Forgot your password?
typodupeerror
Biotech Medicine Security

Hacking a Pacemaker 228

Posted by CmdrTaco
from the probably-not-the-best-idea dept.
jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."
This discussion has been archived. No new comments can be posted.

Hacking a Pacemaker

Comments Filter:
  • Bionic eye (Score:5, Interesting)

    by sm62704 (957197) on Wednesday March 12, 2008 @08:32AM (#22727368) Journal
    I'm sure glad the device in my eye (see my sig for details) is focused by the eye's muscles rather than electronics/motors. Some things shouldn't be networkable.

    Oh yeah, the oblig: We are cyborg. You will be assimilated. resistance is not only futile but you won't resist, you'll beg to join us..
    • Re:Bionic eye (Score:4, Interesting)

      by Misagon (1135) on Wednesday March 12, 2008 @09:05AM (#22727660)

      Some things shouldn't be networkable.
      Not networkable. A pacemaker communicates only with the diagnostic equipment.
      Pacemakers are [i]implanted[/i] under the skin. The only way to interface with them is through induction or radio signals. The signals have ranges measured in centimeters.
    • by StylusEater (1206014) on Wednesday March 12, 2008 @09:09AM (#22727688)
      I can see the headlines... "Cheney's Pacemaker Hacked by Chinese Militants" ... :-) One can only wish.
      • Or better yet, "Cheney's pacemaker hacked by time travelers from the future." Circa 1999. Now that's a wish.
      • by sm62704 (957197)
        I can see the headlines... "Cheney's Pacemaker Hacked by Chinese Militants" ... :-) One can only wish.

        This is off the topic for the summary (but on topic for your comment) but if Cheney goes duck hunting with Bush we could have the first woman President.

        If Cheney shoots Bush in the face [msn.com] accidentally while duck hunting (well it happened once before, I'd never go hunting with him) and suffers a heart attack as a result, and both die, then House Speaker Nanct Pelosi [wikipedia.org] becomes President Pelosi.

        One can only wish!

        M
      • .. I see this more like, "Cheney hacks pacemaker to extract confessions from suspect cardiac patients".

        Still, I'd like to see proof of concept. There is no such thing as "guaranteed short range" in wireless. My Bluetooth headset has a 50-foot range in the right locations.
  • pacemakers (Score:5, Funny)

    by gEvil (beta) (945888) on Wednesday March 12, 2008 @08:35AM (#22727398)
    Hacking a pacemaker? What could possibly go wr... *thud*
  • by NIckGorton (974753) * on Wednesday March 12, 2008 @08:38AM (#22727416)
    From TFA:

    a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal

    hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts -- they include Vice President Dick Cheney -- have no need yet to fear hackers
    No need to fear they tell us because:
    One:

    The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals.
    And two:

    "To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,"
    Um, that was until a NYTimes article described that it could be done and (more importantly) a /. article linked to that NYTimes article so tons of geeks worldwide see the information. While security through obscurity doesn't really work, there is something to be said for people just not noticing that a thing is hackable.

    Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

    If I had an AICD, I sure as hell wouldn't want to be around Cheney, lest the signal from mine be confused with his. Of course maybe that is why he has a man sized safe in his office is a Faraday cage.
    • Re: (Score:3, Interesting)

      Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

      Not only that, but let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead.
      • by Ihlosi (895663)
        Not only that, but let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead.

        Now you only need to get that $30000 worth of lab equipment (= big and bulky) within a few inches of your intended victims chest ...

    • Re: (Score:3, Interesting)

      by MMC Monster (602931)
      Recent models of pacemakers and defibrillators from the major companies (Guidant, Medtronic, etc.) allow remote telemetry from home: You have a device sitting on a table next to the patient's bed which will check the device every night (or one night a week, etc.) and report back to the physician any abnormalities. Some also allow wireless programability, but not from home: The nurse waves the wand over the device, then the patient goes in another room and gets seen by the physician while the settings on t
      • by NIckGorton (974753) * on Wednesday March 12, 2008 @11:03AM (#22728960)
        I'm not so sure about that (speaking as an ER physician who would generally be the one saying WTF is the password???)

        In the worst case scenarios, either 1) put a donut magnet over it and it can be stopped or 2) give me a scalpel and 30 seconds and I can cut the leads, and then we can externally pace and/or defibrillate the person.

        So I am not sure that the risk of being password protected would outweigh the risk of not being password protected. I'd want mine password protected, then put the password on a medic-alert bracelet that I wear.
        • put a donut magnet over it and it can be stopped
          And to clarify, I mean stop many potential hacks. The magnet doesn't turn a pacer off, just flips a reed switch and renders it dumb so that it just paces at a set background rate. And I suspect that if it were hacked and the person arrived to the ER still alive (or at least freshly dead) you could solve a lot of that with a magnet.
  • But why? (Score:2, Insightful)

    by Tsoat (1221796)
    Even if you could hack it wirelessly the only benefits I see are bragging rights cool they may be just doesn't seem worth the time and effort
    • Re: (Score:3, Insightful)

      by kalirion (728907)
      Unless you're looking to kill someone by pressing a button, of course.
  • From http://www.snpp.com/episodes/BABF01 [snpp.com]

    % The Simpsons happen upon Krusty, who is having a Y2K crisis of his
    % own. His pacemaker is stuck in the "hummingbird" mode. Krusty
    % lifts himself in the air briefly by flapping his arms, before
    % collapsing on the ground.

    See also:

    http://en.wikipedia.org/wiki/Treehouse_of_Horror_X#Life.27s_a_Glitch.2C_Then_You_Die [wikipedia.org]

    -theGreater.
  • Just make a pacemaker for the pacemaker. That way, if it ever shuts down, it'll have a tiny little heart inside it to get it going again.
  • Just shut it off (Score:2, Insightful)

    by epilido (959870) *
    Most pacemakers and defibrillators can be turned off with just a magnet. This is designed to allow medical staff to stop a defective device. Yep I have done it myself and seen it done many times for diagnostic reasons in the hospital. M
    • Indeed - most technology exhibits that contain strong magnets have warnings about pacemakers. And a strong electromagnet could be hidden anywhere (didn't this site discuss them in door frames to avoid seizing of harddrive data, in fact?). The wireless networking may seem scary, but unless the range of the receiver is much greater than it needs to be, this doesn't sound like it would make pacemakers much more fragile than they already are.

      I guess it's psychological. We humans don't like being reminded of how
      • Actually what the magnet does is turn off the sensing function (by flipping a reed switch in the pacer), and demotes a highly functional piece of electronics into something much dumber. (It just paces at a set rate without having any look at what the heart is doing.)

        This can be used to stop a lot of 'runaway pacer' issues (which almost never happen with modern devices), and I suspect a lot of potential hacks. However it doesn't precisely shut it off. But it does solve a lot of problems.
  • Wait for it (Score:5, Funny)

    by Bombula (670389) on Wednesday March 12, 2008 @08:51AM (#22727536)
    "It wasn't me grabbing her ass your honor, someone hacked my arm!"
  • by dbIII (701233) on Wednesday March 12, 2008 @08:52AM (#22727548)
    RSA encryption is used in these devices. There certainly is a lot of techofear journalism about lately.
  • A better method (Score:5, Interesting)

    by yamamushi (903955) <yamamushi@nOSpAM.gmail.com> on Wednesday March 12, 2008 @08:54AM (#22727560) Homepage
    The article details how the researchers had to be within 2 inches of the pacemaker, and several thousands of dollars worth of equipment. I suspect there is an easier way to deactivate a pacemaker, find out what frequency they operate at. I've got an FM radio blocker, that is basically just a 100mhz oscillator, a potentiometer, and a battery. It works by canceling out a given frequency, thus letting me silence my neighbors stereo from 50ft away. I know the technique works for the 2.4ghz band, for blocking out wireless phone signals and whatnot. I suppose finding an oscillator in the high ghz range would suffice for 'killing' a pacemaker.
  • But device makers have begun designing them to connect to the Internet, which allows doctors to monitor patients from remote locations.

    "Excuse me, sir? The plane is about to taxi, and I'm going to need you to shut down your wireless internet device."

    Some day in my lifetime, a person's heart might have "flight mode." That idea bowls me over. I'm assuming this is some kind of cellular internet connection the devices use. Fifteen seconds of google didn't really turn up much info, but then again I wasn't
  • So can I get the pacemaker make a heartbeat sound like the jumping sound effect....

    "nah nah nah nahhhhhhhhh"
  • It's not that bad (Score:2, Interesting)

    by Anonymous Coward
    (Posting this as AC since I don't want to get in trouble).

    I think the summary is more alarming than the actual article. The researchers had to be at two inches from the device in order to tamper with it.

    It's probably not such a big deal now, but some more thought should definitely go into future products. 30000$ sound like much, but it certainly sounds like a bargain if you can kill the Vice President of the USA without even touching him.

    I mean, imagine the following scenario:

    1. Bad guys want to kill Cheney
    • Re: (Score:3, Funny)

      by mbstone (457308)
      I mean, imagine the following scenario:

      1. Bad guys want to kill Cheney. That seems quite plausible.


      2. Secret Service anticipates this. NSA and the Office of the Sergeant at Arms of the U.S. Senate are tasked to establish and test a set of security controls.

      3. Pursuant to applicable FISMA, OMB, NIST and DoD regulations, it is determined that Cheney's pacemaker must undergo Certification and Accreditation under DIACAP (Doing Information Assurance on Cheney's Automatic Pacemaker) throughout the VP's Life Cycl
  • Dick Cheney is preparing to leave office and NOW you tell us?!?!
  • Insider (Score:3, Insightful)

    by More Trouble (211162) on Wednesday March 12, 2008 @09:04AM (#22727652)
    Would I need a "team of experts" and $30K of gear if I had worked as an engineer for Medtronic?
  • Yee-ha! (Score:5, Funny)

    by clickety6 (141178) on Wednesday March 12, 2008 @09:13AM (#22727706)


    I'm gonna overclock this sucker!
    Better than a triple espresso!
  • Punchline: Heartworm.
  • Imagine hooking up your pacemaker to your favorite FPS via bluetooth or something. Every time you get hit your heart misses a beat. Literally.

    I can also just imagine installing Vista remotely onto the pacemakers of all those Windows fanboys. ... :-) Hehehe ...
  • by Joe The Dragon (967727) on Wednesday March 12, 2008 @09:33AM (#22727900)
    Some health care insurance / hospitals may want to cut you off if you can't pay or they found out that you had a pre existing condition they make you pay up and say pay or we cut you off.
    Some of them have said that a kidney transplant is to experimental and they let a someone die just to get out of paying for it.
  • There was a movie about someone putting bombs in Pacemakers

    http://en.wikipedia.org/wiki/Dead_in_a_Heartbeat [wikipedia.org]
  • by InterGuru (50986) <[moc.urugretni] [ta] [dhj]> on Wednesday March 12, 2008 @09:50AM (#22728092) Homepage
    Every six months my pacemaker is checked. Part of the test is to speed and slow down the pacemaker and my heart for a short time.

    It is a truly heartfelt experience.

    Bookwormhole.net [bookwormhole.net] -- a site for book lovers.
    • by Misch (158807)
      I know. I was in for a checkup recently and came to the realization that of all the things I have been able to toy and tinker with, my doctor was essentially programming my heart.

      I almost cried as I realized I had just been outgeeked, since I would never be allowed to operate the control panel. My doctor has toys that I cannot play with.
  • Hmm, old story but interesting.
  • ...a blue-hair receives a text message from her grandkids...

            H4 H4 H1 GR4NNY W3 H4XX0RS U! W3 RuL3!

    (Meanwhile, Granny clutches at her chest as her pace maker pulses out the drum solo from "In A Gadda Da Vida")

  • I agree with those that said that in order to "hack" the pacemaker you have to be at a very close range to the victim. At this range, you could just as easily stab or shoot them. As a more general rule, apart from a select few VIP figures, there is nothing we can do to prevent someone from carrying out a murder if they want to, the only thing we can do is punish them after the fact and hope it serves as deterrent for others.

    What IS a problem is that unlike other means to kill a person at close range, this m
    • Re: (Score:3, Informative)

      by Rick Genter (315800)

      I agree with those that said that in order to "hack" the pacemaker you have to be at a very close range to the victim. At this range, you could just as easily stab or shoot them. As a more general rule, apart from a select few VIP figures, there is nothing we can do to prevent someone from carrying out a murder if they want to, the only thing we can do is punish them after the fact and hope it serves as deterrent for others.

      What IS a problem is that unlike other means to kill a person at close range, this m

  • Insulin pumps too! (Score:3, Insightful)

    by wizman (116087) on Wednesday March 12, 2008 @02:40PM (#22731770)
    My girlfriend is a type 1 diabetic. Instead of regular injections, she uses an insulin pump. This pump is an external device, about the size of a pager, that feeds insulin into her body via a short tube.

    Several months ago she upgraded to a new pump. This new model (a Medtronic MiniMed) wirelessly communicates with a number of devices. It receives blood glucose data from a continuous glucose monitor. It also receives her regular readings from her standard "prick your finger" blood sugar tests via her test kit. And, it has a wireless key fob that allows her to adjust the pumps settings without having to dig through pockets and clothes to get at the unit.

    My first comment to her was "With all of this wireless control, how easy is it for someone to use this wireless interface to put you into a diabetic coma, or worse, kill you?" She thinks it's a fairly ridiculous concept, citing encryption, receiver range, and "Why would anyone want to kill me?", among other reasons.

    Well, I say that anything that has any type of wireless interface is hackable. There are, of course, no published documents that I can find detailing what steps have been taken to secure these devices. I'm seriously concerned as to whether or not the companies that make insulin pumps, pace makers, implants, etc, may not be taking these concerns seriously.

For every bloke who makes his mark, there's half a dozen waiting to rub it out. -- Andy Capp

Working...