Slashdot Mirror


Hacking a Pacemaker

jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."

8 of 228 comments

  1. Bionic eye by sm62704 · · Score: 5, Interesting

    I'm sure glad the device in my eye (see my sig for details) is focused by the eye's muscles rather than electronics/motors. Some things shouldn't be networkable.

    Oh yeah, the oblig: We are cyborg. You will be assimilated. Resistance is not only futile but you won't resist, you'll beg to join us.

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    1. Re:Bionic eye by Misagon · · Score: 3, Interesting

      "Some things shouldn't be networkable."
      Not networkable. A pacemaker communicates only with the diagnostic equipment.
      Pacemakers are [i]implanted[/i] under the skin. The only way to interface with them is through induction or radio signals. The signals have ranges measured in centimeters.
      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    2. Re:Bionic eye by darkfire5252 · · Score: 3, Interesting

      Yes, I want it to be programmable. But I want the designer to keep in mind that it's my life at stake. We know how to do these things securely.

      Public-Private Key cryptography. The manufacturer has a public key, and it's embedded into the device. The manufacturer's private key is kept secret in the same way as the PKI people do it; there are multiple parties required to do anything to the key, there is armed security 24/7, and the key is treated as if people's lives depend on it because that's the situation. There's a process to go through for a hospital to get certified to update the device. When the hospital certifies a doctor to update the device, the doctor's public key is signed by the manufacturer's private key. The doctor keeps his private key on a smart card that requires a PIN with the full knowledge that people could die if he loses it. Preferably the smart cards are kept under lock and key at the hospital next to the lethal drugs and the morphine. When an update command is done, a specially formatted message is signed by the doctor's private key, and the message is sent along with the doctor's certificate (the doctor's public key signed by the manufacturer's private key). If there's no valid certificate or the message format is not correct, no command interpretation takes place. If everything checks out, the command is logged in onboard flash memory and the device updates. If someone's pacemaker is updated in a manner that kills them, there is an audit trail pointing to exactly who's at fault. I don't care how much more expensive it is, particularly when the answer is 'not very.'

      People's lives are at stake here, the manufacturers should be held liable and negligible if they aren't using already existing methods that essentially guarantee security.
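
The device-side check described in the comment above, as an added example that is not part of the original post or any manufacturer's code. Ed25519 stands in for the unspecified signature algorithm, and the `Cert`, `Device`, `IssueCert` and `Apply` names, the `dr-example` ID and the `SET_RATE <bpm>` message format are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert: the doctor's public key signed by the manufacturer (constructed layout).
type Cert struct {
	DoctorID string
	Pub      ed25519.PublicKey
	Sig      []byte // manufacturer's signature over certBody
}
// Device carries the embedded manufacturer public key and the onboard audit log.
type Device struct {
	Root  ed25519.PublicKey
	Audit []string
}

func certBody(id string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert|"+id+"|"), pub...)
}
// IssueCert is the manufacturer-side step: certify a doctor's public key.
func IssueCert(root ed25519.PrivateKey, id string, pub ed25519.PublicKey) Cert {
	return Cert{id, pub, ed25519.Sign(root, certBody(id, pub))}
}

// Apply checks certificate, signature and format before interpreting anything.
func (d *Device) Apply(c Cert, cmd string, sig []byte) error {
	if len(c.Pub) != ed25519.PublicKeySize || !ed25519.Verify(d.Root, certBody(c.DoctorID, c.Pub), c.Sig) {
		return fmt.Errorf("certificate not signed by manufacturer")
	}
	if !ed25519.Verify(c.Pub, []byte(cmd), sig) {
		return fmt.Errorf("command not signed by certified key")
	}
	var bpm int // constructed message format: "SET_RATE <bpm>", canonical form only
	if _, err := fmt.Sscanf(cmd, "SET_RATE %d", &bpm); err != nil || fmt.Sprintf("SET_RATE %d", bpm) != cmd {
		return fmt.Errorf("bad message format")
	}
	d.Audit = append(d.Audit, c.DoctorID+": "+cmd) // audit trail entry, then update
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // manufacturer key pair
	docPub, docPriv, _ := ed25519.GenerateKey(nil)   // doctor's smart-card key pair
	dev, cmd := &Device{Root: rootPub}, "SET_RATE 70"
	err := dev.Apply(IssueCert(rootPriv, "dr-example", docPub), cmd, ed25519.Sign(docPriv, []byte(cmd)))
	fmt.Println(err, dev.Audit)
}
```

As written, nothing ties a signed command to one device or one moment; a deployed format would also sign a device identifier and a counter so that a captured command cannot be replayed.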

    3. Re:Bionic eye by bay43270 · · Score: 3, Interesting

      Also, your pacing needs change as you grow and as your heart develops. Not all pacemakers go into 70-year-olds.

  2. Re:remote kill? by Snowgen · · Score: 4, Interesting

    does this mean that someone can eventually kill people remotely?

    The technology for that already exists; it's called a "gun". It replaced an older technology called an "arrow", which in turn was the replacement for an even older technology called the "javelin". There was also an older technology called a "sling" which was a peripheral device designed to increase the effectiveness of the original technology called the "rock".

    People have been remotely killing other people for millions of years.

  3. A better method by yamamushi · · Score: 5, Interesting

    The article details how the researchers had to be within 2 inches of the pacemaker, and several thousands of dollars worth of equipment. I suspect there is an easier way to deactivate a pacemaker, find out what frequency they operate at. I've got an FM radio blocker, that is basically just a 100MHz oscillator, a potentiometer, and a battery. It works by canceling out a given frequency, thus letting me silence my neighbor's stereo from 50ft away. I know the technique works for the 2.4GHz band, for blocking out wireless phone signals and whatnot. I suppose finding an oscillator in the high GHz range would suffice for 'killing' a pacemaker.

    --
    - Aetheral Research -
  4. Re:So they can crack RSA and then get the pacemake by frog_strat · · Score: 5, Interesting

    Working on the communications software for one of these devices, I can say for sure there is no encryption on at least one of them. A decision was made by the company to not worry about this issue at the moment.

  5. When my pacemaker is tested by InterGuru · · Score: 3, Interesting

    Every six months my pacemaker is checked. Part of the test is to speed and slow down the pacemaker and my heart for a short time.

    It is a truly heartfelt experience.

    Bookwormhole.net -- a site for book lovers.