Hacking a Pacemaker 228
jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."
Bionic eye (Score:5, Interesting)
Oh yeah, the oblig: We are cyborg. You will be assimilated. resistance is not only futile but you won't resist, you'll beg to join us..
remote kill? (Score:1, Interesting)
Re:Bionic eye (Score:1, Interesting)
So they can crack RSA and then get the pacemaker? (Score:3, Interesting)
Re:remote kill? (Score:5, Interesting)
The technology for that already exists; it's called a "gun". It replaced an older technology called an "arrow", which in turn was the replacement for an even older technology called the "javelin". There was also an older technology called a "sling" which was a peripheral device designed to increase the effectiveness of the original technology call the "rock".
People have been remotely killing other people for millions of years.
A better method (Score:5, Interesting)
Re:Bionic eye (Score:3, Interesting)
It's not that bad (Score:2, Interesting)
I think the summary is more alarming than the actual article. The researchers had to be at two inches from the device in order to tamper with it.
It's probably not such a big deal now, but some more thought should definitely go into future products. 30000$ sound like much, but it certainly sounds like a bargain if you can kill the Vice President of the USA without even touching him.
I mean, imagine the following scenario:
1. Bad guys want to kill Cheney. That seems quite plausible.
2. They find out the exact model of his pacemaker. That sounds feasible with some knowledge of the field, money, time and determination.
3. They buy one and hire some researchers to crack it and to create an automated system which is portable and works reliably. Say, a laptop with some transmitter attached or something similar. This is quite hard, but should be feasible as well with enough money and time.
4. The researchers manage to increase the range from 2 inches to 20 inches. This is probably the hardest part.
5. The bad guys put the laptop in a briefcase, wires running up the sleeve and the transmitter in the other sleeve (close to the hand). This is easy.
6. Now they just have to get close enough to Cheney. I have no idea about how hard this is.
7. He has a "heart attack". Bodyguards/security come running and push all the people away. People go away because they don't want trouble, including the guy with the briefcase. I think this is quite realistic.
8. Cheney dies. Maybe they find out that the pacemaker was tampered with, maybe not. If not, the plan worked out perfectly. If yes, they will have some video on a security camera showing the bad guy, who is in another country by now. Maybe they catch him, maybe not.
This sounds pretty far fetched (and it is), but it could be possible with some minor advances. So some more thought should go into these devices.
Pacemakers have batteries which have enough power to supply some encryption hardware. What should be done to prevent this scenario is something like this:
1. Create a key pair for every pacemaker. The public key is on the pacemaker, the private key gets printed on a 2d barcode on a piece of plastic. The patient gets the barcode which he carries in his wallet. The patient's doctor/hospital also gets a barcode.
2. The devices used to communicate with the pacemaker have a slot for the barcode.
3. The pacemaker ignores any request not signed with the private key. Problem solved!
Re:Bionic eye (Score:4, Interesting)
Pacemakers are [i]implanted[/i] under the skin. The only way to interface with them is through induction or radio signals. The signals have ranges measured in centimeters.
Re:Don't fear.... much (Score:3, Interesting)
Not only that, but let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead.
Re:So they can crack RSA and then get the pacemake (Score:5, Interesting)
Re:Bionic eye (Score:3, Interesting)
Finding out which settings you like or don't like unfortunately involves putting a pacemaker into you first. Of course, you could go with a completely dumb device, but your heart would be paced too fast when you're asleep and too slow when you're physically active.
Re:Don't fear.... much (Score:3, Interesting)
Before you ask, you should *not* start passwords-protecting these devices, as you may have a patient traveling and rendered unconscious and need to make setting changes and not have time (or ability) to call the manufacturer.
When my pacemaker is tested (Score:4, Interesting)
It is a truly heartfelt experience.
Bookwormhole.net [bookwormhole.net] -- a site for book lovers.
Re:Bionic eye (Score:4, Interesting)
Public-Private Key cryptography. The manufacturer has a public key, and it's embedded into the device. The manufacturer's private key is kept secret in the same way as the PKI people do it; there are multiple parties required to do anything to the key, there is armed security 24/7, and the key is treated as if people's lives depend on it because that's the situation. There's a process to go through for a hospital to get certified to update the device. When the hospital certifies a doctor to update the device, the doctor's public key is signed by the manufacturer's private key. The doctor keeps his private key on a smart card that requires a PIN with the full knowledge that people could die if he loses it. Preferably the smart cards are kept under lock and key at the hospital next to the lethal drugs and the morphine. When an update command is done, a specially formatted message is signed by the doctor's private key, and the message is send along with the doctor's certificate (the doctor's public key signed by the manufacturer's private key). If there's no valid certificate or the message format is not correct, no command interpretation takes place. If everything checks out, the command is logged in onboard flash memory and the device updates. If someone's pacemaker is updated in a manner that kills them, there is an audit trail pointing to exactly who's at fault. I don't care how much more expensive it is, particularly when the answer is 'not very.'
People's lives are at stake here, the manufacturers should be held liable and negligible if they aren't using already existing methods that essentially guarantee security.
Ah, the smart-arse non-sequiturs (Score:2, Interesting)
So basically you're telling me that you have to have an external thing strapped to your chest, full time, for it deal with that? I thought they were programmed by a cardiologist once, and left on their own afterwards.
_If_ any model needs it to be done that often, there _are_ ways to have things sticking out of someone's skin (think: dental implants) or have an electrode go out to right under the skin (think: some hearing implants.) So, you know, they require contact or near contact to work at all.
That still doesn't excuse its being an insecure protocol. If the only thing it has going for its security is that it's a custom proprietary protocol, then at best it's "security by obscurity." I.e., an antipattern by any other name.
Again, there are ways to place electrodes for that, so they don't involve shooting a couple of amps through the chest.
So, basically, to wrap this up: I don't know what your qualifications are, but security is obviously not one of them. You can tell that when someone starts stringing straw men, non-sequiturs and a few other fallacies as why they didn't and shouldn't think about security. Whether it's about pacemakers or "why XSS vulnerabilities are overhyped and inevitable, and you shouldn't ask me to learn to encode strings" types, it's the same basic phenomenon.
At the end of the day, I still don't see why those things shouldn't be more secure. And I still don't see how your arguments have anything to do with security. No, it doesn't have to be fixed rate to be secure. No, you don't need to shoot a few amps through someone's chest. Etc. You just need to spend some time designing and reviewing it for security too, which is where most people fail. In all domains, so I'm not just picking on pacemakers. Pretty much invariably the failure isn't that security is impossible, it's that it didn't occur to anyone to even think (much) about it.
I mean, seriously, it didn't take me more than 5 minutes to think up solutions to those issues you raise, and I'm not even claiming to be the smartest guy around. I'm sure you or the companies manufacturing them too can come up with even better ones. But for that to happen, you have to snap out of the reflex of defending insecure designs as inevitable and impossible to change. You just need to devote some honest thinking and research to security too. That's all.
Or even shorter, as I was saying: it's that fatalism that's the problem. Too many people are too quick to throw both hands up and accept that everything is hackable anyway, rather than even try to do better.
Re:Bionic eye (Score:4, Interesting)