Slashdot Mirror


Hacking a Pacemaker

jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."

6 of 228 comments

  1. Don't fear.... much by NIckGorton · · Score: 4, Insightful
    From TFA:

    a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal

    hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts -- they include Vice President Dick Cheney -- have no need yet to fear hackers

    No need to fear they tell us because:
    One:

    The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals.

    And two:

    "To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,"

    Um, that was until a NYTimes article described that it could be done and (more importantly) a /. article linked to that NYTimes article so tons of geeks worldwide see the information. While security through obscurity doesn't really work, there is something to be said for people just not noticing that a thing is hackable.

    Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

    If I had an AICD, I sure as hell wouldn't want to be around Cheney, lest the signal from mine be confused with his. Of course maybe that is why he has a man-sized safe in his office: it is a Faraday cage.

  2. Re:Bionic eye by Ihlosi · · Score: 5, Insightful
    Once they've sewn one into my chest (thank God heart disease doesn't run in my family) I wouldn't want it to be programmable!

    Um, yes you do. Do you want them to have to cut you open because you don't like the maximum pacing rate and want to have it reduced by 5 bpm?

  3. Re:remote kill? by Oktober+Sunset · · Score: 4, Insightful

    Killing people remotely is not hard. Doing it without anyone knowing it was you, without any indication at the time that it was anything other than natural causes, requiring no opportunity other than being within wireless range and leaving no evidence behind whatsoever, that's the novel part.

  4. Re:That kind of attitude is the problem by Ihlosi · · Score: 4, Insightful
    Why _does_ a pacemaker need a WiFi interface anyway?

    Because sticking a JTAG connector through someone's chest is fairly painful. You're welcome to experiment on yourself to confirm this.

    Also, it's not a WiFi interface. It's a short-range (it goes through your chest, and water absorbs radio waves like crazy), custom, wireless interface.

    You have no freaking need for those to be networked, in any form or shape.

    And you're, what? An M.D.? A biomedical engineer?

    Tell you what: Have fun with your dumb fixed-rate 75 bpm pacemaker, but don't expect to be running up any stairs anytime soon.

    Any interface to it or from it can be contact-based just as well.

    It basically is, genius. Or do you want it so contact-based that they have to shoot a couple of amps through your chest in order to make the pacemaker respond? Hint: Think of a vital organ that's very, very close to the pacemaker and reacts very badly to having current shot through it.

    More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it.

    They're also conveniently located outside the human body, so plugging a special connector into them doesn't involve going through someone's tissue first.

  5. Re:Bionic eye by nahdude812 · · Score: 3, Insightful

    And once the private key is cracked or exposed, do you operate on everyone with that model pacemaker?

    The thing is that this private key needs to be sent to every hospital and doctor's office which wants to make adjustments to the pacemaker. They'll have it, whether it's embedded in a chip or written in a config file. You have to make this information public in some sense; the very best you could hope to do is use some kind of DRM to protect the key from exposure, but as we all know, such exercises are fated to failure.

    And what happens when a pacemaker manufacturer discontinues a line and stops manufacturing the equipment to tune certain kinds of pacemakers (such as would be expected to happen should a key be discovered), do these patients just have to hope that the equipment used for tuning their pacemaker outlives them?

    Also, will doctors and hospitals have to buy dozens of different pacemaker adjustment machines, one of every type, even those they don't install themselves so that they can treat patients who move into the area? What happens when the patient needs emergency adjustment of his pacemaker but doesn't remember the model he has (or isn't conscious)?

    Finally, these devices don't exactly have little general purpose CPUs in them. One of their biggest concerns is decent battery life. If we put something in there as computationally intensive as strong private/public key cryptography, you're going to significantly hurt the battery life of these devices.

    This problem is not as simple as it seems on the surface. It turns out that human life is fragile, and there are many ways in which you can kill someone, some of them even require little effort to kill many people. Hacking this device in a way that endangers other humans would not even need new laws to be punishable since we fortunately already have laws which surround murder, reckless endangerment, and other such things which actually or reasonably could result in the death or injury of other humans.

  6. Re:Bionic eye by darkfire5252 · · Score: 3, Insightful

    Look up public private key cryptography and get back to me. Asymmetric cryptography does not require revealing the private key to hospitals....