Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Reverse-Engineers Pacemaker Transmitter To Deliver Deadly Shocks

Posted by Soulskill on from the cheerful-news-of-the-day dept.

Bismillah writes "Pacemakers seem to be hackable now too, if researcher Barnaby Jack is to be believed. And the consequences of that are deadly. Anonymous assassinations within 30 feet of the pacemaker seem to be possible. From the article: 'In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he issued a series of 830 volt shocks to the pacemaker using a laptop. The pacemakers contained a "secret function" which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30 foot -plus vicinity. ... In reverse-engineering the terminals – which communicate with the pacemakers – he discovered no obfuscation efforts and even found usernames and passwords for what appeared to be the manufacturer’s development server. That data could be used to load rogue firmware which could spread between pacemakers with the "potential to commit mass murder."'"

42 of 216 comments (clear)

  1. Vulnerability in pacemaker firmware? by DikSeaCup · · Score: 5, Funny

    Shocking!

    --
    I talk about stuff.
    1. Re:Vulnerability in pacemaker firmware? by dkleinsc · · Score: 5, Funny

      I'm shocked, shocked!%N#)NO CARRIER

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:Vulnerability in pacemaker firmware? by durrr · · Score: 5, Informative

      There's pacemakers that only do the pacing.
      There's ICDs; Implantable cardioverter-defibrillators that restores proper rythm after detecting arrythmias.
      And there's combinations of the two. Most likely the pacemaker in question here is a combination device or they're actually talking about ICDs and not pacemakers.

      A classic heart attack involves blocking of coronary arteries however and a defibrillator won't do shit for that. Defibrillations are made to terminate an arrythmic beat and restore the normal sinus rythm.

    3. Re:Vulnerability in pacemaker firmware? by Anonymous Coward · · Score: 3, Funny

      Remember to disable fsck on startup!

    4. Re:Vulnerability in pacemaker firmware? by Ginger+Unicorn · · Score: 2

      This is the second post I've seen in three weeks where someone has implied that pacemaker-induced heart failiure would somehow cause their modem to hang up. It doesn't make sense, damnit!

      --
      (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
  2. Why are these approved? by Errol+backfiring · · Score: 5, Interesting

    ... he discovered no obfuscation efforts and even found usernames and passwords ...

    How come such pacemakers were ever approved by the FDA?

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:Why are these approved? by Anonymous Coward · · Score: 3, Insightful

      Because the FDA doesn't care about security. It's not in their mission or charter, and they don't test for it. Hopefully with issues such as this, that issue will be rectified.

    2. Re:Why are these approved? by Anonymous Coward · · Score: 5, Insightful

      Because the FDA doesn't care about security. It's not in their mission or charter, and they don't test for it. Hopefully with issues such as this, that issue will be rectified.

      Uh, not their mission or charter? Care to tell me exactly what the fuck their mission and charter is, if it's somehow not trying to keep citizens safe from products produced by companies with crystal-clear motives (greed, profit), driven by executives with less-than-average morals?

      Computer security may not specifically be their primary mission, but product security sure as hell is. And if it's not, then dismantle the whole damn organization, because clearly what the public thinks they do, and what they actually exist for, are two completely different things.

    3. Re:Why are these approved? by cultiv8 · · Score: 5, Informative

      This has been known since at least 2008. The Economist has an interesting article about the FDA slowly moving towards open source medical devices to improve the overall security and reliability of software in medical devices.

      --
      sysadmins and parents of newborns get the same amount of sleep.
    4. Re:Why are these approved? by Errol+backfiring · · Score: 2

      I worked for a company that does medical test (for the approval of new medicines) and there were quite a few rules for writing the software needed. This is "secondary" software in the sense that it only captures data and no life depends on it directly. I would expect unencrypted communication channels to prosthetics to be severely outlawed.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    5. Re:Why are these approved? by RobinH · · Score: 2

      Actually the benefit of wireless is absolutely obvious: you can monitor battery levels, even update firmware in the event of a serious bug, without doing surgery, and without having wires protruding through the skin (which is itself a major infection risk).

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    6. Re:Why are these approved? by aXis100 · · Score: 3, Insightful

      Yeah, but there's a difference between short range wireless (several cm) and long range (10's of metres) that makes a huge difference to the possible attach vectors.

    7. Re:Why are these approved? by cdrguru · · Score: 2

      It takes a real paranoid person to think that someone would "just for fun" want to hack into a pacemaker. We haven't gotten over the idea that people are generally good and nobody would want to do this, even if they could.

      The truth is that if you could kill someone with a mouseclick, you might - I don't care who you are, that is just the way people are in reality. We have operated under the assumption that "nobody would do this" for far too long.

    8. Re:Why are these approved? by DragonWriter · · Score: 2

      Yeah, but there's a difference between short range wireless (several cm) and long range (10's of metres) that makes a huge difference to the possible attach vectors.

      There actually isn't a fundamental difference between short-range and long-range wireless: its all broadcast, and range depends on both the the sensitivity of the receiver and the power of the transmitter. You can't make a system "short-range only" when you control only one endpoint.

    9. Re:Why are these approved? by Rich0 · · Score: 2

      Certainly part of their mission, but quality in the FDA realm has a peculiar definition. Quality is measured by presence/absence of paperwork for the most part. Sure, there are guides on what kinds of paperwork need to exist, but for the most part the FDA is much better at finding issues with the paperwork that is there than they are with finding issues with the paperwork that isn't there.

      Most FDA types are doctors or scientists or such. You don't really get people thinking in terms of computer security.

      I work with software tested to "FDA standards" all the time, though not with medical devices. I'm fairly confident that if I wanted to bypass the security in almost any of this software it would be fairly trivial to do so. Like most industrial control software, the software in health applications tends to be secure against casual intrusion. A doctor trying to guess passwords probably couldn't hack in, but there are a million other ways to get in that the people doing this kind of work don't think of. Lots of software implements the business logic on a client installed locally, which is almost impossible to secure.

      There is obviously a risk balance, but any attack mountable over RF against a life support device of any kind HAS to be rigorously prevented. You don't want somebody with a directional antenna to kill 300 people in a large hospital from halfway across town.

  3. I think I understand the lack of security by ndogg · · Score: 2

    I'm sure the developer was thinking, "Who would even think of trying to hack a pacemaker? Who would even want to?"

    Unfortunately, it only takes one sociopath.

    --
    // file: mice.h
    #include "frickin_lasers.h"
    1. Re:I think I understand the lack of security by fph+il+quozientatore · · Score: 2

      I'm sure the developer was thinking, "Who would even think of trying to hack a pacemaker? Who would even want to?" Unfortunately, it only takes one sociopath.

      Think about intelligence agencies and secret service. The same people that already killed with Polonium poisoning in the past, for instance.
      It's a very clean and safe way to dispose of someone after all: who can tell it from a real heart attack after the fact?

      --
      My first program:

      Hell Segmentation fault

    2. Re:I think I understand the lack of security by skids · · Score: 2

      There's a good chance the developer fuly intended to implement security. The conversation probably went like this:

      PHB: Is it done yet?
      Dev: All the basic functions work but now we need to do a secu....
      PHB: Ship it!

      --
      Someone had to do it.
  4. Re:Function creep...? by richardcavell · · Score: 5, Informative

    Cardiologists commonly communicate electronically with the pacemaker after its insertion to adjust numerous parameters of its function. The pacemaker can also deliver information to the cardiologist about its usage history, battery state, etc. (Doctor) Richard Cavell

  5. Crank 3 by revelation60 · · Score: 5, Funny

    Sounds like it could be the plot of the new Crank movie!

  6. Isn't it plain and obvious... by shiftless · · Score: 5, Insightful

    ...the state of computer "engineering" is complete and utter shit if a fucking pacemaker can be hacked and compromised? What the mother fuck? Are you fucking kidding me? Shouldn't those be among the best designed, safest, most reliable and secure of devices? God help us all. Just wait until they drag us into this war with Iran here soon, and China and Russia decide to team up to end our bullshit and we end up descending into WW3.

    Can you imagine the utter chaos in the U.S. when all our magic electronic boxes suddenly stop working, or worse, work silently behind our backs to sabotage and/or kill us? According to another /. article, it's 300+ days on average (sometimes years) between the finding of a typical "zero day" exploit and when it was actually found (kept hidden, and potentially exploited) by attackers. Who wants to bet money China and Russia both have teams of hackers dedicated to finding exploits for all common software and systems in the U.S., extensively documenting and writing code against them, nicely sorting and tabulating it all out and filing it away in an archive, then keeping this info close at hand at all times for when the right opportunity presents itself?

    Right now we are more vulnerable than ever. Hands up: who here is looking forward to jumping into a world war with both feet, then being surprised by how much we don't know about our own security vulnerabilities, learning the hard way from powerful foreign countries that just might kick our asses, or at the very least cause massive damage (bombing, etc) to the mainland U.S.? We're learning now that pacemakers have huge gaping security holes. Holy fucking Christ. What else is out there waiting to be compromised and exploited?

    1. Re:Isn't it plain and obvious... by mwvdlee · · Score: 4, Funny

      Holy fucking Christ. What else is out there waiting to be compromised and exploited?

      Your sanity?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Isn't it plain and obvious... by thedonger · · Score: 3

      Shouldn't those be among the best designed, safest, most reliable and secure of devices?

      I'm surprised they would allow remote access without a direct connection. It's vulnerable enough in that it relies on electronic timing and can be affected by external electromagnetic forces; but, to make it accessible via wireless/RF/whatever just seems like a bad idea through and though.

      --
      Help fight poverty: Punch a poor person.
    3. Re:Isn't it plain and obvious... by MarkGriz · · Score: 5, Funny

      utter shit if a fucking pacemaker
      What the mother fuck?
      Are you fucking kidding me?
      end our bullshit and we end up descending into WW3.
      work silently behind our backs to sabotage and/or kill us?
      powerful foreign countries that just might kick our asses
      Holy fucking Christ.

      Ask your doctor if Xanax is right for you

      --
      Beauty is in the eye of the beerholder.
    4. Re:Isn't it plain and obvious... by Jack9 · · Score: 4, Informative

      > Then maybe you need to go work for a body piercer, who has more than enough experience installing hardware into people without so much risk of infection.

      The epidermis is highly resistant to infection compared to internal organ tissue which largely has no nerves and no significant way to deal with infection. The primary cause of death for cardiac surgery patients is infection.

      > Pretty sad a piercer would have more experience than someone that supposedly worked for a medical device manufacturer.

      The sad part is your ignorance.

      --

      Often wrong but never in doubt.
      I am Jack9.
      Everyone knows me.
    5. Re:Isn't it plain and obvious... by ColdWetDog · · Score: 2

      Last time I checked (and to be honest, I didn't look that hard given the location of the particular piercing), these afficiondos don't go for the deep structures like the heart. There are qualitative and quantitative differences between putting a piece of metal in your skin and a wire into your heart. Guess which one is easier?

      That said, I've seen plenty of infected piercings. The nice thing is you can remove them and the problem goes away. Removing the heart has other consequences.

      --
      Faster! Faster! Faster would be better!
    6. Re:Isn't it plain and obvious... by ColdWetDog · · Score: 2

      I think this guy is well into Thorazine territory.

      --
      Faster! Faster! Faster would be better!
    7. Re:Isn't it plain and obvious... by ZeroSumHappiness · · Score: 2

      As a pile-on to what others before me have said, piercings usually go into healthy individuals. Pacemakers and similar devices usually go into people who are highly vulnerable to immune system compromise.

    8. Re:Isn't it plain and obvious... by gnasher719 · · Score: 2

      In the USA, there are plenty of people - millions actually - who have the means to kill anyone wearing a pacemaker quite easily. These people are called "gun owners". Now the number has increased by one - some idiot hacker who figures out how to hack into the pacemaker software. So what has changed?

    9. Re:Isn't it plain and obvious... by TheCarp · · Score: 3, Insightful

      Yes but, there are consequences. When someone gets shot, investigations happen, people with motive are questioned. Mode of death and circumstances affect alot.

      As an example, I have some friends with a farm and a good amount of land behind it. They have a camping ground for events and a number of structures etc in the woods from the many many years of farm and other uses.

      They allowed someone that was going through hard times to stay in their woods, living in one of the primitive stuctures. He helped out at the farm, feeding the animals. One day, they noticed the animals hadn't been fed, later on, they went out to check on him.... he had attempted to kill himself, but was still barely alive.

      The parametics and police were decidedly unhappy about having to head out into the woods....but did tell my friends that its a really good thing that they found him when they did, because if he had died, and they came to find the dead body, the investigation would have been a very different matter, whereas, since he was (even if just barely) alive when the police arrived, they could just call it an accidental OD or possible suicide and not have to investigate.

      Now, if it were a gunshot?... you know they would investigate. However.... guy with a pacemaker has a heart attack? Thats natural causes man.

      This could have happened already, many times over, and nobody would be any wiser.... no need to investigate such an "obvious" death.

      --
      "I opened my eyes, and everything went dark again"
  7. Dick Cheney by inode_buddha · · Score: 3, Funny

    Dick Cheney has a pacemaker...

    --
    C|N>K
  8. Re:Function creep...? by kenh · · Score: 4, Interesting

    There is the other side of this - if the pacemaker was protected by a password, what if a cardiologist other than the one that installed it had to access/update/configure it? Either there would have to be a commonly-known access code (negating all attempts at securing the device) OR the doctor would have to contact the Mfg. or some central password authority to get the codes to access the device, and that might be an unacceptable delay in a life-or-death scenario.

    Sure, you could ask patients to carry password cards OR tattoo the password on a body part if you really felt the need to password-protect the device.

    Not so sure about one pacemaker updating another pacemaker, as the description mentions - does the pacemaker really have a strong enough transmitter to download a new firmware image onto another pacemaker in another body?

    --
    Ken
  9. Hmmm... sounds familiar by StefanSavage · · Score: 5, Informative

    Seems like this was demonstrated four years ago, no?

    Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.
    D. Halperin, T.S. Heydt-Benjamin, B. Ransford, S.S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W.H. Maisel.
    IEEE Symposium on Security and Privacy, May 18-21, 2008.

    See: http://www.secure-medicine.org/icd-study/icd-study.pdf

  10. Solution.... by coinreturn · · Score: 5, Funny

    Tin foil vest.

  11. Herp Derp article author by Smerta · · Score: 5, Informative
    (1) It was most likely an ICD (or pacemaker/ICD combination), not a pacemaker.

    Pacemakers are used to establish a regular heartbeat (pacing) at a specific interval. Implantable Cardiac Defibrillators (ICDs) are used to deliver high-voltage shocks at a precise moment in time to stop an arrhythmia. Delivered at exactly the wrong time, this can induce an arrhythmia.

    (2) "he issued a series of 830 volt shocks to the pacemaker using a laptop". Sorry pal, thanks for playing, hit the bricks, you're done. The ICD (not pacemaker) is the one issuing the shocks. At least the voltage level sounds about right. All of this starting from a ~3V battery too.

    The wireless interfaces (telemetry) into pacemakers and ICDs are notoriously insecure, from all major device manufacturers. They are playing catch up now. Believe me, there is a lot of heartburn (no pun intended) in the ranks of corporate/executive management in the device companies when it comes to this topic.

    A couple points worth remembering:

    (1) These devices have very long lifetimes. The typical implant is expected to last 6-10 years (usually the battery is the limiting factor). So there are people walking around with devices in them with security problems from 10 years ago in some cases.

    (2) It takes a tremendous amount of money to develop a new device in this class. All the testing, certification, trials, etc. The electronics and firmware are incredibly optimized for their specific function, the test suites are massive, the verification & validation processes are lengthy.

    (3) Regarding (1) above about 10 year old firmware - essentially all devices support near-range telemetry, which allows a physician / tech within physical proximity (a few inches) to download logs about what events the device has seen / experienced. It also allows the device to be updated with firmware patches. Having been around this enough in different places, I'm pretty confident saying that it's always in the form of patches, as opposed to wholesale forklift updates.

    Patches aren't just pushed out like Firefox releases, even the smallest one is a massive amount of effort -- even if the change is a one-line change in code. And more importantly, any patch requires the patient to visit the physician, the physician to be up to date on patches & warnings, etc.. I've seen data first-hand from 2 device manufacturers showing the distribution of devices & updates in the field, and believe me, not everyone is anywhere near up to date. Actually, it probably looks a lot like the Firefox version distribution...

  12. Re:Well I'm convinced it's true by Hank+the+Lion · · Score: 4, Informative

    I built a stun gun capable of generating 900,000 volts on-demand out of a few dollars worth of parts and a 9 volt battery, and it fits in the palm of your hand

    900V or 9 kV I would believe, 900 kV not so much.
    You would need creeping distances of more than 300 mm just to prevent arcing and making the voltage collapse before it even reached the 900 kV.
    "900 kV" and "fits into the palm of your hand" are mutually exclusive, I think.
    (and yes, I've designed and built multi-kV devices myself)

  13. See Karen Sandler's work on this issue. by kfogel · · Score: 3, Informative

    Hackable medical devices are a known problem -- there's a great paper on it from Karen Sandler, at that time at the Software Freedom Law Center (she's given OSCON talks about it too):

    Killed by Code: Software Transparency in Implantable Medical Devices

    And the SFLC's announcement / summary of the paper:

    Software Defects in Cardiac Medical Devices are a Life-or-Death Issue

    --
    http://www.red-bean.com/kfogel
  14. Re:Prank your family! by ColdWetDog · · Score: 2

    ... Reminds me of the TV-B-Gone.

    Father-in-law begone.

    Better.

    --
    Faster! Faster! Faster would be better!
  15. Re:Function creep...? by devnullkac · · Score: 2

    I think you're close. You need a secondary access method that requires direct skin contact near the device in order to bypass the front-line wireless security. Same concept as how most people will protect wireless access to their home network, but rely on physical security to prevent someone replacing their router: if someone can get close enough to get physical access, you'll know it and know to stop it before it's too late.

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
  16. Wonderful discovery! by fustakrakich · · Score: 2

    12 years too late...

    --
    “He’s not deformed, he’s just drunk!”
  17. DNS by ThatsNotPudding · · Score: 3, Funny

    Anybody got Dick Cheney's IP address? Just curious; totally unrelated to this story. Honest.

  18. For the Slashdot crowd: Clomipramine by zooblethorpe · · Score: 2

    No, seriously, it sounds like he isn't getting any, in which case he might want to try clomipramine / Anafranil.

    Apparently around 5% of users report spontaneous orgasm when yawning.

    I wish more things in life had side effects like that. Of course, that would necessitate certain changes to one's wardrobe, but I think the minor additional hassle would be well worth it...

    :-P

    --
    "What in the name of Fats Waller is that?"
    "A four-foot prune."