Keeping Pacemakers Safe From Hackers

An anonymous reader writes "Researchers from the Swiss Federal Institute of Technology in Zurich and the French National Institute for Research in Computer Science and Control have now developed a scheme for protecting implantable medical devices against wireless attacks. The approach relies on using ultrasound waves to determine the exact distance between a medical device and the wireless reader attempting to communicate with it." I had no idea that things have gotten so bad that hearts are being hacked.

Hacking hearts

[devnullkac]

If I could hack her heart, she'd really love me...

Re:Hacking hearts

[nametaken]

That's not love, it's angina.

Re:Hacking hearts

[The+Ultimate+Fartkno]

You keep your filthy talk to yourself, mister!

Re:Hacking hearts

[Narpak]

You'd be pretty heartless to hack a peacemaker.

Re:Hacking hearts

[spun]

You keep your filthy talk to yourself, mister!

Hey, now, that's unfair. I know Angina, she's a talented thespian with a very fine epidermis.

Re:Hacking hearts

[MrSenile]

If you attacked a pacemaker, they'd wind up pretty heartless as well.

Re:Hacking hearts

[jayme0227]

Hey, now, that's unfair. I know Angina, she's a talented thespian with a very fine epidermis.

What does her sexual orientation have to do with anything? You homophobic or something?

Re:Hacking hearts

[StikyPad]

I think I've seen her.. there's a vas deferens between her left and right legs, right?

Re:Hacking hearts

[spun]

Can we mention cunning linguist in there somewhere?

I don't need to stoop that low, as I am a master debater.

No Locked Hardware!

[gedrin]

Think anyone will complain that they won't be able to have full access to the hardware they purchased?

Re:No Locked Hardware!

[iamacat]

If your life, health and well being depends on being able to tune the device, having DRMed firmware would suck pretty badly. If some doctor tunes the pacemaker to enable short burst higher rates so that, for example, I can climb a flight of stairs comfortably, I should have a right to install the update.

Re:No Locked Hardware!

[jpmorgan]

These are implantable medical devices we're talking about. Forget DRM, to achieve the kind of world you're dreaming of would require a massive overhaul of the medical regulatory system. Personally, I question the wisdom of a world where patients can replace firmware on their medical devices with stuff they find on the internet. The medical profession frowns upon self medication for a reason.

Re:No Locked Hardware!

[iamacat]

Well, it's my life to risk and my informed decision to make. What if the bug which is killing me is in the original firmware?

Re:No Locked Hardware!

[Mitchell314]

Idiots, the lot of them. Duct tape is much better than staples for sealing wounds. Much less painful too.

Re:No Locked Hardware!

[DrugCheese]

The medical profession frowns upon self medication for a reason.

Yeah, because they're missing out on the MONEY.

Hearts Being Hacked

[BJ_Covert_Action]

I had no idea that things have gotten so bad that hearts are being hacked.

Well the article talks about how the threats have been demonstrated in the lab by a fella named Kevin Fu, but it doesn't mention it being a major problem right now:

The potential risks of enabling radio communication in implantable medical devices were first highlighted by Kevin Fu, an assistant professor of computer science at the University of Massachusetts, Amherst, and Tadayoshi Kohno, an assistant professor of computer science at the University of Washington. They showed how to glean personal information from such a device, how to drain its batteries remotely, and how to make it malfunction in dangerous ways. The two researchers stress that the threat is minimal now, but argue that it is vital to find ways to protect wireless medical devices before malicious users discover and exploit vulnerabilities.

So this defense seems primarily like foresight rather than a hindsight, "Shit fixitfixitfixtfixit!" moment...So in response to your pondering, I don't think too many hearts are being hacked right now, nor that things have gotten that bad. Rather, it just seems like two security researchers are doing their job to keep the defensive actions one step ahead of offensive actions...

Re:Hearts Being Hacked

[skgrey]

Spinal implants and other non-heart related implants do allow wireless communications. That's how I turn on and off my spinal implant. Granted it only seems to support a distance of within a foot of the implanted battery pack to the controller, but still. I honestly don't know if it's the controller or the receiver that requires that distance though.

Guess which website I'll be visiting tonight?

Re:Hearts Being Hacked

[Ungrounded+Lightning]

To take control and use that for various purposes, like money making or DoS? Not really meaningful.

You're still thinking in a "people playing with computer networks" category.

Criminals could use it for extortion.

Criminal gangs and governments could use it for murder / assassination of high-value targets.

Terrorists ditto and they could also use killing or disrupting the health of random people or groups of them as a terror tactic.

Remember the gadget that sent out the infrared "turn off" code for a bunch of different makes of TVs and monitors? And how much fun some people had wandering around trade shows with it? Now imagine a radio key-fob that sends "cause fibrillation" to pacemakers, in the pocket of your friendly neighborhood terrorist as he walks or drives around the city (or just sends the signal occasionally via a BIG transmitter.)

Re:Hearts Being Hacked

[Hatta]

the threats have been demonstrated in the lab by a fella named Kevin Fu

FFFFFFFFFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUU...........

Re:Hearts Being Hacked

[maxwell+demon]

It's not very often that hackers (by definition, intelligent people) do something purely and solely for the reason of being an asshole.

I guess the fear is not about hackers trying to be assholes, but actually planned murder using the pacemaker as "weapon". Indeed, if the attacker can change the pacemaker to operate normally again afterwards, it might actually be the perfect murder.

Heard a 'calibration' process

[mjensen]

Coworker had a pacemaker put in. Said she held on to two connectors and they could change the rate by sending signals through one arm, through the pacemaker to the receiver in the other.

I joked with the tone generator (for phone equipment) with other employees, but not with her.

From someone with an implant..

[skgrey]

I have a spinal implant, which is basically an implanted tens-unit, that I use to block the pain from the degenerative disease I have. Although the device has a top level setting, it still hurts if I crank it up that far. If someone was able to remotely turn on my device and turn the intensity up and shorten the waveform they could bring me to my knees. If I couldn't turn it off I'd be in some serious trouble, since I couldn't flee.

As much as it's not life-threatening in my case, it's still pretty damn scary. I can't imagine having a pacemaker that could be disrupted remotely. Although talk about a great tool for the CIA for remote-kills.

Re:From someone with an implant..

[StikyPad]

I'm not a doctor, but I've been watching Glenn Beck, and here's what I think he'd have to say:

Why bother fixing it? They're just going to implant tiny remote-controlled exploding devices in the chest cavities of all citizens once the Socialist "healthcare" program takes effect. Come on, people, WAKE UP!!! I mean.... *guffaw*...... *rolls eyes*..... Whore!! I'm not saying *you* are a whore, but certainly we can all agree that whores want free healthcare, therefore people who want free healthcare are whores! *Expression of poignant thought*

Don't forget, today is 11/13, the two month anniversary of 913!!!! Grassroots Tea Party forever!!

I can see it now...

[Abstrackt]

Someday, some geek will try to overclock his artificial heart...

Re:I can see it now...

[Dunbal]

Someday, some geek will try to overclock his artificial heart...

      Heck people overclock their normal hearts today anyway. It's called cocaine...

      I've actually seen someone with a cocaine induced long QT syndrome. A hairy day in the ER that was, considering he was psychotic at the time... it took quite a few of us to hold him still enough to get the IV going.

Re:I can see it now...

[maxwell+demon]

Most mammals have an inverse relationship between rate and lifetime. (And barring the use of medicine, probably humans too.) Almost as if there were a limited number of beats allocated...

And then you die from a null pointer exception?

Re:I can see it now...

[mysidia]

Is it too much to ask that such a critical device have two firmwares, the 'user installed firmware', a 'backup firmware', and a monitor ROM?

If the monitor ROM detects the device going out of certain parameters, or detects an exception in the user firmware, it switches to an emergency firmware ROM with assured "safe settings", and starts emitting a radio signal to be picked up by authorities, and possibly alarm tone to warn the user..

Does someone have him for a class.

[NoYob]

The potential risks of enabling radio communication in implantable medical devices were first highlighted by Kevin Fu, an assistant professor of computer science at the University of Massachusetts, Amherst,...

It must have been rough in college for him.

CS Professor: Now when you call function Foo.

Fu: What professor?

Um, nothing. Back to Foo.

Sir?

Nothing. Anyway the function, let's call it, "Bar" instead. Now when you call "Bar"

John Barr, another student: "What sir?

Professor: Is there anyone named ABC?! Good! Now when you call function ABC ...

Winning the hearts and minds

[slackoon]

One half of winning the hearts and minds of the people could be done using only a wireless PDA

Re:And somewhere...

[Tsar]

Who, oh, do you mean the draft dodging guy who smokes hashish and sleeps with hippie chicks while writing crazy ass cyberpunk drivel?

I'm quite sure he's referring to William Gibson, the Tony-Award-winning playwright and novelist who died last year at the age of 94, still writing. His best-known work is "The Miracle Worker," a true American stage classic.

Why anyone on Slashdot would refer to that other William Gibson is beyond me.

63 comments and still..

[StikyPad]

This gives a whole new meaning to heart attack.

Someone had to say it.

Just ask my dad

My dad got a defibrillator fitted a year back. It has bluetooth and 5mb of memory. I didn't want to connect to it since killing a parent at Christmas would probably sour the mood.

3 months ago he got it updated and was ill for 4 weeks until a new patch came(although I suspect he milked it a bit for attention). Apparently an overflow in the software was causing small discharges! We don't need to protect against hackers, protecting against the programmers would be a good start. At least I can go around and say that my doctor flashed my dad. :D ..AC because I don't want my family medical history on the net.

Oblig

[Maelwryth]

Don't go hacking my heart
I could if I tried
Honey please forget my wireless
Baby I'm not that kind
Don't go hacking my heart
You take the beat out of me
Honey when you knocked on my port
My heart gave you my key
Nobody knows it
When I was down
I was your pawn
Nobody knows it
Right from the start
You stopped my heart
You stopped my heart
So don't go hacking my heart
I won't go hacking your heart
Don't go hacking my heart


On a slighly different note. I wonder if Captain Crunch could freak an ear implant?

Re:*Sigh*

I'm sure they "got it". It's just not funny. Thespian. Lesbian. Yeah, they both end in "ian". And you're pretending to be "dumb guy". Hilarious. Yeah. They got it.

Old term new meaning: FATAL ERROR

[dazedNconfuzed]

I have one. I get "tuneups" every six months. Pretty cool how they can change its settings with a wireless interface and a few taps of a touchscreen.

Last time I was in for a data dump on my pacemaker, my cardiologist excitedly explained "there are a _google_ combinations of settings on this device!" Then he paused, and grudgingly conceded most of them would kill me.

Even if allowed to replace implanted medical firmware, such hacking would be unpopular. We all know how reliable fixes, tweaks & updates to software are (i.e.: NOT). A single "oops" could leave the user unconscious in seconds and dead in minutes; even if not a terminal error, screwups can range anywhere from very uncomfortable to subtly distressing. During early diagnostic runs post-implantation, several times I found myself in a fetal position as a bug (!) caused repeated serious abdominal convulsions (didn't hurt, but did cause uncontrolled laughing in a "MTV Jackass" kinda way); nobody ever figured out why (technician: "did I do that?", me: "YEAH!!"). Later I found sleeping on my left side was undesirable, as natural abdominal compression caused diaphragm twitching with each pulse - harmless, but distressing enough to stop the practice (later resolved by reducing lead voltage and increasing pulse width, affecting battery life). When asked what the failure condition symptoms would be, my cardiac surgeon said simply "you'll pass out" (implying not waking up - ever).

Yes, the libertarian principles exist to demand patients have self-funded access to medical gear allowing reprogramming of implanted pacemakers or other medical devices. Absolutely I stand in support of such a notion. In practice, however, methinks this will be - shall we say - a self-correcting issue: those who do, and make mistakes, will die.