Hacking a Pacemaker
jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."
I'm sure glad the device in my eye (see my sig for details) is focused by the eye's muscles rather than electronics/motors. Some things shouldn't be networkable.
Oh yeah, the oblig: We are cyborg. You will be assimilated. Resistance is not only futile but you won't resist, you'll beg to join us.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Hacking a pacemaker? What could possibly go wr... *thud*
This guy's the limit!
One: The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals. And two: "To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide," Um, that was until a NYTimes article described that it could be done and (more importantly) a
Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.
If I had an AICD, I sure as hell wouldn't want to be around Cheney, lest the signal from mine be confused with his. Of course maybe that is why he has a man sized safe in his office is a Faraday cage.
Even if you could hack it wirelessly, the only benefits I see are bragging rights; cool as they may be, it just doesn't seem worth the time and effort.
Yes, but the purpose of this device is unclear. What exactly is it pacing?
Most pacemakers and defibrillators can be turned off with just a magnet. This is designed to allow medical staff to stop a defective device. Yep I have done it myself and seen it done many times for diagnostic reasons in the hospital. M
"It wasn't me grabbing her ass your honor, someone hacked my arm!"
A-Bomb
RSA encryption is used in these devices. There certainly is a lot of technofear journalism about lately.
The technology for that already exists; it's called a "gun". It replaced an older technology called an "arrow", which in turn was the replacement for an even older technology called the "javelin". There was also an older technology called a "sling" which was a peripheral device designed to increase the effectiveness of the original technology called the "rock".
People have been remotely killing other people for millions of years.
The article details how the researchers had to be within 2 inches of the pacemaker, and several thousands of dollars worth of equipment. I suspect there is an easier way to deactivate a pacemaker: find out what frequency they operate at. I've got an FM radio blocker that is basically just a 100 MHz oscillator, a potentiometer, and a battery. It works by canceling out a given frequency, thus letting me silence my neighbor's stereo from 50 ft away. I know the technique works for the 2.4 GHz band, for blocking out wireless phone signals and whatnot. I suppose finding an oscillator in the high GHz range would suffice for 'killing' a pacemaker.
- Aetheral Research -
I heard Uncle Joe is about to write me out of his will. He has a pacemaker. He's old, there won't be an autopsy. Hmmm......
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
(Posting this as AC since I don't want to get in trouble).
I think the summary is more alarming than the actual article. The researchers had to be at two inches from the device in order to tamper with it.
It's probably not such a big deal now, but some more thought should definitely go into future products. $30,000 sounds like much, but it certainly sounds like a bargain if you can kill the Vice President of the USA without even touching him.
I mean, imagine the following scenario:
1. Bad guys want to kill Cheney. That seems quite plausible.
2. They find out the exact model of his pacemaker. That sounds feasible with some knowledge of the field, money, time and determination.
3. They buy one and hire some researchers to crack it and to create an automated system which is portable and works reliably. Say, a laptop with some transmitter attached or something similar. This is quite hard, but should be feasible as well with enough money and time.
4. The researchers manage to increase the range from 2 inches to 20 inches. This is probably the hardest part.
5. The bad guys put the laptop in a briefcase, wires running up the sleeve and the transmitter in the other sleeve (close to the hand). This is easy.
6. Now they just have to get close enough to Cheney. I have no idea about how hard this is.
7. He has a "heart attack". Bodyguards/security come running and push all the people away. People go away because they don't want trouble, including the guy with the briefcase. I think this is quite realistic.
8. Cheney dies. Maybe they find out that the pacemaker was tampered with, maybe not. If not, the plan worked out perfectly. If yes, they will have some video on a security camera showing the bad guy, who is in another country by now. Maybe they catch him, maybe not.
This sounds pretty far-fetched (and it is), but it could be possible with some minor advances. So some more thought should go into these devices.
Pacemakers have batteries which have enough power to supply some encryption hardware. What should be done to prevent this scenario is something like this:
1. Create a key pair for every pacemaker. The public key is on the pacemaker, the private key gets printed on a 2D barcode on a piece of plastic. The patient gets the barcode which he carries in his wallet. The patient's doctor/hospital also gets a barcode.
2. The devices used to communicate with the pacemaker have a slot for the barcode.
3. The pacemaker ignores any request not signed with the private key. Problem solved!
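The scheme proposed in the comment above (public key on the device, requests accepted only when signed with the private key), as an added Go sketch that is not from the thread or from any vendor's firmware. It goes one step beyond the comment by having the device issue a single-use random challenge that is signed together with the command, so a recorded signed request cannot be replayed; `Device`, `NewPair`, `SignCommand` and the `SET_RATE 60` command are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device models the implant: it stores only the public key.
type Device struct {
	pub       ed25519.PublicKey
	challenge []byte // nil when no request is outstanding
}

// NewPair generates the key pair; the private key is what the card would carry.
func NewPair() (*Device, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{pub: pub}, priv, err
}

// NewChallenge issues a fresh random nonce (an assumption added to the scheme).
func (d *Device) NewChallenge() ([]byte, error) {
	d.challenge = make([]byte, 16)
	_, err := rand.Read(d.challenge)
	return append([]byte(nil), d.challenge...), err
}

// Accept verifies sig over challenge||cmd; the challenge is consumed either way.
func (d *Device) Accept(cmd, sig []byte) error {
	c := d.challenge
	d.challenge = nil
	if c == nil || !ed25519.Verify(d.pub, append(append([]byte(nil), c...), cmd...), sig) {
		return fmt.Errorf("request rejected: missing challenge or bad signature")
	}
	return nil
}

// SignCommand is the programmer side, which holds the private key.
func SignCommand(priv ed25519.PrivateKey, challenge, cmd []byte) []byte {
	return ed25519.Sign(priv, append(append([]byte(nil), challenge...), cmd...))
}

func main() {
	dev, priv, _ := NewPair()
	cmd := []byte("SET_RATE 60") // constructed sample command
	ch, _ := dev.NewChallenge()
	sig := SignCommand(priv, ch, cmd)
	fmt.Println("signed command:", dev.Accept(cmd, sig))
	fmt.Println("replayed copy: ", dev.Accept(cmd, sig))
}
```

The first call is accepted and the identical replay is refused because the challenge it was signed over has already been consumed.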
Would I need a "team of experts" and $30K of gear if I had worked as an engineer for Medtronic?
Well, sad to say and please don't take it as an offense, it's that kind of attitude that's the cause of half the problems today. Products are made by engineers who couldn't care less about security, with their budget dictated by a boss who couldn't care less about security, and end up configured by users who couldn't care less about security. Because they all operate under that assumption that if it's even remotely related to computers or electronics, it can be hacked anyway, so why bother?
Well, no, there are ways to prevent that.
Let's start with the simplest: you can't remote-hack a computer which isn't connected to the net. Pull your network cable out of the computer and that's it, you can't be hacked by some guy in China any more.
Of course, you don't want to do that to your home computer, but we're talking pacemakers and the like. Why _does_ a pacemaker need a WiFi interface anyway? No, seriously. It's not like you want the users to surf for porn and post to Slashdot on their pacemakers. It's not even an appliance, as far as the user is concerned, it's a standalone device like their computer chair or the windshield wipers on their car. You have no freaking need for those to be networked, in any form or shape.
And here's an even more sobering thought: even if you wanted some control from outside, you're near your pacemaker the whole time. In fact, it's inside you. There's no time when you're on the other side of town from your pacemaker. So even if you're one of the die-hards that can argue with a straight face why you might need to log in to your fridge from work, the same doesn't apply to pacemakers. You're near it all the time. Any interface to it or from it can be contact-based just as well.
Second, even if you do want it networked, there _are_ ways to minimize bugs drastically. Code _can_ be proven correct, test cases can cover the code to ridiculous extents, and the thing can be riddled with pre- and post-condition checks right in the code and be able to fail safely to its normal offline mode. Yes, it's damn expensive to do that to something the size of Vista. But we're talking a pacemaker. It's just not the same number of lines of code. (Or if it does have millions of lines of code, maybe you just need to fire the guy who programmed it;)
More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it. You don't want a car's brakes to be hijacked by wireless by the guy in the next car, so you just don't give them a wireless connection. Do you see any reason why we wouldn't apply the same thinking to a pacemaker? It's even more likely to kill than hijacking someone's brakes. There is no airbag to save you when your pacemaker fails.
So what I'm saying is: let's all stop and think twice before shrugging and dismissing security as impossible anyway. Sometimes it's very feasible to make it bulletproof, and, really, it has no excuse to not be so.
A polar bear is a cartesian bear after a coordinate transform.
I'm gonna overclock this sucker!
Better than a triple espresso!
----------------------------------- My Other Sig Is Hilarious -----------------------------------
Killing people remotely is not hard, doing it without anyone knowing it was you, without any indication at the time that it was anything other than natural causes, requiring no opportunity other than being within wireless range and leaving no evidence behind whatsoever. That's the novel part.
What if Tetris was invented by Nazis?
I find this joke to be old and rather insulting, really. Of course Dick Cheney has a heart.
However, the notion that the heart is somehow related to empathy and love is also false. Instead, he had that section of his brain surgically removed. It helps him collect himself faster after his 3pm puppy kicking and orphanage closing.
Working on the communications software for one of these devices, I can say for sure there is no encryption on at least one of them. A decision was made by the company to not worry about this issue at the moment.
Some health care insurance / hospitals may want to cut you off if you can't pay, or if they found out that you had a pre-existing condition; they make you pay up and say "pay or we cut you off".
Some of them have said that a kidney transplant is too experimental, and they let someone die just to get out of paying for it.
Every six months my pacemaker is checked. Part of the test is to speed and slow down the pacemaker and my heart for a short time.
It is a truly heartfelt experience.
Bookwormhole.net -- a site for book lovers.
Yes, that's a very real concern that the secret service has been terrified of for years. Most people know that Cheney has a pacemaker, but the real secret is that they forgot to turn off SSID broadcast and its password is "Linksys".
Sorry friend, that niche is already filled: http://www.lessemf.com/personal.html
Yup, he has the heart of a 20 year old.
It's in a jar on his desk.
Understanding the scope of the problem is the first step on the path to true panic.
I appreciate your enthusiasm, but thank god you aren't designing these devices. I work for one of the competitors to Medtronic (the company whose devices were studied). We have encryption in our RF communication. We DO take security into consideration, but there are trade-offs that have to be considered. Battery life is generally the most important consideration. Every time surgery needs to be performed to physically access the device (usually because of a depleted battery) there is a risk of complications. These aren't insignificant risks either. Keep in mind the people getting these devices have health problems of some sort or they wouldn't be getting them. With that in mind, security solutions in this domain have to be very well thought out so as to avoid draining the battery significantly. So please, don't for a second presume that we are a bunch of monkeys sitting around on our asses ignoring real concerns. The real issue is that there are far more concerns than you are aware of. We do evaluate these concerns and try to build the best devices possible with the fewest compromises.
My girlfriend is a type 1 diabetic. Instead of regular injections, she uses an insulin pump. This pump is an external device, about the size of a pager, that feeds insulin into her body via a short tube.
Several months ago she upgraded to a new pump. This new model (a Medtronic MiniMed) wirelessly communicates with a number of devices. It receives blood glucose data from a continuous glucose monitor. It also receives her regular readings from her standard "prick your finger" blood sugar tests via her test kit. And, it has a wireless key fob that allows her to adjust the pump's settings without having to dig through pockets and clothes to get at the unit.
My first comment to her was "With all of this wireless control, how easy is it for someone to use this wireless interface to put you into a diabetic coma, or worse, kill you?" She thinks it's a fairly ridiculous concept, citing encryption, receiver range, and "Why would anyone want to kill me?", among other reasons.
Well, I say that anything that has any type of wireless interface is hackable. There are, of course, no published documents that I can find detailing what steps have been taken to secure these devices. I'm seriously concerned as to whether or not the companies that make insulin pumps, pacemakers, implants, etc., may not be taking these concerns seriously.
I have a Medtronic pacemaker implanted. A few points:
1) When the doctor wants to communicate with it, he lays the transceiver on my chest, directly over the pacemaker. It works through my shirt, but the total distance is probably no more than 2 to 3 cm. Yes, it may work at a greater distance, but I doubt it's much more than 10 to 15 cm. One of the things about pacemakers is that they run at very low power. So, yes, it would be easier to shoot me than to hack my pacemaker.
2) The pacemaker has decent data storage. Any change to its settings is logged internally. All sorts of other biometrics (highest heart rate detected and when, percentage of beats for which pacing was required, etc.) are logged as well and available for download. I'd be surprised if they *couldn't* tell that the pacemaker had been hacked, and when.
Don't underestimate the power of The Source
I can't speak to how Medtronic implements their RF communication, but as I said ours is encrypted and boosting the signal to "hack" someone does not get around the encryption.
With the encryption that you say your company uses, wouldn't it simply be a matter of acquiring a single sending device, and reverse engineering it?
No. The individual communication session is protected by a unique key. Still, if you physically had a programmer (the sending device you mentioned), you could use it without any hacks to change a patient's settings just as a doctor could, but it would require physical proximity on the order of a few cm. This sort of communication does not occur using RF. You can't spoof this with a high gain antenna or any such thing because the communication isn't occurring using radio frequencies at all. And as you said, at this range you could kill a person any number of other ways.