Hacking a Pacemaker

jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."

Bionic eye

[sm62704 (957197)]

I'm sure glad the device in my eye (see my sig for details) is focused by the eye's muscles rather than electronics/motors. Some things shouldn't be networkable.

Oh yeah, the oblig: We are cyborg. You will be assimilated. resistance is not only futile but you won't resist, you'll beg to join us..

Re:Bionic eye

[Misagon (1135)]

Some things shouldn't be networkable.

Not networkable. A pacemaker communicates only with the diagnostic equipment.
Pacemakers are [i]implanted[/i] under the skin. The only way to interface with them is through induction or radio signals. The signals have ranges measured in centimeters.

Re:Bionic eye

[StylusEater (1206014)]

I can see the headlines... "Cheney's Pacemaker Hacked by Chinese Militants" ... :-) One can only wish.

Re:

[sm62704 (957197)]

I would think the safest thing would be to have to physically interface with it to program any electronics in it. Once they've sewn one into my chest (thank God heart disease doesn't run in my family) I wouldn't want it to be programmable!

Re:Bionic eye

[Ihlosi (895663)]

Once they've sewn one into my chest (thank God heart disease doesn't run in my family) I wouldn't want it to be programmable!

Um, yes you do. Do you want them to have to cut you open because you don't like the maximum pacing rate and want to have it reduced by 5 bpm ?

Re:

[sm62704 (957197)]

I want them to get the pacing rate right BEFORE they sew it in.

Re:

[Ihlosi (895663)]

I want them to get the pacing rate right BEFORE they sew it in.

Finding out which settings you like or don't like unfortunately involves putting a pacemaker into you first. Of course, you could go with a completely dumb device, but your heart would be paced too fast when you're asleep and too slow when you're physically active.

Re:Bionic eye

[bay43270 (267213)]

Also, your pacing needs change as you grow and as your heart develops. Not all pacemakers go into 70-year-olds.

Re:Bionic eye

[darkfire5252 (760516)]

Yes, I want it to be programmable. But I want the designer to keep in mind that it's my life at stake. We know how to do these things securely.

Public-Private Key cryptography. The manufacturer has a public key, and it's embedded into the device. The manufacturer's private key is kept secret in the same way as the PKI people do it; there are multiple parties required to do anything to the key, there is armed security 24/7, and the key is treated as if people's lives depend on it because that's the situation. There's a process to go through for a hospital to get certified to update the device. When the hospital certifies a doctor to update the device, the doctor's public key is signed by the manufacturer's private key. The doctor keeps his private key on a smart card that requires a PIN with the full knowledge that people could die if he loses it. Preferably the smart cards are kept under lock and key at the hospital next to the lethal drugs and the morphine. When an update command is done, a specially formatted message is signed by the doctor's private key, and the message is send along with the doctor's certificate (the doctor's public key signed by the manufacturer's private key). If there's no valid certificate or the message format is not correct, no command interpretation takes place. If everything checks out, the command is logged in onboard flash memory and the device updates. If someone's pacemaker is updated in a manner that kills them, there is an audit trail pointing to exactly who's at fault. I don't care how much more expensive it is, particularly when the answer is 'not very.'

People's lives are at stake here, the manufacturers should be held liable and negligible if they aren't using already existing methods that essentially guarantee security.

Re:

[Ihlosi (895663)]

Public-Private Key cryptography.

Sure. Will you ship your secure, encrypted pacemaker with an external power supply to plug it in ?

Sheesh. These things don't come with a multi-core desktop CPU. They're ultra low-power systems, optimized for battery life because changing the battery requires surgery, which already puts your life at stake (Sorry - cutting your chest open isn't trivial. And the chance of something bad happening during or after surgery (infection, complications with the anesthesia, etc), as

Re:Bionic eye

[Beardo the Bearded (321478)]

Ah, finally, someone understands something! Most programmers think that EVERYTHING that can be programmed has a multi-core architecture with a hard drive, monitor, etc. You haven't seen most of the computers that you use on a daily basis. Do you think your elevator runs a Duo-core? Your apartment buzzer controller isn't made by AMD.

I'm an EE with a lot of embedded experience in RF devices. I've had to make recalls because the standby current* was 50uA instead of 12uA. (For a GPS tracking board with VHF transmitter.)

The level of misunderstanding that's required to think that you can surreptitiously reprogram somebody's pacemaker without their knowledge is astounding. If you've got a pacemaker and someone tries to walk up to you and reprogram your chest, just walk away, man. Walk away. It's not like it's going to take 2 seconds to line everything up correctly. Even if all the technical details are magically sorted, a different brand could make your hack useless. So could temperature, humidity, clothing, chest hair, and any of the other RF voodoo things that you have to deal with.

*(Technically "quiescent" but I'm not sure everyone knows what that means.)

Re:

[Beardo the Bearded (321478)]

Both multiplication and division are "heavy" operations in the embedded world. Incorporating them into the code even once can mean that your code won't fit into the footprint. One chip I used in 2006 has 512 bytes of Flash and 24 bytes of RAM. Not for a trivial application either - there are tens of thousands of that product out in use right now, and people depend on the device to live.

Sure, a few chips have built-in single-line multipliers, but I don't think that's what they use in pacemakers.The pacemaker

Re:Bionic eye

[nahdude812 (88157)]

And once the private key is cracked or exposed, do you operate on everyone with that model pacemaker?

The thing is that this private key needs to be sent to every hospital and doctor's office which wants to make adjustments to the pacemaker. They'll have it, whether it's embedded in a chip or written in a config file. You have to make this information public in some sense, the very best you could hope to do is use some kind of DRM to protect the key from exposure, but as we all know, such exercises are fated to failure.

And what happens when a pacemaker manufacturer discontinues a line and stops manufacturing the equipment to tune certain kinds of pacemakers (such as would be expected to happen should a key be discovered), do these patients just have to hope that the equipment used for tuning their pacemaker outlives them?

Also, will doctors and hospitals have to buy dozens of different pacemaker adjustment machines, one of every type, even those they don't install themselves so that they can treat patients who move into the area? What happens when the patient needs emergency adjustment of his pacemaker but doesn't remember the model he has (or isn't conscious)?

Finally, these devices don't exactly have little general purpose CPU's in them. One of their biggest concerns is decent battery life. If we put something in there as computationally intensive as strong private/public key cryptography, you're going to significantly hurt the battery life of these devices.

This problem is not as simple as it seems on the surface. It turns out that human life is fragile, and there are many ways in which you can kill someone, some of them even require little effort to kill many people. Hacking this device in a way that endangers other humans would not even need new laws to be punishable since we fortunately already have laws which surround murder, reckless endangerment, and other such things which actually or reasonably could result in the death or injury of other humans.

Re:Bionic eye

[darkfire5252 (760516)]

Look up public private key cryptography and get back to me. Asymmetric cryptography does not require revealing the private key to hospitals....

Re:

[geekyMD (812672)]

You sir, are a moron. You suggest: 1) Requiring doctors to carry smart cards with encryption data 2) Requiring doctors to keep said cards with "the morphine" (showing you have never seen how a hospital manages secure resources) 3) Said hideously rare and necessarily hard to obtain cards would be required to save a life in dire emergent situations. This shows: 1) You have never seen how an emergency room or hospital inpatient floor works. 2) You have no idea how a pacemaker interrogator works. Furthermore

Re:

[pnewhook (788591)]

Yes, its all nice and simple to the software guy that doesn't know what he is talking about.

Yes what you are asking is possible but it's prohibitively expensive, pointless, and adds ZERO benefit to the patient. In fact because of the extra power draw of this pointless device the patient will have to undergo extra surgeries to replace the battery more ofter thereby further jeopardizing the patient safety.

Re:Bionic eye

[tsa (15680)]

Believe me, you really want the thing to be programmable. They have to try a few settings to find oujt which makes you feel good, and if/when your body changes they can adjust the pacemaker accordingly. Modern pacemakers are marvellous pieces of technology that can give you your life back as long as you program them well!

pacemakers

[gEvil (beta) (945888)]

Hacking a pacemaker? What could possibly go wr... *thud*

Don't fear.... much

[NIckGorton (974753)]

From TFA:

a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal

hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts -- they include Vice President Dick Cheney -- have no need yet to fear hackers

No need to fear they tell us because:
One:

The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals.

And two:

"To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,"

Um, that was until a NYTimes article described that it could be done and (more importantly) a /. article linked to that NYTimes article so tons of geeks worldwide see the information. While security through obscurity doesn't really work, there is something to be said for people just not noticing that a thing is hackable.

Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

If I had an AICD, I sure as hell wouldn't want to be around Cheney, lest the signal from mine be confused with his. Of course maybe that is why he has a man sized safe in his office is a Faraday cage.

Re:

[TheRealMindChild (743925)]

Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

Not only that, but let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead.

Re:

[MMC Monster (602931)]

Recent models of pacemakers and defibrillators from the major companies (Guidant, Medtronic, etc.) allow remote telemetry from home: You have a device sitting on a table next to the patient's bed which will check the device every night (or one night a week, etc.) and report back to the physician any abnormalities. Some also allow wireless programability, but not from home: The nurse waves the wand over the device, then the patient goes in another room and gets seen by the physician while the settings on t

Re:Don't fear.... much

[NIckGorton (974753)]

I'm not so sure about that (speaking as an ER physician who would generally be the one saying WTF is the password???)

In the worst case scenarios, either 1) put a donut magnet over it and it can be stopped or 2) give me a scalpel and 30 seconds and I can cut the leads, and then we can externally pace and/or defibrillate the person.

So I am not sure that the risk of being password protected would outweigh the risk of not being password protected. I'd want mine password protected, then put the password on a medic-alert bracelet that I wear.

But why?

[Tsoat (1221796)]

Even if you could hack it wirelessly the only benefits I see are bragging rights cool they may be just doesn't seem worth the time and effort

Re:

[kalirion (728907)]

Unless you're looking to kill someone by pressing a button, of course.

Life imitates art

[theGreater (596196)]

From http://www.snpp.com/episodes/BABF01 [snpp.com]

% The Simpsons happen upon Krusty, who is having a Y2K crisis of his
% own. His pacemaker is stuck in the "hummingbird" mode. Krusty
% lifts himself in the air briefly by flapping his arms, before
% collapsing on the ground.

See also:

http://en.wikipedia.org/wiki/Treehouse_of_Horror_X#Life.27s_a_Glitch.2C_Then_You_Die [wikipedia.org]

-theGreater.

Easy fix

[InvisblePinkUnicorn (1126837)]

Just make a pacemaker for the pacemaker. That way, if it ever shuts down, it'll have a tiny little heart inside it to get it going again.

Just shut it off

[epilido (959870)]

Most pacemakers and defibrillators can be turned off with just a magnet. This is designed to allow medical staff to stop a defective device. Yep I have done it myself and seen it done many times for diagnostic reasons in the hospital. M

Wait for it

[Bombula (670389)]

"It wasn't me grabbing her ass your honor, someone hacked my arm!"

So they can crack RSA and then get the pacemaker?

[dbIII (701233)]

RSA encryption is used in these devices. There certainly is a lot of techofear journalism about lately.

Re:So they can crack RSA and then get the pacemake

[frog_strat (852055)]

Working on the communications software for one of these devices, I can say for sure there is no encryption on at least one of them. A decision was made by the company to not worry about this issue at the moment.

A better method

[yamamushi (903955)]

The article details how the researchers had to be within 2 inches of the pacemaker, and several thousands of dollars worth of equipment. I suspect there is an easier way to deactivate a pacemaker, find out what frequency they operate at. I've got an FM radio blocker, that is basically just a 100mhz oscillator, a potentiometer, and a battery. It works by canceling out a given frequency, thus letting me silence my neighbors stereo from 50ft away. I know the technique works for the 2.4ghz band, for blocking out wireless phone signals and whatnot. I suppose finding an oscillator in the high ghz range would suffice for 'killing' a pacemaker.

Insider

[More Trouble (211162)]

Would I need a "team of experts" and $30K of gear if I had worked as an engineer for Medtronic?

Yee-ha!

[clickety6 (141178)]

I'm gonna overclock this sucker!
Better than a triple espresso!

Some health care insurance / hospitals may want to

[Joe The Dragon (967727)]

Some health care insurance / hospitals may want to cut you off if you can't pay or they found out that you had a pre existing condition they make you pay up and say pay or we cut you off.
Some of them have said that a kidney transplant is to experimental and they let a someone die just to get out of paying for it.

When my pacemaker is tested

[InterGuru (50986)]

Every six months my pacemaker is checked. Part of the test is to speed and slow down the pacemaker and my heart for a short time.

It is a truly heartfelt experience.

Bookwormhole.net [bookwormhole.net] -- a site for book lovers.

Insulin pumps too!

[wizman (116087)]

My girlfriend is a type 1 diabetic. Instead of regular injections, she uses an insulin pump. This pump is an external device, about the size of a pager, that feeds insulin into her body via a short tube.

Several months ago she upgraded to a new pump. This new model (a Medtronic MiniMed) wirelessly communicates with a number of devices. It receives blood glucose data from a continuous glucose monitor. It also receives her regular readings from her standard "prick your finger" blood sugar tests via her test kit. And, it has a wireless key fob that allows her to adjust the pumps settings without having to dig through pockets and clothes to get at the unit.

My first comment to her was "With all of this wireless control, how easy is it for someone to use this wireless interface to put you into a diabetic coma, or worse, kill you?" She thinks it's a fairly ridiculous concept, citing encryption, receiver range, and "Why would anyone want to kill me?", among other reasons.

Well, I say that anything that has any type of wireless interface is hackable. There are, of course, no published documents that I can find detailing what steps have been taken to secure these devices. I'm seriously concerned as to whether or not the companies that make insulin pumps, pace makers, implants, etc, may not be taking these concerns seriously.

Re:Hmmm

[Ihlosi (895663)]

Doesn't Dick Cheney have a pace maker?

Yes, but the purpose of this device is unclear. What exactly is it pacing ?

Re:

[BakaHoushi (786009)]

I find this joke to be old and rather insulting, really. Of course Dick Cheney has a heart.

However, the notion that the heart is somehow related to empathy and love is also false. Instead, he had that section of his brain surgically removed. It helps him collect himself faster after his 3pm puppy kicking and orphanage closing.

Re:

[jamstar7 (694492)]

I find this joke to be old and rather insulting, really. Of course Dick Cheney has a heart.

Yup, he has the heart of a 20 year old.

It's in a jar on his desk.

Re:remote kill?

[Snowgen (586732)]

does this mean that someone can eventually kill people remotely?

The technology for that already exists; it's called a "gun". It replaced an older technology called an "arrow", which in turn was the replacement for an even older technology called the "javelin". There was also an older technology called a "sling" which was a peripheral device designed to increase the effectiveness of the original technology call the "rock".

People have been remotely killing other people for millions of years.

Re:remote kill?

[Oktober Sunset (838224)]

Killing people remotely is not hard, doing it without anyone knowing it was you, without any indication at the time that it was anything other than natural causes, requiring no opportunity other than being within wireless range and leaving no evidence behind whatsoever. That's the novel part.

Hacking the VP

[tobiasly (524456)]

Yes, that's a very real concern that the secret service has been terrified of for years. Most people know that Cheney has a pacemaker, but the real secret is that they forgot to turn off SSID broadcast and its password is "Linksys".

That kind of attitude is the problem

[Moraelin (679338)]

Well, sad to say and please don't take it as an offense, it's that kind of attitude that's the cause of half the problems today. Products are made by engineers couldn't care less about security, with their budget dictated by a boss who couldn't care less about security, and end up configured by users who couldn't care less about security. Because they all operate under that assumption that if it's even remotely related to computers or electronics, it can be hacked anyway, so why bother?

Well, no, there are w

Re:That kind of attitude is the problem

[Ihlosi (895663)]

Why _does_ a pacemaker need a WiFi interface anyway?

Because sticking a JTAG connector through someones chest is fairly painful. You're welcome to experiment on yourself to confirm this.

Also, it's not a WiFi interface. It's a short-range (it goes through your chest, and water absorbs radio waves like crazy), custom, wireless interface. You have no freaking need for those to be networked, in any form or shape.

And you're, what ? An M.D. ? A biomedical engineer ?

Tell you what: Have fun with your dumb fixed-rate 75 bpm pacemaker, but don't expect to be running up any stairs anytime soon.

Any interface to it or from it can be contact-based just as well.

It basically is, genius. Or do you want it so contact-based that they have to shoot a couple of amps through your chest in order to make the pacemaker respond ? Hint: Think of a vital organ that's very, very close to the pacemaker and reacts very badly to having current shot through it.

More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it.

They're also conveniently located outside the human body, so plugging a special connector into them doesn't involve going through someones tissue first.

Re:Ah, the smart-arse non-sequiturs

[I_Love_Pocky! (751171)]

I appreciate your enthusiasm, but thank god you aren't designing these devices. I work for one of the competitors to Medtronic (the company whose devices were studied). We have encryption in our RF communication. We DO take security into consideration, but there are trade offs that have to be considered. Battery life is generally the most important consideration. Every time surgery needs to be performed to physically access the device (usually because of a depleted battery) there is a risk of complications. These aren't insignificant risks either. Keep in mind the people getting these devices have health problems of some sort or they wouldn't be getting them. With that in mind, security solutions in this domain have to be very well thought out so as to avoid draining the battery significantly. So please, don't for a second presume that we are a bunch of monkeys sitting around on our asses ignoring real concerns. The real issue is that there are far more concerns than you are aware of. We do evaluate these concerns and try to build the best devices possible with the fewest compromises.

Re:

[I_Love_Pocky! (751171)]

I can't speak to how Medtronic implements their RF communication, but as I said ours is encrypted and boosting the signal to "hack" someone does not get around the encryption.

With the encryption that you say your company uses, wouldn't it simply be a matter of acquiring a single sending device, and reverse engineering it?
No. The individual communication session is protected by a unique key. Still, if you physically had a programmer (the sending device you mentioned), you could use it without any hack

Re:

[Asic Eng (193332)]

Why _does_ a pacemaker need a WiFi interface anyway?

Well it's not a pacemaker, it's a combination pacemaker/defibrilator. The second part is the reason why it can "deliver potentially fatal jolts" - that's just the range a defibrilator operates in. A connection via the internet allows a doctor to be notified of problems while the patient is at home, and the doctor could even take corrective actions right away. That's presumably why one of the doctors involved in this investigation said "If I needed a defi

Re:Easy solution

[CrashPoint (564165)]

Why don't they build firewalls into the pacemakers?

Because then you'd get heartburn. Geez.

Re:

[Rick Genter (315800)]

I agree with those that said that in order to "hack" the pacemaker you have to be at a very close range to the victim. At this range, you could just as easily stab or shoot them. As a more general rule, apart from a select few VIP figures, there is nothing we can do to prevent someone from carrying out a murder if they want to, the only thing we can do is punish them after the fact and hope it serves as deterrent for others.

What IS a problem is that unlike other means to kill a person at close range, this m

Re:

[mbstone (457308)]

I mean, imagine the following scenario:

1. Bad guys want to kill Cheney. That seems quite plausible.

2. Secret Service anticipates this. NSA and the Office of the Sergeant at Arms of the U.S. Senate are tasked to establish and test a set of security controls.

3. Pursuant to applicable FISMA, OMB, NIST and DoD regulations, it is determined that Cheney's pacemaker must undergo Certification and Accreditation under DIACAP (Doing Information Assurance on Cheney's Automatic Pacemaker) throughout the VP's Life Cycl