Hacking a Pacemaker

jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."

Bionic eye

[sm62704]

I'm sure glad the device in my eye (see my sig for details) is focused by the eye's muscles rather than electronics/motors. Some things shouldn't be networkable.

Oh yeah, the oblig: We are cyborg. You will be assimilated. resistance is not only futile but you won't resist, you'll beg to join us..

Re:Bionic eye

[sm62704]

I would think the safest thing would be to have to physically interface with it to program any electronics in it. Once they've sewn one into my chest (thank God heart disease doesn't run in my family) I wouldn't want it to be programmable!

Re:Bionic eye

[Misagon]

Some things shouldn't be networkable. Not networkable. A pacemaker communicates only with the diagnostic equipment.
Pacemakers are [i]implanted[/i] under the skin. The only way to interface with them is through induction or radio signals. The signals have ranges measured in centimeters.

Re:Bionic eye

[Ihlosi]

I want them to get the pacing rate right BEFORE they sew it in.

Finding out which settings you like or don't like unfortunately involves putting a pacemaker into you first. Of course, you could go with a completely dumb device, but your heart would be paced too fast when you're asleep and too slow when you're physically active.

Re:Bionic eye

[darkfire5252]

Yes, I want it to be programmable. But I want the designer to keep in mind that it's my life at stake. We know how to do these things securely.

Public-Private Key cryptography. The manufacturer has a public key, and it's embedded into the device. The manufacturer's private key is kept secret in the same way as the PKI people do it; there are multiple parties required to do anything to the key, there is armed security 24/7, and the key is treated as if people's lives depend on it because that's the situation. There's a process to go through for a hospital to get certified to update the device. When the hospital certifies a doctor to update the device, the doctor's public key is signed by the manufacturer's private key. The doctor keeps his private key on a smart card that requires a PIN with the full knowledge that people could die if he loses it. Preferably the smart cards are kept under lock and key at the hospital next to the lethal drugs and the morphine. When an update command is done, a specially formatted message is signed by the doctor's private key, and the message is send along with the doctor's certificate (the doctor's public key signed by the manufacturer's private key). If there's no valid certificate or the message format is not correct, no command interpretation takes place. If everything checks out, the command is logged in onboard flash memory and the device updates. If someone's pacemaker is updated in a manner that kills them, there is an audit trail pointing to exactly who's at fault. I don't care how much more expensive it is, particularly when the answer is 'not very.'

People's lives are at stake here, the manufacturers should be held liable and negligible if they aren't using already existing methods that essentially guarantee security.

Re:Bionic eye

[bay43270]

Also, your pacing needs change as you grow and as your heart develops. Not all pacemakers go into 70-year-olds.

So they can crack RSA and then get the pacemaker?

[dbIII]

RSA encryption is used in these devices. There certainly is a lot of techofear journalism about lately.

Re:remote kill?

[Snowgen]

does this mean that someone can eventually kill people remotely?

The technology for that already exists; it's called a "gun". It replaced an older technology called an "arrow", which in turn was the replacement for an even older technology called the "javelin". There was also an older technology called a "sling" which was a peripheral device designed to increase the effectiveness of the original technology call the "rock".

People have been remotely killing other people for millions of years.

A better method

[yamamushi]

The article details how the researchers had to be within 2 inches of the pacemaker, and several thousands of dollars worth of equipment. I suspect there is an easier way to deactivate a pacemaker, find out what frequency they operate at. I've got an FM radio blocker, that is basically just a 100mhz oscillator, a potentiometer, and a battery. It works by canceling out a given frequency, thus letting me silence my neighbors stereo from 50ft away. I know the technique works for the 2.4ghz band, for blocking out wireless phone signals and whatnot. I suppose finding an oscillator in the high ghz range would suffice for 'killing' a pacemaker.

It's not that bad

(Posting this as AC since I don't want to get in trouble).

I think the summary is more alarming than the actual article. The researchers had to be at two inches from the device in order to tamper with it.

It's probably not such a big deal now, but some more thought should definitely go into future products. 30000$ sound like much, but it certainly sounds like a bargain if you can kill the Vice President of the USA without even touching him.

I mean, imagine the following scenario:

1. Bad guys want to kill Cheney. That seems quite plausible.

2. They find out the exact model of his pacemaker. That sounds feasible with some knowledge of the field, money, time and determination.

3. They buy one and hire some researchers to crack it and to create an automated system which is portable and works reliably. Say, a laptop with some transmitter attached or something similar. This is quite hard, but should be feasible as well with enough money and time.

4. The researchers manage to increase the range from 2 inches to 20 inches. This is probably the hardest part.

5. The bad guys put the laptop in a briefcase, wires running up the sleeve and the transmitter in the other sleeve (close to the hand). This is easy.

6. Now they just have to get close enough to Cheney. I have no idea about how hard this is.

7. He has a "heart attack". Bodyguards/security come running and push all the people away. People go away because they don't want trouble, including the guy with the briefcase. I think this is quite realistic.

8. Cheney dies. Maybe they find out that the pacemaker was tampered with, maybe not. If not, the plan worked out perfectly. If yes, they will have some video on a security camera showing the bad guy, who is in another country by now. Maybe they catch him, maybe not.

This sounds pretty far fetched (and it is), but it could be possible with some minor advances. So some more thought should go into these devices.

Pacemakers have batteries which have enough power to supply some encryption hardware. What should be done to prevent this scenario is something like this:

1. Create a key pair for every pacemaker. The public key is on the pacemaker, the private key gets printed on a 2d barcode on a piece of plastic. The patient gets the barcode which he carries in his wallet. The patient's doctor/hospital also gets a barcode.

2. The devices used to communicate with the pacemaker have a slot for the barcode.

3. The pacemaker ignores any request not signed with the private key. Problem solved!

Re:Don't fear.... much

[TheRealMindChild]

Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

Not only that, but let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead.

Re:So they can crack RSA and then get the pacemake

[frog_strat]

Working on the communications software for one of these devices, I can say for sure there is no encryption on at least one of them. A decision was made by the company to not worry about this issue at the moment.

Re:Don't fear.... much

[MMC+Monster]

Recent models of pacemakers and defibrillators from the major companies (Guidant, Medtronic, etc.) allow remote telemetry from home: You have a device sitting on a table next to the patient's bed which will check the device every night (or one night a week, etc.) and report back to the physician any abnormalities. Some also allow wireless programability, but not from home: The nurse waves the wand over the device, then the patient goes in another room and gets seen by the physician while the settings on the device are changed. The range is less than 50 feet, based on personal experience. Now, this can theoretically be done from home (if someone has the right device), and you can make changes without any passwords.

Before you ask, you should *not* start passwords-protecting these devices, as you may have a patient traveling and rendered unconscious and need to make setting changes and not have time (or ability) to call the manufacturer.

When my pacemaker is tested

[InterGuru]

Every six months my pacemaker is checked. Part of the test is to speed and slow down the pacemaker and my heart for a short time.

It is a truly heartfelt experience.

Bookwormhole.net -- a site for book lovers.