Hacking a Pacemaker 228
jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."
Some health care insurance / hospitals may want to (Score:3, Informative)
Some of them have said that a kidney transplant is to experimental and they let a someone die just to get out of paying for it.
Re:That kind of attitude is the problem (Score:3, Informative)
Well it's not a pacemaker, it's a combination pacemaker/defibrilator. The second part is the reason why it can "deliver potentially fatal jolts" - that's just the range a defibrilator operates in. A connection via the internet allows a doctor to be notified of problems while the patient is at home, and the doctor could even take corrective actions right away. That's presumably why one of the doctors involved in this investigation said "If I needed a defibrillator, I'd ask for one with wireless technology." This is great research though - while it may not be possible to prevent any attack, it's quite possible to put safeguards in place and these guys are pushing the FDA and the industry to make that happen.
Re:Bionic eye (Score:1, Informative)
Re:Bionic eye (Score:5, Informative)
Re:Don't fear.... much (Score:5, Informative)
In the worst case scenarios, either 1) put a donut magnet over it and it can be stopped or 2) give me a scalpel and 30 seconds and I can cut the leads, and then we can externally pace and/or defibrillate the person.
So I am not sure that the risk of being password protected would outweigh the risk of not being password protected. I'd want mine password protected, then put the password on a medic-alert bracelet that I wear.
Re:Ah, the smart-arse non-sequiturs (Score:5, Informative)
Re:Bionic eye (Score:4, Informative)
I'm an EE with a lot of embedded experience in RF devices. I've had to make recalls because the standby current* was 50uA instead of 12uA. (For a GPS tracking board with VHF transmitter.)
The level of misunderstanding that's required to think that you can surreptitiously reprogram somebody's pacemaker without their knowledge is astounding. If you've got a pacemaker and someone tries to walk up to you and reprogram your chest, just walk away, man. Walk away. It's not like it's going to take 2 seconds to line everything up correctly. Even if all the technical details are magically sorted, a different brand could make your hack useless. So could temperature, humidity, clothing, chest hair, and any of the other RF voodoo things that you have to deal with.
*(Technically "quiescent" but I'm not sure everyone knows what that means.)
Re:A better method (Score:2, Informative)
So in a strictly theoretical sense, yes you can kill electronics with RF. On the practicle side, it's like saying you can build a rail gun at home. Sure you can build a 5th grade science class level one that shoots marbles, but that's not what people mean when they say rail gun.
Re:Dealing with the threat (Score:3, Informative)
I have a Medtronic pacemaker implanted. A few points:
1) When the doctor wants to communicate with it, he lays the transceiver on my chest, directly over the pacemaker. It works through my shirt, but the total distance is probably no more than 2 to 3 cms. Yes, it may work at a greater distance, but I doubt it's much more than 10 to 15 cms. One of the things about pacemakers is that they run at very low power. So, yes, it would be easier to shoot me than to hack my pacemaker.
2) The pacemaker has decent data storage. Any change to its settings is logged internally. All sorts of other biometrics (highest heart rate detected and when, %age of beats for which pacing was required, etc.) are logged as well and available for download. I'd be surprised if they *couldn't* tell that the pacemaker had been hacked, and when.
Re:Bionic eye (Score:3, Informative)
Sure, a few chips have built-in single-line multipliers, but I don't think that's what they use in pacemakers.The pacemaker chips are probably running at 32kHz (kilohertz) for battery efficiency.
I don't think that the very remote chance of a pacemaker hack with technology that doesn't exist is a sufficient threat to require encryption on the pacemaker. If thousands of people start dying as a direct result of this hack, then I might change my mind.