Hacking a Pacemaker

jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."

Some health care insurance / hospitals may want to

[Joe The Dragon]

Some health care insurance / hospitals may want to cut you off if you can't pay or they found out that you had a pre existing condition they make you pay up and say pay or we cut you off.
Some of them have said that a kidney transplant is to experimental and they let a someone die just to get out of paying for it.

Re:That kind of attitude is the problem

[Asic Eng]

Why _does_ a pacemaker need a WiFi interface anyway?

Well it's not a pacemaker, it's a combination pacemaker/defibrilator. The second part is the reason why it can "deliver potentially fatal jolts" - that's just the range a defibrilator operates in. A connection via the internet allows a doctor to be notified of problems while the patient is at home, and the doctor could even take corrective actions right away. That's presumably why one of the doctors involved in this investigation said "If I needed a defibrillator, I'd ask for one with wireless technology." This is great research though - while it may not be possible to prevent any attack, it's quite possible to put safeguards in place and these guys are pushing the FDA and the industry to make that happen.

Re:Bionic eye

[Anonymous Coward]

Changes in your health/body can warrant these adjustments.

Re:Bionic eye

[tsa]

Believe me, you really want the thing to be programmable. They have to try a few settings to find oujt which makes you feel good, and if/when your body changes they can adjust the pacemaker accordingly. Modern pacemakers are marvellous pieces of technology that can give you your life back as long as you program them well!

Re:Don't fear.... much

[NIckGorton]

I'm not so sure about that (speaking as an ER physician who would generally be the one saying WTF is the password???)

In the worst case scenarios, either 1) put a donut magnet over it and it can be stopped or 2) give me a scalpel and 30 seconds and I can cut the leads, and then we can externally pace and/or defibrillate the person.

So I am not sure that the risk of being password protected would outweigh the risk of not being password protected. I'd want mine password protected, then put the password on a medic-alert bracelet that I wear.

Re:Ah, the smart-arse non-sequiturs

[I_Love_Pocky!]

I appreciate your enthusiasm, but thank god you aren't designing these devices. I work for one of the competitors to Medtronic (the company whose devices were studied). We have encryption in our RF communication. We DO take security into consideration, but there are trade offs that have to be considered. Battery life is generally the most important consideration. Every time surgery needs to be performed to physically access the device (usually because of a depleted battery) there is a risk of complications. These aren't insignificant risks either. Keep in mind the people getting these devices have health problems of some sort or they wouldn't be getting them. With that in mind, security solutions in this domain have to be very well thought out so as to avoid draining the battery significantly. So please, don't for a second presume that we are a bunch of monkeys sitting around on our asses ignoring real concerns. The real issue is that there are far more concerns than you are aware of. We do evaluate these concerns and try to build the best devices possible with the fewest compromises.

Re:Bionic eye

[Beardo the Bearded]

Ah, finally, someone understands something! Most programmers think that EVERYTHING that can be programmed has a multi-core architecture with a hard drive, monitor, etc. You haven't seen most of the computers that you use on a daily basis. Do you think your elevator runs a Duo-core? Your apartment buzzer controller isn't made by AMD.

I'm an EE with a lot of embedded experience in RF devices. I've had to make recalls because the standby current* was 50uA instead of 12uA. (For a GPS tracking board with VHF transmitter.)

The level of misunderstanding that's required to think that you can surreptitiously reprogram somebody's pacemaker without their knowledge is astounding. If you've got a pacemaker and someone tries to walk up to you and reprogram your chest, just walk away, man. Walk away. It's not like it's going to take 2 seconds to line everything up correctly. Even if all the technical details are magically sorted, a different brand could make your hack useless. So could temperature, humidity, clothing, chest hair, and any of the other RF voodoo things that you have to deal with.

*(Technically "quiescent" but I'm not sure everyone knows what that means.)

Re:A better method

[EMCEngineer]

That is not strictly true. You can create EMP-like pulses in a lab setting. If you have the right antenna and a big enough amplifier you can fry most electronics. The difference is you are very limited in distance of effectiveness, and susceptible frequency range will change with different devices and orientations.

So in a strictly theoretical sense, yes you can kill electronics with RF. On the practicle side, it's like saying you can build a rail gun at home. Sure you can build a 5th grade science class level one that shoots marbles, but that's not what people mean when they say rail gun.

Re:Dealing with the threat

[Rick Genter]

I agree with those that said that in order to "hack" the pacemaker you have to be at a very close range to the victim. At this range, you could just as easily stab or shoot them. As a more general rule, apart from a select few VIP figures, there is nothing we can do to prevent someone from carrying out a murder if they want to, the only thing we can do is punish them after the fact and hope it serves as deterrent for others.

What IS a problem is that unlike other means to kill a person at close range, this method is rather subvert, and unless you are an expert at recognizing behavior and/or expect the victim to be targeted, you will probably not even notice the attack took place. Picture this: a man walks by another man, with a wireless device in his pocket and already pre-configured to carry out the attack. They each go their own ways, and seconds later the other man has a heart attack. The pacemaker is likely not to keep any logs that can reveal the nature of the "hack". So unless you find the equipment used for "hacking" and can tie it to the attacker, you have very little evidence to charge them with.

I have a Medtronic pacemaker implanted. A few points:

1) When the doctor wants to communicate with it, he lays the transceiver on my chest, directly over the pacemaker. It works through my shirt, but the total distance is probably no more than 2 to 3 cms. Yes, it may work at a greater distance, but I doubt it's much more than 10 to 15 cms. One of the things about pacemakers is that they run at very low power. So, yes, it would be easier to shoot me than to hack my pacemaker.

2) The pacemaker has decent data storage. Any change to its settings is logged internally. All sorts of other biometrics (highest heart rate detected and when, %age of beats for which pacing was required, etc.) are logged as well and available for download. I'd be surprised if they *couldn't* tell that the pacemaker had been hacked, and when.

Re:Bionic eye

[Beardo the Bearded]

Both multiplication and division are "heavy" operations in the embedded world. Incorporating them into the code even once can mean that your code won't fit into the footprint. One chip I used in 2006 has 512 bytes of Flash and 24 bytes of RAM. Not for a trivial application either - there are tens of thousands of that product out in use right now, and people depend on the device to live.

Sure, a few chips have built-in single-line multipliers, but I don't think that's what they use in pacemakers.The pacemaker chips are probably running at 32kHz (kilohertz) for battery efficiency.

I don't think that the very remote chance of a pacemaker hack with technology that doesn't exist is a sufficient threat to require encryption on the pacemaker. If thousands of people start dying as a direct result of this hack, then I might change my mind.