[techgu]

What a surprise that you can hack something that has electronics?

If there is a will there is a way.

Re:Oh no, another exploit

[zappepcs]

and if they hack your pace maker, you had better have a will.

Nevermind that, the burning question is will Clinton use this to scare us out of voting for McCain? He should be due for a pace maker soon if he doesn't already have one.

Re:Oh no, another exploit

[tristian_was_here]

"hey Grandad I have something for you"

Don't fear.... much

[NIckGorton]

From TFA:

a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal

hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts -- they include Vice President Dick Cheney -- have no need yet to fear hackers No need to fear they tell us because:
One:

The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals. And two:

"To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide," Um, that was until a NYTimes article described that it could be done and (more importantly) a /. article linked to that NYTimes article so tons of geeks worldwide see the information. While security through obscurity doesn't really work, there is something to be said for people just not noticing that a thing is hackable.

Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

If I had an AICD, I sure as hell wouldn't want to be around Cheney, lest the signal from mine be confused with his. Of course maybe that is why he has a man sized safe in his office is a Faraday cage.

Re:Don't fear.... much

[TheRealMindChild]

Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

Not only that, but let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead.

Re:Don't fear.... much

[Ihlosi]

Not only that, but let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead.

Now you only need to get that $30000 worth of lab equipment (= big and bulky) within a few inches of your intended victims chest ...

Re:Don't fear.... much

[MMC+Monster]

Recent models of pacemakers and defibrillators from the major companies (Guidant, Medtronic, etc.) allow remote telemetry from home: You have a device sitting on a table next to the patient's bed which will check the device every night (or one night a week, etc.) and report back to the physician any abnormalities. Some also allow wireless programability, but not from home: The nurse waves the wand over the device, then the patient goes in another room and gets seen by the physician while the settings on the device are changed. The range is less than 50 feet, based on personal experience. Now, this can theoretically be done from home (if someone has the right device), and you can make changes without any passwords.

Before you ask, you should *not* start passwords-protecting these devices, as you may have a patient traveling and rendered unconscious and need to make setting changes and not have time (or ability) to call the manufacturer.

Re:Don't fear.... much

let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead. No it isn't, i don't have anywhere near that kind of money...

Re:Don't fear.... much

[NIckGorton]

I'm not so sure about that (speaking as an ER physician who would generally be the one saying WTF is the password???)

In the worst case scenarios, either 1) put a donut magnet over it and it can be stopped or 2) give me a scalpel and 30 seconds and I can cut the leads, and then we can externally pace and/or defibrillate the person.

So I am not sure that the risk of being password protected would outweigh the risk of not being password protected. I'd want mine password protected, then put the password on a medic-alert bracelet that I wear.

Re:Don't fear.... much

[NIckGorton]

put a donut magnet over it and it can be stopped And to clarify, I mean stop many potential hacks. The magnet doesn't turn a pacer off, just flips a reed switch and renders it dumb so that it just paces at a set background rate. And I suspect that if it were hacked and the person arrived to the ER still alive (or at least freshly dead) you could solve a lot of that with a magnet.

Re:Don't fear.... much

[sledge_hmmer]

From TFA:

The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals. And the device the researchers tested, a combination defibrillator and pacemaker called the Maximo, was placed within two inches of the test gear.

*emphasis mine*

I don't think the $30,000 in equipment will be a problem. On the other hand I do wonder if getting within two inches of the President with $30000 of equipment will be possible. To put it mildly, you might stick out a wee bit.

"Oh Mr. Secret Service....ignore the giant antenna, oscilloscope, power pack and laptop. I am Stephen Hawking and I am here to shake hands with the President".

Re:Don't fear.... much

[MMC+Monster]

Speaking as a cardiologist, if I get a person with a defibrillator with multiple runs of shocks for ventricular tachycardia, I would sure like to make adjustments on the device to be more efficient.(for instance, more aggressive anti-tachycardia pacing or higher output first shock, etc.) While I could call up the company to get the password on a weekend or night, I'm not sure how they would authenticate my identity.

Re:Don't fear.... much

[ipooptoomuch]

You could disguise yourself as a DJ. They dress funny. Or you could get him to walk past a large truck and hide all the equipment inside (its wireless isnt it).

But why?

[Tsoat]

Even if you could hack it wirelessly the only benefits I see are bragging rights cool they may be just doesn't seem worth the time and effort

Re:But why?

[kalirion]

Unless you're looking to kill someone by pressing a button, of course.

Re:But why?

[ConfusedMonkey]

We have those already, they're called "guns". They even have an additional advantage of being lethal from 300 yards away rather than having to be pressed against someone's chest.

Re:But why?

[MttJocy]

Guns however create pesky ballistic evidence, a wireless signal passed to the device may show up in it's log somewhere if an old guy with a pacemaker dying of a heart attack was even autopsied but it could still be just taken as natural causes, not only that but even if you could prove the device was tampered with it could be difficult to link such a signal with the transceiver that sent it directly, unlike trying to link a bullet to a gun. Now bear in mind people have tried some pretty mental schemes in an attempt to get away with murder and it doesn't seam that ridiculous that someone could actually try something that elaborate in order to attempt to kill someone without it being traced back to the attacker. Of course there is still the fact that not having the pacemaker has pretty good odds of killing you anyway, having one without the wireless technology would mean it would need to be altered by surgery which also carries a risk of death which is far higher than the risk of hacking so it is overreacting really to get overly worried about it all the same.

Re:But why?

[ConfusedMonkey]

For ballistic evidence to actually mean something the ballistic "fingerprint" has to be tied to a registered weapon. Under current law you can go to a gun show and buy a new weapon without having to register it or even go through a waiting period. A $300 firearm is quite a bit more practical, accessible and disposable than $30,000 of lab equipment. The fact that a pacemaker can be communicated with by anyone who gets extremely close with specialized equipment is an interesting point but as a potential risk it's pretty much negligible.

Re:But why?

[MttJocy]

I could be wrong but my understanding was that the weapon had to be tied to a suspect, that does not require a registration (in fact simply being the registered owner of the weapon would not prove you pulled the trigger although if it was not reported stolen it would hurt you in trial most likely) but physical evidence linking the suspect to the weapon (fingerprints, hair fibres/dna, fiber evidence from clothing), combined with ballistics linking the weapon to the murder would be somewhat problematic for the suspect.

Re:But why?

[ConfusedMonkey]

All ballistics does is connect a bullet with a specific gun via the rifling cuts the weapon placed on the bullet. An unregistered weapon can be cleaned then dumped and after that point there's nothing connecting the shooter to the weapon. The police can even find a dumped weapon but that's where the case goes dead; when a firearm is unregistered there's nothing connecting it to a specific person. Stolen or unregistered firearms purchased through a strawman from gun shows are one of the primary reasons so many shootings go unprosecuted in the US every year. A lot of the stuff you see on CSI is an exaggeration, it's fairly easy to clean a machined, metal surface.

Hmmm

[tarogue]

Doesn't Dick Cheney have a pace maker?

Re:Hmmm

[Ihlosi]

Doesn't Dick Cheney have a pace maker?

Yes, but the purpose of this device is unclear. What exactly is it pacing ?

Re:Hmmm

[BakaHoushi]

I find this joke to be old and rather insulting, really. Of course Dick Cheney has a heart.

However, the notion that the heart is somehow related to empathy and love is also false. Instead, he had that section of his brain surgically removed. It helps him collect himself faster after his 3pm puppy kicking and orphanage closing.

Re:Hmmm

[Mr2cents]

I heard it was a present from the Wizard of Oz, but it didn't help.

Re:Hmmm

[jamstar7]

I find this joke to be old and rather insulting, really. Of course Dick Cheney has a heart.

Yup, he has the heart of a 20 year old.

It's in a jar on his desk.

Life imitates art

[theGreater]

From http://www.snpp.com/episodes/BABF01

% The Simpsons happen upon Krusty, who is having a Y2K crisis of his
% own. His pacemaker is stuck in the "hummingbird" mode. Krusty
% lifts himself in the air briefly by flapping his arms, before
% collapsing on the ground.

See also:

http://en.wikipedia.org/wiki/Treehouse_of_Horror_X#Life.27s_a_Glitch.2C_Then_You_Die

-theGreater.

This story is shocking...

A real heart stopper if you will.

Easy fix

[InvisblePinkUnicorn]

Just make a pacemaker for the pacemaker. That way, if it ever shuts down, it'll have a tiny little heart inside it to get it going again.

Re:Easy fix

[kdemetter]

feeling very tempted to make beowulf cluster joke about it

Re:Easy fix

[niteice]

Recursive Beowulf clusters?

Yeah but hacking a pacemaker

[sleeponthemic]

Would be heartless.

Medtronic Inc.

[metalman]

For a device that serves a life-or-death function for many individuals, some of these headlines about Medtronic Inc. are not the most heart-warming. Especially this recall of defective heart parts.

I'm not that worried about this

[director_mr]

I'm not that worried about this for 2 reasons: Hackers usually want something that is easily available to hack. These pacemakers are not so common as to be everywhere and easy to access. It would take some work to find and set up a situation where you can hack a pacemaker. The second reason is there are a lot easier ways to kill people than this. If someone goes through this much effort to kill you, they could have done it any number of different ways already. So if you die this way, think of it as living longer than you would have otherwise.

Just shut it off

[epilido]

Most pacemakers and defibrillators can be turned off with just a magnet. This is designed to allow medical staff to stop a defective device. Yep I have done it myself and seen it done many times for diagnostic reasons in the hospital. M

Re:Just shut it off

[Arancaytar]

Indeed - most technology exhibits that contain strong magnets have warnings about pacemakers. And a strong electromagnet could be hidden anywhere (didn't this site discuss them in door frames to avoid seizing of harddrive data, in fact?). The wireless networking may seem scary, but unless the range of the receiver is much greater than it needs to be, this doesn't sound like it would make pacemakers much more fragile than they already are.

I guess it's psychological. We humans don't like being reminded of how easily we can be killed, both by accident and by malice - especially when it involves software, which we associate with bugs and BSODs. ...

Wait, aren't most of the world's missile systems software-guided? Nuclear war: Cancel, Allow?

Re:Just shut it off

[NIckGorton]

Actually what the magnet does is turn off the sensing function (by flipping a reed switch in the pacer), and demotes a highly functional piece of electronics into something much dumber. (It just paces at a set rate without having any look at what the heart is doing.)

This can be used to stop a lot of 'runaway pacer' issues (which almost never happen with modern devices), and I suspect a lot of potential hacks. However it doesn't precisely shut it off. But it does solve a lot of problems.

Wait for it

[Bombula]

"It wasn't me grabbing her ass your honor, someone hacked my arm!"

So they can crack RSA and then get the pacemaker?

[dbIII]

RSA encryption is used in these devices. There certainly is a lot of techofear journalism about lately.

A better method

[yamamushi]

The article details how the researchers had to be within 2 inches of the pacemaker, and several thousands of dollars worth of equipment. I suspect there is an easier way to deactivate a pacemaker, find out what frequency they operate at. I've got an FM radio blocker, that is basically just a 100mhz oscillator, a potentiometer, and a battery. It works by canceling out a given frequency, thus letting me silence my neighbors stereo from 50ft away. I know the technique works for the 2.4ghz band, for blocking out wireless phone signals and whatnot. I suppose finding an oscillator in the high ghz range would suffice for 'killing' a pacemaker.

Re:A better method

[sempernoctis]

I suspect there is an easier way to deactivate a pacemaker

It's called electromagnetic pulse (EMP) and has been around for quite a while. I'm sure there are documented occasions of it taking out a pacemaker before.

Re:A better method

[pnewhook]

It's called electromagnetic pulse (EMP) and has been around for quite a while. I'm sure there are documented occasions of it taking out a pacemaker before.

Yes, in science fiction novels.

EMP *theory* has been around for quite a while, but the devices aren't real (unless you count atomic explosions).

To be clear for everyone here on Slashdot, there is no such thing as an EMP device. It's theoretical science fiction, just like wormholes and space elevators. Get over it.

Re:A better method

[EMCEngineer]

That is not strictly true. You can create EMP-like pulses in a lab setting. If you have the right antenna and a big enough amplifier you can fry most electronics. The difference is you are very limited in distance of effectiveness, and susceptible frequency range will change with different devices and orientations.

So in a strictly theoretical sense, yes you can kill electronics with RF. On the practicle side, it's like saying you can build a rail gun at home. Sure you can build a 5th grade science class level one that shoots marbles, but that's not what people mean when they say rail gun.

Re:A better method

[Rick+Genter]

Great concept, brilliant novel, and I highly recommend the books. One little problem with this in "real life", as I understand, is that most pacemakers are typically *idle* (doing nothing). They only "fire" if they sense the heart is stopped, going too slowly, or beating arrhythmically; for example, fibrilation instead of a steady beat. I also wouldn't be surprised if there was firmware with hard limits (upper/lower) so that the "adjustable" rate cannot be re-programmed to lethal levels.

That depends on the model and the medical situation. In my case, it is as you describe: it only fires if the heart doesn't do so in time (my at rest heart rate was about 30 before the implant; now it's set at 80).

Some people, however, depend upon their implanted pacemaker to make their heart beat. My father is facing this situation; his doctor is considering a procedure where the nerve that acts as the heart's natural pacemaker is severed and his heart will not beat if his pacemaker doesn't fire.

As far as "lethal" levels, mine can be set anywhere from 30 to 200. I imagine setting it to 200 and leaving it there would take its toll after a while...

Re:A better method

[pnewhook]

Yes, I agree.

And for practical applications, lab demonstrations are still just demonstrations of theory. They may generate an EM pulse that can be detected but unless you got a crapload of money to buy a lot of high power components, it wont do much. Even then just put a Faraday cage around it and it'll be protected.

Unless you are in military research, you cannot go out and buy nor make an EMP device like many here on Slashdot think you can. It just doesn't exist.

Re:A better method

[sempernoctis]

If you go to any search engine and search for "How to make an EMP device", you will find several pages that may not give detailed instructions, but all seem to agree that localized one-use EMP devices based on chemical explosives can reasonably be constructed. Sources include Wikipedia, Howstuffworks, and Popular Mechanics. If not usable by the average person off the street, they at least agree that from terrorists it is a more significant threat than an actual nuclear attack.

Re:A better method

[pnewhook]

Yes, as I said you can make a device that creates an electromagnetic pulse. But the pulse is really small and doesn't do anything. You cannot make an EMP device that blows up electronics or stops cars or kills a person instantaneously - it doesn't exist as that power of an EMP device is pure science fiction. Even the terrorists aren't that gullible.

I don't care what Wikipedia says, anyone with a decent physics or engineering background will te4ll you that a chemical explosive is not going to make a magnetic pulse.

Re:A better method

[Ihlosi]

I don't care what Wikipedia says, anyone with a decent physics or engineering background will te4ll you that a chemical explosive is not going to make a magnetic pulse.

The exact design involves an inductor (coil) which is filled with an explosive. To generate the EMP, a high current is fed through the inductor (which stores quite a bit of energy), then the explosive charge is detonated and the energy stored in the inductor is released when it is blown up in the right way.

It's probably also quite deadly to any bystanders due to all the shrapnel from the coil.

Re:A better method

[pnewhook]

Ok, so the chemical explosive did not make the pulse, the inductor made the magnetic field and the explosive just destroyed the inductor which resulted in a sharp pulse termination.

It's kinda like saying the booze got my girlfriend pregnant.

Easy solution

[DotNetFreak]

Why don't they build firewalls into the pacemakers? And perhaps close off ports 21, 80 and 135. Hmmm...

Re:Easy solution

[CrashPoint]

Why don't they build firewalls into the pacemakers?

Because then you'd get heartburn. Geez.

Vivid imagery

[Wilson_6500]

But device makers have begun designing them to connect to the Internet, which allows doctors to monitor patients from remote locations.

"Excuse me, sir? The plane is about to taxi, and I'm going to need you to shut down your wireless internet device."

Some day in my lifetime, a person's heart might have "flight mode." That idea bowls me over. I'm assuming this is some kind of cellular internet connection the devices use. Fifteen seconds of google didn't really turn up much info, but then again I wasn't looking very heard.

Re:Vivid imagery

The device itself doesn't connect to the internet, there is a "base station" in the patient's home which the device connects to on a regular basis, and this station transmits data over the internet.

Re:Vivid imagery

[Misch]

At least for mine, it looks like a coupler-style modem with 2 leads that attach to your wrists. There's a magnet included as well (at least on mine) that cause a different signal to be sent.

My base unit doesn't have internet connectivity, though I suppose it potentially could be done that way someday.

More interestingly: get away with it

[davidwr]

I heard Uncle Joe is about to write me out of his will. He has a pacemaker. He's old, there won't be an autopsy. Hmmm......

Re:More interestingly: get away with it

[SgtChaireBourne]

That was my first thought, too, when I read that they were 'unaware' of any problems. Usually with other technology products that means only that no problems have hit the 1st page of the NYT.

Obligitory Bionic Man Reference..

[clonan]

So can I get the pacemaker make a heartbeat sound like the jumping sound effect....

"nah nah nah nahhhhhhhhh"

It's not that bad

(Posting this as AC since I don't want to get in trouble).

I think the summary is more alarming than the actual article. The researchers had to be at two inches from the device in order to tamper with it.

It's probably not such a big deal now, but some more thought should definitely go into future products. 30000$ sound like much, but it certainly sounds like a bargain if you can kill the Vice President of the USA without even touching him.

I mean, imagine the following scenario:

1. Bad guys want to kill Cheney. That seems quite plausible.

2. They find out the exact model of his pacemaker. That sounds feasible with some knowledge of the field, money, time and determination.

3. They buy one and hire some researchers to crack it and to create an automated system which is portable and works reliably. Say, a laptop with some transmitter attached or something similar. This is quite hard, but should be feasible as well with enough money and time.

4. The researchers manage to increase the range from 2 inches to 20 inches. This is probably the hardest part.

5. The bad guys put the laptop in a briefcase, wires running up the sleeve and the transmitter in the other sleeve (close to the hand). This is easy.

6. Now they just have to get close enough to Cheney. I have no idea about how hard this is.

7. He has a "heart attack". Bodyguards/security come running and push all the people away. People go away because they don't want trouble, including the guy with the briefcase. I think this is quite realistic.

8. Cheney dies. Maybe they find out that the pacemaker was tampered with, maybe not. If not, the plan worked out perfectly. If yes, they will have some video on a security camera showing the bad guy, who is in another country by now. Maybe they catch him, maybe not.

This sounds pretty far fetched (and it is), but it could be possible with some minor advances. So some more thought should go into these devices.

Pacemakers have batteries which have enough power to supply some encryption hardware. What should be done to prevent this scenario is something like this:

1. Create a key pair for every pacemaker. The public key is on the pacemaker, the private key gets printed on a 2d barcode on a piece of plastic. The patient gets the barcode which he carries in his wallet. The patient's doctor/hospital also gets a barcode.

2. The devices used to communicate with the pacemaker have a slot for the barcode.

3. The pacemaker ignores any request not signed with the private key. Problem solved!

Re:It's not that bad

That is true, but when somebody gets shot you know for sure that someone killed them. When somebody who already has heart problems has a heart attack you may not.

Re:It's not that bad

[Dr.+Manhattan]

1. Bad guys want to kill Cheney. That seems quite plausible.

2. They find out the exact model of his pacemaker. That sounds feasible with some knowledge of the field, money, time and determination.

3. They have a bunch of researchers examine it for EMP sensitivity. Then build something like this to blast it from a distance. With a bit of math plus trial-and-error it should be possible to find some frequencies it's sensitive to. Bonus points if you get it to deliver a jolt to the heart as it dies. Actually, existing HERF guns will do a decent job of this anyway...

Re:It's not that bad

[WK2]

An EMP will cause the device to fail. He will get the best first aid, and then be rushed to the hospital. He will most likely survive. Causing a fatal jolt to his heart, on the other hand, will kill him.

Re:It's not that bad

[mbstone]

I mean, imagine the following scenario:

1. Bad guys want to kill Cheney. That seems quite plausible.

2. Secret Service anticipates this. NSA and the Office of the Sergeant at Arms of the U.S. Senate are tasked to establish and test a set of security controls.

3. Pursuant to applicable FISMA, OMB, NIST and DoD regulations, it is determined that Cheney's pacemaker must undergo Certification and Accreditation under DIACAP (Doing Information Assurance on Cheney's Automatic Pacemaker) throughout the VP's Life Cycle.

4. Since the responsible government employees want to CYA, it is determined that the C&A work will be done by Contractors. An RFP is put together and posted to FedBizOpps.

5. A consortium of contractors including SAIC, Booz Allen, and Northrop Grumman are awarded the contract, with the real work to be done by a Section 8(a) minority small business contractor out of Bethesda.

6. The DIACAP team is assembled, a set of 8500.2 security controls is agreed upon, and the Veep is called in for several days of Security Control Assessments.

7. The contractors decide that a full SCA is too much hassle, so an SP 800-26 risk assessment checklist is completed instead.

8. Cheney leaves Bethesda Naval Hospital hardwired to a golf cart full of equipment at a cost of $35 million.

Re:It's not that bad

[rdavidson3]

Gives a whole new meaning to "Don't tase me bro!"

Re:It's not that bad

[l0cust]

I mean, imagine the following scenario:

1. Good guys want to kill Cheney. That seems quite plausible. There, fixed it. So, when is the movie release?

Oh, great timing

[elrous0]

Dick Cheney is preparing to leave office and NOW you tell us?!?!

Insider

[More+Trouble]

Would I need a "team of experts" and $30K of gear if I had worked as an engineer for Medtronic?

That kind of attitude is the problem

[Moraelin]

Well, sad to say and please don't take it as an offense, it's that kind of attitude that's the cause of half the problems today. Products are made by engineers couldn't care less about security, with their budget dictated by a boss who couldn't care less about security, and end up configured by users who couldn't care less about security. Because they all operate under that assumption that if it's even remotely related to computers or electronics, it can be hacked anyway, so why bother?

Well, no, there are ways to prevent that.

Let's start with the simplest: you can't remote-hack a computer which isn't connected to the net. Pull your network cable out of the computer and that's it, you can't be hacked by some guy in China any more.

Of course, you don't want to do that to your home computer, but we're talking pacemakers and the like. Why _does_ a pacemaker need a WiFi interface anyway? No, seriously. It's not like you want the users to surf for porn and post to Slashdot on their pacemakers. It's not even an appliance, as far as the user is concerned, it's a standalone device like their computer chair or the windshield wipers on their car. You have no freaking need for those to be networked, in any form or shape.

And here's an even more sobering thought: even if you wanted some control from outside, you're near your pacemaker the whole time. In fact, it's inside you. There's no time when you're on the other side of the town than your pacemaker is. So even if you're one of the die-hards that can argue with a straight face why you might need to log in to your fridge from work, the same doesn't apply to pacemakers. You're near it all the time. Any interface to it or from it can be contact-based just as well.

Second, even if you do want it networked, there _are_ ways to minimize bugs drastically. Code _can_ be proven correct, test cases can cover the code to ridiculous extents, and the thing can be riddled with pre- and post-condition checks right in the code and be able to fail safely to its normal offline mode. Yes, it's damn expensive to do that to something the size of Vista. But we're talking a pacemaker. It's just not the same number of lines of code. (Or if it does have millions of lines of code, maybe you just need to fire the guy who programmed it;)

More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it. You don't want a car's brakes to be hijacked by wireless by the guy in the next car, so you just don't give them a wireless connection. Do you see any reason why we wouldn't apply the same thinking to a pacemaker? It's even more likely to kill than hijacking someone's brakes. There is no airbag to save you when your pacemaker fails.

So what I'm saying is: let's all stop and think twice before shrugging and dismissing security as impossible anyway. Sometimes it's very feasible to make it bulletproof, and, really, it has no excuse to not be so.

Re:That kind of attitude is the problem

[Ihlosi]

Why _does_ a pacemaker need a WiFi interface anyway?

Because sticking a JTAG connector through someones chest is fairly painful. You're welcome to experiment on yourself to confirm this.

Also, it's not a WiFi interface. It's a short-range (it goes through your chest, and water absorbs radio waves like crazy), custom, wireless interface. You have no freaking need for those to be networked, in any form or shape.

And you're, what ? An M.D. ? A biomedical engineer ?

Tell you what: Have fun with your dumb fixed-rate 75 bpm pacemaker, but don't expect to be running up any stairs anytime soon.

Any interface to it or from it can be contact-based just as well.

It basically is, genius. Or do you want it so contact-based that they have to shoot a couple of amps through your chest in order to make the pacemaker respond ? Hint: Think of a vital organ that's very, very close to the pacemaker and reacts very badly to having current shot through it.

More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it.

They're also conveniently located outside the human body, so plugging a special connector into them doesn't involve going through someones tissue first.

Re:That kind of attitude is the problem

No, your mom's the problem.

Literally.

Re:That kind of attitude is the problem

You have no freaking need for those to be networked, in any form or shape. As long as you don't mind major surgery to make minor adjustments, I guess that's true.

There's no time when you're on the other side of the town than your pacemaker is. So even if you're one of the die-hards that can argue with a straight face why you might need to log in to your fridge from work, the same doesn't apply to pacemakers. These things have a range of centimeters. So unless you live in a really small town...

Re:That kind of attitude is the problem

[Asic+Eng]

Why _does_ a pacemaker need a WiFi interface anyway?

Well it's not a pacemaker, it's a combination pacemaker/defibrilator. The second part is the reason why it can "deliver potentially fatal jolts" - that's just the range a defibrilator operates in. A connection via the internet allows a doctor to be notified of problems while the patient is at home, and the doctor could even take corrective actions right away. That's presumably why one of the doctors involved in this investigation said "If I needed a defibrillator, I'd ask for one with wireless technology." This is great research though - while it may not be possible to prevent any attack, it's quite possible to put safeguards in place and these guys are pushing the FDA and the industry to make that happen.

Re:That kind of attitude is the problem

[radarsat1]

It basically is, genius. Or do you want it so contact-based that they have to shoot a couple of amps through your chest in order to make the pacemaker respond ? Hint: Think of a vital organ that's very, very close to the pacemaker and reacts very badly to having current shot through it.

While I agree with your post, don't forget that electricity and radio are not the only ways to communicate..

This seems like a situation where ultrasonic (or even just sonic) communication might be very useful! You could attach a voice coil to the inside shell of the pace maker. Then have a device which you press up against the chest of the patient. The pace maker and the device could easily communicate through physical vibrations without penetrating the skin! I wonder if this is already done..

After all, it's not like telling a pace maker to go to a new BPM setting requires a high bit rate.

Re:That kind of attitude is the problem

[kappa701]

If my doctors have given me correct information the radio transmitter in most pacemakers need to be activated by a magnet to work. The transmitters they put on top of the patients chest above the pacemakers activate the wireless signal, and need to stay on the chest to keep the signal. This is not only for security, but it also helps the pacemakers save battery. And changing a pacemaker battery is a bit like changing one in a MacBook Air, it is minor surgery. And so far they have not made rechargeable ones that last much longer then regular ones before the battery looses it's charging ability.

Re:That kind of attitude is the problem

[Ihlosi]

This seems like a situation where ultrasonic (or even just sonic) communication might be very useful!

If you had unlimited power, maybe. Just maybe.

You could attach a voice coil to the inside shell of the pace maker.

The acoustic impedance mismatch between the case of the pacemaker and the surrounding tissue will make this virtually impossible. You might get away with having the US transmitter on the outside, but this opens up the device for all kinds of nasty biocompatibility / degradation issues and most likely drains more power than a RF transmitter. So, interesting in theory, but not really feasible in practice.

Re:That kind of attitude is the problem

[DataBroker]

So what I'm saying is: let's all stop and think twice before shrugging and dismissing security as impossible anyway. Sometimes it's very feasible to make it bulletproof, and, really, it has no excuse to not be so.

The excuse is that people are not willing to spend the difference it would cost to make it bulletproof. There are diminishing returns (even on life-saving devices) which people won't recognize or spend on.

Imagine walking into a doctor's office being presented with two (apparently) identical devices. One costs $1000, and the other costs $10,000. Yes, it's your life, but spending another $9000 to make it more secure isn't going to be the option most people choose.

Beyond that, imagine trying to convince an HMO the medical necessity for spending more money on the secure version. I'd suspect that the manufacturers have already considered that and decided to be competitive instead.

Re:That kind of attitude is the problem

[MMC+Monster]

Pacemakers have a limited battery life. Changing the battery requires surgery. (They are working on recharging, but the technology isn't there yet.) Wireless communication requires orders of magnitude less energy for the device than wireless.

Re:That kind of attitude is the problem

> Of course, you don't want to do that to your home computer, but we're talking pacemakers and the like. Why _does_ a pacemaker need a WiFi interface anyway? No, seriously. It's not like you want the users to surf for porn and post to Slashdot on their pacemakers.

Speak for yourself, buddy!

Re:That kind of attitude is the problem

[techgu]

Being realistic I don't think is a problem.

The intent is not that = Oh, Security doesn't matter.

The intent is that if it was made with electronics, there is an exploit for it, regardless how stupid and/or insignificant it may be.

People are not going to live in bubbles that have fail-safe bubbles built-in.

If there is no risk in life what is point in living.

There is still a risk in using/having a pacemaker; they are not full-proof. And even if the individual avoids all known risks involving their new life style, there is no guarantee that a pacemaker or any other device will be 100% effect at 100% of the time.

Regardless of anything else, there will be new exploits regardless of what security measures are built-in, because everything has to have some level of usability. If you wanted your computer to be completely secure unplug it and then destroy it, then there is not question about the security risk.

The real problem is that some people think that we can become immortal through our own creations. Quality of life should not be measured by time alone.

Re:That kind of attitude is the problem

[jiadran]

More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof[..]

As good as bulletproof? I remember a few cases in the media:

• There was a problem with ABS with some cars in the late 90s. Tipping the break slightly was enough to trigger a full ABS break.
• There was a problem with the airbag system in some cars (also in the late 90s): a slight crash would already trigger the airbags.
• A pilot in training asked the instructor what would happen if he was to retract the wheels while the airplane was on the ground. The instructor replied that the aircraft's control system was designed to prevent the actual retraction of the wheels. So the pilot in training tried and the system didn't prevent the action
• There was the story of a British driver maybe two years ago who couldn't stop his drive-by-wire car until it run out of gas.

I have a M.Sc. in designing embedded systems, and I can confirm that tools exist that, if properly used, allow to design systems with very high safety guarantees. But they have to be used, and they have to be used properly. And even then it is still possible to make mistakes...

Re:That kind of attitude is the problem

[JWSmythe]

    Can you find citations for those last two? The first two, there are so many vehicle recalls, I can't even begin to guess which ones they are.

    It seems unreasonable for the gear to retract while on the ground. Well, it would depend on the aircraft. If the gear retracted horizontally, the hydraulics would have to pull the weight of the aircraft sideways against the tires. So... I called a friend who's a pilot. He's flown more planes than I've driven cars, and he's flown more years than I've been alive (sorry for calling you old, I know you'll see this). He said there was a problem like that in WWII era aircraft. He hasn't heard of anything like it in anything resembling modern aircraft.

    On the second one, I remember that one. It was a girl in the US. I believe she was driving a Saturn. She had tried to return it as a lemon, mostly because she couldn't afford it. She ended up calling 911 one day saying she couldn't stop the car. The police found her circling at about 15mph in a parking lot. She claimed she couldn't:

1) get it out of gear (put it in neutral)
2) push the brakes hard enough to slow down
3) turn off the key
4) active the emergency brake

    The police watched her circle for an hour or so. It was the safest thing to do, since she wasn't an immediate danger to anyone (circling in an empty parking lot is relatively safe). The car eventually ran out of gas. A service tech from the dealership was there with a can of gas. He put gas in it, started it up, and it drove normally.

    It was all user failure, not systems failure.

Re:That kind of attitude is the problem

[Loconut1389]

No, there was a guy somewhere else who claimed he couldn't stop on the highway. IIRC they found nothing wrong with that car either.

After a quick search, it was France:
http://slashdot.org/article.pl?sid=04/10/05/1539203

Re:That kind of attitude is the problem

[JWSmythe]

    What's funny is, this happened to me once. :)

    I hit the gas driving through a parking lot. When I let off the gas a little, it didn't stop accelerating.

    It wasn't a big mystery though. It was a TBI engine (throttle body on top of the engine, like a carburator). The wing nut that held the air cleaner on had stripped, and came off. When I hit the gas, the top of the air cleaner got wedged under the throttle linkage. I threw it in neutral, and shut off the key. It took me a while to get the air cleaner top out, because it was a van, and the engine was hot.

    But that doesn't have much to do with the topic, does it.. :)

Re:That kind of attitude is the problem

[Loconut1389]

me too- only it was majorly cold and my throttle stuck open- only about 2000 RPM, but enough to make me keep going- I put it in neutral and revved and let off a few times and it unstuck.

FWD:hmmm

[RiotingPacifist]

TO: osama.bin.laden@cave.net
Doesn't Dick Cheney have a pace maker?

your sincerely, a helpful Brit.

Yee-ha!

[clickety6]

I'm gonna overclock this sucker!
Better than a triple espresso!

Build your own joke:

[RandoX]

Punchline: Heartworm.

Gives a whole new meaning to Force-Feedback

[Qbertino]

Imagine hooking up your pacemaker to your favorite FPS via bluetooth or something. Every time you get hit your heart misses a beat. Literally.

I can also just imagine installing Vista remotely onto the pacemakers of all those Windows fanboys. ... :-) Hehehe ...

Not interesting

I don't see it as a big threat. In fact, I have a pacemaker implanted and HNNNNNNGGGGG.....

Gives a new meaning...

[Swampcritter]

to the term 'reboot', doesn't it? *Laugh*

Re:So they can crack RSA and then get the pacemake

[frog_strat]

Working on the communications software for one of these devices, I can say for sure there is no encryption on at least one of them. A decision was made by the company to not worry about this issue at the moment.

Some health care insurance / hospitals may want to

[Joe+The+Dragon]

Some health care insurance / hospitals may want to cut you off if you can't pay or they found out that you had a pre existing condition they make you pay up and say pay or we cut you off.
Some of them have said that a kidney transplant is to experimental and they let a someone die just to get out of paying for it.

There was movie about some put bombs in Pacemakers

[Joe+The+Dragon]

There was a movie about someone putting bombs in Pacemakers

http://en.wikipedia.org/wiki/Dead_in_a_Heartbeat

Toyota Camrys and Defibrillators

[frog_strat]

Some testing was conducted to see if the various transmitters on a Toyota Camry could interfere with operation of a defibrillator. Interference was detected that caused the defibrillator to miss sensing important heart events, and also to fire when there was no event. The study recommended staying a few meters away from certain areas of the car. Similar article on hybrid intereference: http://trusted.md/feed/items/system/2008/02/25/pacemakers_defibrillators_and_hybrid_cars

About remote "Kill" signals

[Missing_dc]

There are many posts about high profile evil types with pacemakers and what-ifs to reprogram said pacemakers. They all seem a little silly to me since, as I recall, microwave ovens produce a signal that can kill the pacemaker user. Conceivably, it would not be very difficult to create a waveguide antenna to shape the output from a high-power microwave horn from a commercial microwave oven into an aim-able beam. With a few of these running at the same time a DOS attack would be very feasible. Disclaimer: IANAP (physicist), and have only dabbled in wifi antennas (about the same frequency of microwave ovens), nor do I recommend employing these tactics against anyone, no matter how despicable they are. Especially when a firing squad works just as well, its just not as geeky.

Anyone ever read "format C:"?

[Erez.Hadad]

I don't remember the author's name. Anyway, this book (should be 10 years old at least) has a pseudo sci-fi/apocalyptic plot in which the bad guy, who owns the most powerful software company on earth, uses its latest operating system to take control of all the desktops and collect information on all the people. I won't disclose the ending (but it's groovily psychedelic and dripping with LSD/religious fanaticism). However, I will point out the scenario where bad guy uses a PDA with his devilish OS to hack the pacemaker of one of his rivals and kills him through a fake heart-attack.

The government have escrow keys

[Chrisq]

All new pacemakers are to be fitted with government escrow keys to the control interface. After all, if you have nothing to hide then you have nothing to worry about, have you......

When my pacemaker is tested

[InterGuru]

Every six months my pacemaker is checked. Part of the test is to speed and slow down the pacemaker and my heart for a short time.

It is a truly heartfelt experience.

Bookwormhole.net -- a site for book lovers.

Re:When my pacemaker is tested

[Misch]

I know. I was in for a checkup recently and came to the realization that of all the things I have been able to toy and tinker with, my doctor was essentially programming my heart.

I almost cried as I realized I had just been outgeeked, since I would never be allowed to operate the control panel. My doctor has toys that I cannot play with.

Re:When my pacemaker is tested

Please don't put advertising links in your comments. Your site is already linked from the Homepage link above your comment.

Hacking the VP

[tobiasly]

Yes, that's a very real concern that the secret service has been terrified of for years. Most people know that Cheney has a pacemaker, but the real secret is that they forgot to turn off SSID broadcast and its password is "Linksys".

Re:Hacking the VP

[Mister+Whirly]

It has been changed for security purposes. The SSID is now "Geezer" and the password is "psychograndpa". It also displays a warning when logging in "WARNING - unauthorized users will be shot in the face with a shotgun!"

opportunity for extortion

[ch-chuck]

Nice pacemaker you have there - shame if anything should happen to it.

Re:opportunity for extortion

[Punko]

Nice 4 digit ID you have there - shame if anything should happen to your pacemaker . . .

Come on...Seriously

[holmedog]

You know what else can stop your heart? And, at a much larger distance? My rifle. I find this kind of subject to just be more of the terror sensationalism.

I mean, sure, if your heart was hooked to the internet and easily hackable, I would be worried. But, right now, if I want to kill someone it would still be done with a good old fashioned bullet. Much cheaper (maybe a dollar?) and a hell of a lot faster.

Re:Come on...Seriously

[ultranova]

You know what else can stop your heart? And, at a much larger distance? My rifle. I find this kind of subject to just be more of the terror sensationalism.

You know what else rifles do ? They make a lot of noise and splatter a lot of blood eveyrwhere, making the cause of death extremely clear to even the dumbest coroner or bystander. Not only that, but nearly everyone in the world knows what a rifle is and looks like, so if someone was shot dead and you were seen with a rifle in your hands anywhere near, it would make you an immediate suspect.

Compare this to someone seemingly getting a heart attack, and you being seen somewhere near with a walkie-talkie. Do you think you just might have a bit less of a chance to be caught ?

Finally, the mental barrier against shooting someone is much higher than the mental barrier against playing with their pacemaker precisely because you know the former will cause a mess. The latter doesn't cause any obvious injury, so I can just see some brats playing around, turning the beats per minute up to 200 and leaving them there just to have a little harmless fun... And then the heart stops from overexertion, and that's that. Remember that Slashdot story a while ago about the kid who played around with tram controls and ended up derailing one ? People do stupid shit like that.

Heart Attack

[jlebrech]

Brings a different meaning to the words "Heart Attack"

Project Kira.

[MrMage]

Death Note, anyone?

(Sorry about the Anime reference, but wow.)

A whole new market for E-Vest folks?

[punterjoe]

The Faraday vest - what a concept! EMI shielding is the new kevlar.

Re:A whole new market for E-Vest folks?

[sexybomber]

It'd have to be a Faraday Suit to be effective. The electronics to be protected have to be completely surrounded by the cage/mesh/suit/etc., else the electrical signals/current will just enter through the open side. Having a Faraday vest wouldn't do squat unless the mesh extended *through your abdomen*.

Friday, Jan. 26, 2007?

[antdude]

Hmm, old story but interesting.

Flight mode is BS - Air Rage is real

[GameboyRMH]

The ban on wireless/electronic devices in flight is actually to prevent "air rage." Picture being on a flight with a teenage girl babbling at the top of her lungs on the cell phone 6 inches from your head the whole way. That was an extreme example, but people are ticked off by other things such as a bunch of hyped up little boys in a heated 4-player Mario Kart game - that's why handheld gaming devices were expressly forbidden from use in flight about a decade ago.

Look at the list today - cell phones and handheld gaming devices, which all conveniently use wireless communication nowadays, so only multiplayer games are bad juju.

Unfortunately

[wsanders]

.. I see this more like, "Cheney hacks pacemaker to extract confessions from suspect cardiac patients".

Still, I'd like to see proof of concept. There is no such thing as "guaranteed short range" in wireless. My Bluetooth headset has a 50-foot range in the right locations.

by Edwin Black

[GameboyRMH]

http://www.formatnovel.com/formatc/html/reviews.php

4th Google result of "format C: book"

Ah, the smart-arse non-sequiturs

[Moraelin]

Ah, the smart-arse non-sequiturs. How I missed those. So let's demolish them one by one, then. And maybe then we'll see some actual thought process instead.

Tell you what: Have fun with your dumb fixed-rate 75 bpm pacemaker, but don't expect to be running up any stairs anytime soon.

So basically you're telling me that you have to have an external thing strapped to your chest, full time, for it deal with that? I thought they were programmed by a cardiologist once, and left on their own afterwards.

Because sticking a JTAG connector through someones chest is fairly painful. You're welcome to experiment on yourself to confirm this.

_If_ any model needs it to be done that often, there _are_ ways to have things sticking out of someone's skin (think: dental implants) or have an electrode go out to right under the skin (think: some hearing implants.) So, you know, they require contact or near contact to work at all.

Also, it's not a WiFi interface. It's a short-range (it goes through your chest, and water absorbs radio waves like crazy), custom, wireless interface.

That still doesn't excuse its being an insecure protocol. If the only thing it has going for its security is that it's a custom proprietary protocol, then at best it's "security by obscurity." I.e., an antipattern by any other name.

It basically is, genius. Or do you want it so contact-based that they have to shoot a couple of amps through your chest in order to make the pacemaker respond ? Hint: Think of a vital organ that's very, very close to the pacemaker and reacts very badly to having current shot through it.

Again, there are ways to place electrodes for that, so they don't involve shooting a couple of amps through the chest.

So, basically, to wrap this up: I don't know what your qualifications are, but security is obviously not one of them. You can tell that when someone starts stringing straw men, non-sequiturs and a few other fallacies as why they didn't and shouldn't think about security. Whether it's about pacemakers or "why XSS vulnerabilities are overhyped and inevitable, and you shouldn't ask me to learn to encode strings" types, it's the same basic phenomenon.

At the end of the day, I still don't see why those things shouldn't be more secure. And I still don't see how your arguments have anything to do with security. No, it doesn't have to be fixed rate to be secure. No, you don't need to shoot a few amps through someone's chest. Etc. You just need to spend some time designing and reviewing it for security too, which is where most people fail. In all domains, so I'm not just picking on pacemakers. Pretty much invariably the failure isn't that security is impossible, it's that it didn't occur to anyone to even think (much) about it.

I mean, seriously, it didn't take me more than 5 minutes to think up solutions to those issues you raise, and I'm not even claiming to be the smartest guy around. I'm sure you or the companies manufacturing them too can come up with even better ones. But for that to happen, you have to snap out of the reflex of defending insecure designs as inevitable and impossible to change. You just need to devote some honest thinking and research to security too. That's all.

Or even shorter, as I was saying: it's that fatalism that's the problem. Too many people are too quick to throw both hands up and accept that everything is hackable anyway, rather than even try to do better.

Re:Ah, the smart-arse non-sequiturs

[pnewhook]

At the end of the day, I still don't see why those things shouldn't be more secure.

Simply because there is no point in making them more secure - there's no need. If there is no need then it should n't be done.

These devices are not practically hackable. To reprogram one you need direct skin contact - it cannot be reprogrammed from across the room. I doubt anyone will not notice this being done to them.

The device doesn't have the capacity to do encryption like you are implying. If you made one that did it would draw way more power and therefore need battery replacements way more often. The only thing you've then accomplished is you've increased the device cost, increased the number of times the patient has to go in for regular maintenance, and increased the cost of the health care system.

And your suggestion of hanging wires out of a person is just moronic. I'm not even going to waste time responding to the problems with that.

Re:Ah, the smart-arse non-sequiturs

[Ihlosi]

Ah, the smart-arse non-sequiturs.

Feel free to demonstrate your cluelessness. At least I've got a couple of degrees to back up my smart-assness, while you're just talking out of your arse.

So basically you're telling me that you have to have an external thing strapped to your chest, full time, for it deal with that? I thought they were programmed by a cardiologist once, and left on their own afterwards.

Well, you're thinking wrong. They can be tweaked whenever you don't like what the thing is doing. Getting defibbed while having sex with your SO/girl-/boy-/friend ? Move the tachycardia limit up a bit. Heart rate not going down enough when you're at rest ? Have it tweaked. Want to know whether you really got defibrillated at night or just had a bad dream (yep, that's a psychological effect of these things) ? Ask your cardiologist to read out the status log. Want to know whether your pump is getting worse ? Ask your cardiologist whether it recorded any arrythmia episodes. Want to see how the battery is holding up ? You guessed it.

There are tons of reasons to talk to your pacemaker.

_If_ any model needs it to be done that often, there _are_ ways to have things sticking out of someone's skin (think: dental implants)

Erm, are you serious ? _Anything_ that sticks through the skin is a serious infection risk. Basically, there's _no_ way of having something stick through the skin permanently without some kind of problem popping up sooner or later. Dental impacts don't stick through your skin, they're anchored directly in the jawbone. Your're talking out of your arse again.

or have an electrode go out to right under the skin (think: some hearing implants.) So, you know, they require contact or near contact to work at all.

Sorry, there aren't any cable ducts in the human body. The pacemaker is put fairly close under the skin, and talking to it requires "near contact", if you're not using a really sensitive antenna. I'm sure that with the lab equipment mentioned in the article, you could also remotely mess with the hearing implants you mention.

That still doesn't excuse its being an insecure protocol.

Given that there are tons of ways to adversely affect pacemakers, the insecure protocol is the least of your worries. Also, encryption needs memory and power, and changing the battery on a pacemaker requires a surgical procedure, which also carries some risk and is a significant inconvenience.

So, basically, to wrap this up: I don't know what your qualifications are, but security is obviously not one of them.

Small, ultra low-power embedded systems, biomedical engineering and medicine obviously aren't any of yours. If you want to knock out a pacemaker, you don't need to be able to talk to it. Why plug a really remote security vulnerability, when there's gaping holes next to it that basically cannot be plugged unless you stick the patient into a metal cage ?

At the end of the day, I still don't see why those things shouldn't be more secure.

Because you'd be subjecting the patient to more battery changes, for example ? You'd just swap a very remote hazard for very concrete one. And most patients don't like being cut open multiple times.

I mean, seriously, it didn't take me more than 5 minutes to think up solutions to those issues you raise, and I'm not even claiming to be the smartest guy around.

How about you leave pacemaker design to people who actually have the skill set to design a working pacemaker ? Your contraption would be a serious risk to patient health. Sticking an electrode through the skin, sheesh. Why that's not a good idea is biomedical engineering 101. And it'd probably go through batteries like there's no tomorrow.

Re:Ah, the smart-arse non-sequiturs

[I_Love_Pocky!]

I appreciate your enthusiasm, but thank god you aren't designing these devices. I work for one of the competitors to Medtronic (the company whose devices were studied). We have encryption in our RF communication. We DO take security into consideration, but there are trade offs that have to be considered. Battery life is generally the most important consideration. Every time surgery needs to be performed to physically access the device (usually because of a depleted battery) there is a risk of complications. These aren't insignificant risks either. Keep in mind the people getting these devices have health problems of some sort or they wouldn't be getting them. With that in mind, security solutions in this domain have to be very well thought out so as to avoid draining the battery significantly. So please, don't for a second presume that we are a bunch of monkeys sitting around on our asses ignoring real concerns. The real issue is that there are far more concerns than you are aware of. We do evaluate these concerns and try to build the best devices possible with the fewest compromises.

Re:Ah, the smart-arse non-sequiturs

[DragonWriter]

To reprogram one you need direct skin contact - it cannot be reprogrammed from across the room. I doubt anyone will not notice this being done to them.

At least, not in conditions where they would notice someone walking up with a large knife. I mean, if you are a deep sleeper, you might not notice the contact needed to reprogram a pacemaker, but then, you wouldn't notice the guy sneaking up to stab you in the heart, who can produce, from your perspective, the same end result, with far less in the way of specialized equipment or knowledge.

If you can't secure the physical space around your body, communications security on your pacemaker is inadequate to keep you safe from anyone seeking to do you harm; conversely, if you can secure that physical space around your body, the communications security is superfluous.

Re:Ah, the smart-arse non-sequiturs

[JWSmythe]

Wow, a response from someone who actually knows something about the topic? Isn't there a rule against that here? :)

    So, I guess you're the only person that I've run across so far that I could possibly ask questions...

    The article said that the data is unencrypted, but needs physical contact to the chest due to the low power transmitter. Could that be overcome with high gain equipment?

    Like with WiFi, I put a 200mw card on a 24dBi antenna, and maintained a connection to a device at over a mile,
where the device on the other side that was only suppose to have a 300 foot range. That's assuming I wanted to maintain a full duplex connection.

    Would it be assumable that the "hack" could broadcast a high power update. For example, a 1w transmitter, with a high gain antenna, repeatedly sending the update "max bpm=4" would be a fatality. I could assume that it isn't quite so easy, but even if it's a multi-step process, if those are known steps the correct updates could be sent. For example, if it was "go to update mode" --> "update max bpm" --> "set max bpm", those could be sent in sequence with the appropriate delays in place. Think a chat or expect script.

    With the encryption that you say your company uses, wouldn't it simply be a matter of acquiring a single sending device, and reverse engineering it? While hospitals seem secure, people end up in places they don't belong, or can socially engineer themselves in. How hard is it to get on the janitorial staff, and come into work one day with a lock pick set, and walk out with the programmer?

    All these are silly questions, since if you can get in range for a decent power transmitter, an assassination could be done so many other ways. It would simply leave less of a fingerprint for someone to follow, and give the person more time to get away before his action is noticed. I'm assuming a high profile figure, not your average patient.

    Really, it wouldn't become a problem anyways, until someone sat outside a cardiac care unit and swept the place with a high power signal. One instance like that is enough to say there's a real problem. Then again, how long were patients told to avoid microwave ovens, and how many problems happened before the notices started going out?

Re:Ah, the smart-arse non-sequiturs

[I_Love_Pocky!]

I can't speak to how Medtronic implements their RF communication, but as I said ours is encrypted and boosting the signal to "hack" someone does not get around the encryption.

With the encryption that you say your company uses, wouldn't it simply be a matter of acquiring a single sending device, and reverse engineering it?
No. The individual communication session is protected by a unique key. Still, if you physically had a programmer (the sending device you mentioned), you could use it without any hacks to change a patient's settings just as a doctor could, but it would require physical proximity on the order of a few cm. This sort of communication does not occur using RF. You can't spoof this with a high gain antenna or any such thing because the communication isn't occurring using radio frequencies at all. And as you said, at this range you could kill a person any number of other ways.

Re:Ah, the smart-arse non-sequiturs

[JWSmythe]

    I was thinking that boosting the signal would increase the range. Any encryption would still need to be worked around.

    I'm confused by your statements. You say that you can't comment on the RF communications of Medtronics, but then you say the communication isn't RF. If it's not wired, and it's not RF, how does it talk? Electrical impulses through the skin, using the body as the conductor?

    It's ok if you can't say, I understand. :) At least we got more of an expert opinion in here than we usually do. :)

Re:Ah, the smart-arse non-sequiturs

[glittalogik]

While hospitals seem secure...

Ha! Not even. I've gotten into the Royal Prince Alfred Hospital in Sydney at 2 in the morning by hitting the buzzer at the a/h entrance and saying "let me in, please!" I had fair cause, as I'd locked myself out and my flatmate was overnighting in the urology ward, so it was either that or sleep on the street, but once I was in I could have gone wherever the hell I wanted. Maybe US hospitals have slightly tighter security, but a touch of social engineering works wonders in the wee hours when half the staff have probably been pulling 20hr shifts.

Re:Ah, the smart-arse non-sequiturs

For the past several decades, communications with implanted pacemakers/defibs has used a wireless protocol at a low frequency (under 200KHz) based on two inductive loop antennas. One is located in a wand connected to the programmer, the other is a loop antenna in the implanted device. Because of the low power available in the battery of the implant, successfully communicating required those loops to be parallel to each other and very close. The magnetic field generated by the transmitting loop has to induce enough current in the other loop to be sensed (in the presence of noise). The industry calls this "inductive" telemetry.

Since it is wireless, in theory you could extend the range of reception and transmission, but the nature of this transmission medium would require really huge loops with lots of power. Mounting an attack over this protocol from any reasonable distance that would allow the attacker to remain anonymous would be extremely difficult.

In the past few years, as remote monitoring has come into play, high frequency, longer range telemetry links have been added. These are on the MICS band, in the case of the Medtronic devices - that is around 400MHz. That gives longer range -- several feet to 10s of feet, and can be extended with reasonable expenditure. The industry calls this "RF" telemetry. Because of the ease of increased range with "RF" telemetry, security of these links are of paramount interest. A demonstrated hack on an RF telemetry link would be big news. That would imply someone could harm a patient from a distance....

The paper referenced here hacked the old inductive telemetry link. Any practical application of such a hack would require the hacker to basically touch the patient. If they are willing to do that, there are far simpler ways to harm the patient. Heck - the Medtronic "Maximo" device they studied was an old device - probably removed from a patient - that didn't even have an "RF" telemetry capability. The paper was sensationalism to the extreme....

Gotta remain a Coward... as I am in the industry...
A. Coward

Re:Ah, the smart-arse non-sequiturs

[JWSmythe]

    Hey, you gave great info. Thanks for posting, even as an AC. :)

    Wouldn't these be susceptible to the same type of attacks as the ones that steal access card data. You know, the proximity cards that you have to swipe within an inch or so of the scanner on a secure room door. Weren't they proven to be readable from 10' or so with the right equipment, which would fit in a person's pocket? They're the same idea. An inductive loop in the card which powers the chip to transmit it's ID, which has to be within range of the scanner to work.

    I use one on a regular basis. It's on my tags lanyard, where I have 5 different cards (each for a special purpose). All I have to do is flip the right card out, and almost touch it to the scanner to make it work. If I leave them all together, they all energize and conflict.

    I'm making a lot of assumptions, but I'm curious. Hopefully I'll never need a pacemaker to have to ask the doc about it. :)

Re:Ah, the smart-arse non-sequiturs

[JWSmythe]

    I was being nice. :)

    I've been in and out of hospitals, never for myself luckily. Since I smoke, they get used to the fact I'll be outside every hour for a smoke break. Sometimes more often if I need to make a phone call.

    Usually they're cautious when I first enter, and then they remember me on subsequent entrances, so I moved around without problems.

    It's easier to tailgate in with a group who looks like they belong there. But if you want to be slick, getting in the door with a reason to walk into any room, a janitor is the way to go. You may know you want to walk out with a device, but do you already know what room it's stored in? It may take a few days of keeping your eyes open to spot the target, even if you already know the department it should be in.

    One particular government run hospital was too easy. I got lost, and as long as I looked like I knew where I was going, no one asked me anything. And oddly enough, that was up to a cardiology ward. I was looking for a person, not a device, but it took 3 different floors, and several wards to find the right place. He was happy we showed up though.

In the not too distant future...

[Number6.2]

...a blue-hair receives a text message from her grandkids...

        H4 H4 H1 GR4NNY W3 H4XX0RS U! W3 RuL3!

(Meanwhile, Granny clutches at her chest as her pace maker pulses out the drum solo from "In A Gadda Da Vida")

Dealing with the threat

[SamP2]

I agree with those that said that in order to "hack" the pacemaker you have to be at a very close range to the victim. At this range, you could just as easily stab or shoot them. As a more general rule, apart from a select few VIP figures, there is nothing we can do to prevent someone from carrying out a murder if they want to, the only thing we can do is punish them after the fact and hope it serves as deterrent for others.

What IS a problem is that unlike other means to kill a person at close range, this method is rather subvert, and unless you are an expert at recognizing behavior and/or expect the victim to be targeted, you will probably not even notice the attack took place. Picture this: a man walks by another man, with a wireless device in his pocket and already pre-configured to carry out the attack. They each go their own ways, and seconds later the other man has a heart attack. The pacemaker is likely not to keep any logs that can reveal the nature of the "hack". So unless you find the equipment used for "hacking" and can tie it to the attacker, you have very little evidence to charge them with.

At this point the technique is so unknown that it is unlikely to be used as an attack option by anyone other than professional assassins. But this can change. If someone writes software that can work on a device like a PDA or cellphone, we may well have "script kiddies" who know nothing about hacking but just download and use the software for any reason they have.

We have a much milder precedent of this kind of abuse - some new traffic lights have wireless detectors to detect a special signal used by emergency vehicles and turn the lights green. Some people abuse this technology to just get a green light whereever they drive. Few get caught, and those who do get really laughable sentences, like a small fine with no jail time, perhaps a license suspension, but that's about it.

So in the long run, yes, I think we should have some kind of encryption or other security on the pacemakers. Of course, this has to be balanced with cost and speed issues for doctors to be able to treat patients.

As for punishment for this kind of offense, a "hacking" charge is just the icing on the cake. Tampering with life support equipment, whether via hacking or not, can result in charges from aggravated assault to attempted murder/manslaughter. I wouldn't envy someone who gets caught doing this, whatever their intentions are, as chances are they'll spend a lot of years behind bars for this.

Re:Dealing with the threat

[Rick+Genter]

I agree with those that said that in order to "hack" the pacemaker you have to be at a very close range to the victim. At this range, you could just as easily stab or shoot them. As a more general rule, apart from a select few VIP figures, there is nothing we can do to prevent someone from carrying out a murder if they want to, the only thing we can do is punish them after the fact and hope it serves as deterrent for others.

What IS a problem is that unlike other means to kill a person at close range, this method is rather subvert, and unless you are an expert at recognizing behavior and/or expect the victim to be targeted, you will probably not even notice the attack took place. Picture this: a man walks by another man, with a wireless device in his pocket and already pre-configured to carry out the attack. They each go their own ways, and seconds later the other man has a heart attack. The pacemaker is likely not to keep any logs that can reveal the nature of the "hack". So unless you find the equipment used for "hacking" and can tie it to the attacker, you have very little evidence to charge them with.

I have a Medtronic pacemaker implanted. A few points:

1) When the doctor wants to communicate with it, he lays the transceiver on my chest, directly over the pacemaker. It works through my shirt, but the total distance is probably no more than 2 to 3 cms. Yes, it may work at a greater distance, but I doubt it's much more than 10 to 15 cms. One of the things about pacemakers is that they run at very low power. So, yes, it would be easier to shoot me than to hack my pacemaker.

2) The pacemaker has decent data storage. Any change to its settings is logged internally. All sorts of other biometrics (highest heart rate detected and when, %age of beats for which pacing was required, etc.) are logged as well and available for download. I'd be surprised if they *couldn't* tell that the pacemaker had been hacked, and when.

Hack? Sure..

[Sloosh13]

But will it play Doom?

I used to work on them too...

The main reason that things like encryption aren't needed is that it's industry standard practice to have pacemakers not respond to communications of any kind unless their communication mode is enabled by placing a big magnet on or near the patient's chest. This is why pacemaker owners are warned against magnets.

Unless you have some means to apply a magnet to the pacemaker, you can't really communicate with it, and if you're in a position to apply a magnet to within a few inches of the pacemaker and you intend the patient harm, why not just use a knife instead of bothering with reprogramming the pacemaker?

Thus, encrypting the communication wouldn't really be very useful except in very obscure scenarios (e.g. a doctor is reprogramming the pacemaker and has placed the magnet, and you send a vastly higher-power signal from a remote location, and somehow manage to avoid the checksumming that occurs, as well as the doctor's equipment re-interrogating the pacemaker to make sure that the program made it down OK.)

magnets

[BenBoy]

You know, they used to require a large-ish magnet to initiate communication with these things; the magnet would flip a little reed switch inside the device, and only then would the device be able to communicate. This has changed (or is in the process of changing) for all of the major mfg's of ICD's (and their little brothers: pacemakers) recently ... BTW, for those who think that these things shouldn't communicate at all: Um, right ... there are hundreds of settable parameters in these things, and in addition, they're built-in holter monitors (iegm recorders) from which the dr can d/l important diagnostic info. Tweaking settings based on this info can make HUGE quality-of-life differences for the patients involved (see "t-wave oversensing" ... yike!) Disclaimer: I work for a place that makes PM's and ICD's.

Re:Bionic eye Talk about a bloodless coup

[davidsyes]

and hacking someone to death without spilling a drop of blood (assuming the pacemaker is not set to over-pressurise and inflate the target...).

Hmmm, that gives rise to "talk about being "pounded" to death"....

Can beat (ring) tones be generated so as to deliver a message to the soon-to-be-deceased?

(hehehe: captcha: salvager)

Insulin pumps too!

[wizman]

My girlfriend is a type 1 diabetic. Instead of regular injections, she uses an insulin pump. This pump is an external device, about the size of a pager, that feeds insulin into her body via a short tube.

Several months ago she upgraded to a new pump. This new model (a Medtronic MiniMed) wirelessly communicates with a number of devices. It receives blood glucose data from a continuous glucose monitor. It also receives her regular readings from her standard "prick your finger" blood sugar tests via her test kit. And, it has a wireless key fob that allows her to adjust the pumps settings without having to dig through pockets and clothes to get at the unit.

My first comment to her was "With all of this wireless control, how easy is it for someone to use this wireless interface to put you into a diabetic coma, or worse, kill you?" She thinks it's a fairly ridiculous concept, citing encryption, receiver range, and "Why would anyone want to kill me?", among other reasons.

Well, I say that anything that has any type of wireless interface is hackable. There are, of course, no published documents that I can find detailing what steps have been taken to secure these devices. I'm seriously concerned as to whether or not the companies that make insulin pumps, pace makers, implants, etc, may not be taking these concerns seriously.

Imagine...

[flyingfsck]

Imagine a cylon network of those...

what about the dangers of...

[n0rton]

drive-by MRI's?

New meaning to old classic...

[FriendOfPi]

Ping of death anyone?

Hotrodding?

[afabbro]

I read this subject in the original sense of hacking - like someone would get in under the covers and hot-rod it to increase his aerobic performance.

is the work really worth it?

[dingleberrie]

If you stole the programming equipment from Medronic, then no, you wouldn't need 30K of gear.

Part of the cost would be attributable to the fact that these items operate in the MICS band (402-405 MHz), which is a specific band isolated for medical implantable use. To generate and listen to signals at this frequency, you would typically need some type of engineering test equipment or a custom built circuit. This is regardless of any encryption or whatnot. It's more of a security through obscurity model.

Secondly, assuming you had access to the protocol details and a familiarity with wireless set-ups, you need to really want to hurt someone. Most engineers working for medical device companies don't seek that kind of thrill. For those that do, there are plenty of other ways to cause damage that is so much easier.

Re:So they can crack RSA and then get the pacemake

[dbIII]

Now that is a little bit of a worry in 2008 - don't tell me Diebold make these things :)

On the other hand I know of a few that do - bizzarely the old Z80 chip still lives on in these things and does have the grunt for RSA encyrption within workable time frames.