Hacking a Pacemaker

jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."

Don't fear.... much

[NIckGorton]

From TFA:

a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal

hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts -- they include Vice President Dick Cheney -- have no need yet to fear hackers

No need to fear they tell us because:
One:

The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals.

And two:

"To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,"

Um, that was until a NYTimes article described that it could be done and (more importantly) a /. article linked to that NYTimes article so tons of geeks worldwide see the information. While security through obscurity doesn't really work, there is something to be said for people just not noticing that a thing is hackable.

Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

If I had an AICD, I sure as hell wouldn't want to be around Cheney, lest the signal from mine be confused with his. Of course maybe that is why he has a man sized safe in his office is a Faraday cage.

But why?

[Tsoat]

Even if you could hack it wirelessly the only benefits I see are bragging rights cool they may be just doesn't seem worth the time and effort

Just shut it off

[epilido]

Most pacemakers and defibrillators can be turned off with just a magnet. This is designed to allow medical staff to stop a defective device. Yep I have done it myself and seen it done many times for diagnostic reasons in the hospital. M

More interestingly: get away with it

[davidwr]

I heard Uncle Joe is about to write me out of his will. He has a pacemaker. He's old, there won't be an autopsy. Hmmm......

Re:Bionic eye

[Ihlosi]

Once they've sewn one into my chest (thank God heart disease doesn't run in my family) I wouldn't want it to be programmable!

Um, yes you do. Do you want them to have to cut you open because you don't like the maximum pacing rate and want to have it reduced by 5 bpm ?

Insider

[More Trouble]

Would I need a "team of experts" and $30K of gear if I had worked as an engineer for Medtronic?

That kind of attitude is the problem

[Moraelin]

Well, sad to say and please don't take it as an offense, it's that kind of attitude that's the cause of half the problems today. Products are made by engineers couldn't care less about security, with their budget dictated by a boss who couldn't care less about security, and end up configured by users who couldn't care less about security. Because they all operate under that assumption that if it's even remotely related to computers or electronics, it can be hacked anyway, so why bother?

Well, no, there are ways to prevent that.

Let's start with the simplest: you can't remote-hack a computer which isn't connected to the net. Pull your network cable out of the computer and that's it, you can't be hacked by some guy in China any more.

Of course, you don't want to do that to your home computer, but we're talking pacemakers and the like. Why _does_ a pacemaker need a WiFi interface anyway? No, seriously. It's not like you want the users to surf for porn and post to Slashdot on their pacemakers. It's not even an appliance, as far as the user is concerned, it's a standalone device like their computer chair or the windshield wipers on their car. You have no freaking need for those to be networked, in any form or shape.

And here's an even more sobering thought: even if you wanted some control from outside, you're near your pacemaker the whole time. In fact, it's inside you. There's no time when you're on the other side of the town than your pacemaker is. So even if you're one of the die-hards that can argue with a straight face why you might need to log in to your fridge from work, the same doesn't apply to pacemakers. You're near it all the time. Any interface to it or from it can be contact-based just as well.

Second, even if you do want it networked, there _are_ ways to minimize bugs drastically. Code _can_ be proven correct, test cases can cover the code to ridiculous extents, and the thing can be riddled with pre- and post-condition checks right in the code and be able to fail safely to its normal offline mode. Yes, it's damn expensive to do that to something the size of Vista. But we're talking a pacemaker. It's just not the same number of lines of code. (Or if it does have millions of lines of code, maybe you just need to fire the guy who programmed it;)

More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it. You don't want a car's brakes to be hijacked by wireless by the guy in the next car, so you just don't give them a wireless connection. Do you see any reason why we wouldn't apply the same thinking to a pacemaker? It's even more likely to kill than hijacking someone's brakes. There is no airbag to save you when your pacemaker fails.

So what I'm saying is: let's all stop and think twice before shrugging and dismissing security as impossible anyway. Sometimes it's very feasible to make it bulletproof, and, really, it has no excuse to not be so.

Re:remote kill?

[Oktober Sunset]

Killing people remotely is not hard, doing it without anyone knowing it was you, without any indication at the time that it was anything other than natural causes, requiring no opportunity other than being within wireless range and leaving no evidence behind whatsoever. That's the novel part.

Re:That kind of attitude is the problem

[Ihlosi]

Why _does_ a pacemaker need a WiFi interface anyway?

Because sticking a JTAG connector through someones chest is fairly painful. You're welcome to experiment on yourself to confirm this.

Also, it's not a WiFi interface. It's a short-range (it goes through your chest, and water absorbs radio waves like crazy), custom, wireless interface. You have no freaking need for those to be networked, in any form or shape.

And you're, what ? An M.D. ? A biomedical engineer ?

Tell you what: Have fun with your dumb fixed-rate 75 bpm pacemaker, but don't expect to be running up any stairs anytime soon.

Any interface to it or from it can be contact-based just as well.

It basically is, genius. Or do you want it so contact-based that they have to shoot a couple of amps through your chest in order to make the pacemaker respond ? Hint: Think of a vital organ that's very, very close to the pacemaker and reacts very badly to having current shot through it.

More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it.

They're also conveniently located outside the human body, so plugging a special connector into them doesn't involve going through someones tissue first.

Re:But why?

[kalirion]

Unless you're looking to kill someone by pressing a button, of course.

Re:That kind of attitude is the problem

[DataBroker]

So what I'm saying is: let's all stop and think twice before shrugging and dismissing security as impossible anyway. Sometimes it's very feasible to make it bulletproof, and, really, it has no excuse to not be so.

The excuse is that people are not willing to spend the difference it would cost to make it bulletproof. There are diminishing returns (even on life-saving devices) which people won't recognize or spend on.

Imagine walking into a doctor's office being presented with two (apparently) identical devices. One costs $1000, and the other costs $10,000. Yes, it's your life, but spending another $9000 to make it more secure isn't going to be the option most people choose.

Beyond that, imagine trying to convince an HMO the medical necessity for spending more money on the secure version. I'd suspect that the manufacturers have already considered that and decided to be competitive instead.

Re:remote kill?

[legoman666]

Sorry friend, that niche is already filled: http://www.lessemf.com/personal.html [lessemf.com]

Re:But why?

[MttJocy]

Guns however create pesky ballistic evidence, a wireless signal passed to the device may show up in it's log somewhere if an old guy with a pacemaker dying of a heart attack was even autopsied but it could still be just taken as natural causes, not only that but even if you could prove the device was tampered with it could be difficult to link such a signal with the transceiver that sent it directly, unlike trying to link a bullet to a gun. Now bear in mind people have tried some pretty mental schemes in an attempt to get away with murder and it doesn't seam that ridiculous that someone could actually try something that elaborate in order to attempt to kill someone without it being traced back to the attacker. Of course there is still the fact that not having the pacemaker has pretty good odds of killing you anyway, having one without the wireless technology would mean it would need to be altered by surgery which also carries a risk of death which is far higher than the risk of hacking so it is overreacting really to get overly worried about it all the same.

Re:Bionic eye

[shaiay]

Even if you can transmit very strong signals to the pacemakers from afar, the answer will be very faint (these things need to run for years on a single battery, they are very low power). Most communication protocols are bidirectional, so you won't really be able to communicate with it.

As an added precaution, some manufacturers (at least Biotronic IMHO) have devices which only communicate when a magnet is placed near (again centimeters) the device, thus closing a magnetic switch and enabling communication.
This is extremely hard to "hack" from afar -- you would need a very strong magnet which would probably cause a lot of other problems.

Re:Bionic eye

[Ihlosi]

Public-Private Key cryptography.

Sure. Will you ship your secure, encrypted pacemaker with an external power supply to plug it in ?

Sheesh. These things don't come with a multi-core desktop CPU. They're ultra low-power systems, optimized for battery life because changing the battery requires surgery, which already puts your life at stake (Sorry - cutting your chest open isn't trivial. And the chance of something bad happening during or after surgery (infection, complications with the anesthesia, etc), as of now, is about infinitely higher than someone hacking your pacemaker to kill you).

If you'd get a pacemaker, would you get the one that requires you to be cut open every five years, or the one that requires you to be cut open every eight years ?

Re:Bionic eye

[nahdude812]

And once the private key is cracked or exposed, do you operate on everyone with that model pacemaker?

The thing is that this private key needs to be sent to every hospital and doctor's office which wants to make adjustments to the pacemaker. They'll have it, whether it's embedded in a chip or written in a config file. You have to make this information public in some sense, the very best you could hope to do is use some kind of DRM to protect the key from exposure, but as we all know, such exercises are fated to failure.

And what happens when a pacemaker manufacturer discontinues a line and stops manufacturing the equipment to tune certain kinds of pacemakers (such as would be expected to happen should a key be discovered), do these patients just have to hope that the equipment used for tuning their pacemaker outlives them?

Also, will doctors and hospitals have to buy dozens of different pacemaker adjustment machines, one of every type, even those they don't install themselves so that they can treat patients who move into the area? What happens when the patient needs emergency adjustment of his pacemaker but doesn't remember the model he has (or isn't conscious)?

Finally, these devices don't exactly have little general purpose CPU's in them. One of their biggest concerns is decent battery life. If we put something in there as computationally intensive as strong private/public key cryptography, you're going to significantly hurt the battery life of these devices.

This problem is not as simple as it seems on the surface. It turns out that human life is fragile, and there are many ways in which you can kill someone, some of them even require little effort to kill many people. Hacking this device in a way that endangers other humans would not even need new laws to be punishable since we fortunately already have laws which surround murder, reckless endangerment, and other such things which actually or reasonably could result in the death or injury of other humans.

Insulin pumps too!

[wizman]

My girlfriend is a type 1 diabetic. Instead of regular injections, she uses an insulin pump. This pump is an external device, about the size of a pager, that feeds insulin into her body via a short tube.

Several months ago she upgraded to a new pump. This new model (a Medtronic MiniMed) wirelessly communicates with a number of devices. It receives blood glucose data from a continuous glucose monitor. It also receives her regular readings from her standard "prick your finger" blood sugar tests via her test kit. And, it has a wireless key fob that allows her to adjust the pumps settings without having to dig through pockets and clothes to get at the unit.

My first comment to her was "With all of this wireless control, how easy is it for someone to use this wireless interface to put you into a diabetic coma, or worse, kill you?" She thinks it's a fairly ridiculous concept, citing encryption, receiver range, and "Why would anyone want to kill me?", among other reasons.

Well, I say that anything that has any type of wireless interface is hackable. There are, of course, no published documents that I can find detailing what steps have been taken to secure these devices. I'm seriously concerned as to whether or not the companies that make insulin pumps, pace makers, implants, etc, may not be taking these concerns seriously.

Re:Bionic eye

[darkfire5252]

Look up public private key cryptography and get back to me. Asymmetric cryptography does not require revealing the private key to hospitals....

Re:Bionic eye

[pnewhook]

Yes, its all nice and simple to the software guy that doesn't know what he is talking about.

Yes what you are asking is possible but it's prohibitively expensive, pointless, and adds ZERO benefit to the patient. In fact because of the extra power draw of this pointless device the patient will have to undergo extra surgeries to replace the battery more ofter thereby further jeopardizing the patient safety.

Re:Bionic eye

[geekyMD]

You sir, are a moron. You suggest: 1) Requiring doctors to carry smart cards with encryption data 2) Requiring doctors to keep said cards with "the morphine" (showing you have never seen how a hospital manages secure resources) 3) Said hideously rare and necessarily hard to obtain cards would be required to save a life in dire emergent situations. This shows: 1) You have never seen how an emergency room or hospital inpatient floor works. 2) You have no idea how a pacemaker interrogator works. Furthermore, you suggest: 1) A hideously complex encryption system based on ONE point of weakness: the manufacture's private key. 2) You KNOW this is a weak point by your suggestion of "armed guards" (where should they be? in yur hard drivez guardin' your bites?) Therefore: 1) You have suggested a security by obscurity scheme which even the RIAA is learning just doesn't work. 2) You have definitively solved a "hard" problem in a field of experience vastly different from your own by applying your specific brand of expertise without any form of intellectual humility. Which shows: You're a slashdotter alright. I also stipulate: Due to your heinous disregard of human life in your brash search for security, and disregard of other peoples input on this forum, as priorly asserted: You sir, are a moron.

Re:Ah, the smart-arse non-sequiturs

[I_Love_Pocky!]

I can't speak to how Medtronic implements their RF communication, but as I said ours is encrypted and boosting the signal to "hack" someone does not get around the encryption.

With the encryption that you say your company uses, wouldn't it simply be a matter of acquiring a single sending device, and reverse engineering it?
No. The individual communication session is protected by a unique key. Still, if you physically had a programmer (the sending device you mentioned), you could use it without any hacks to change a patient's settings just as a doctor could, but it would require physical proximity on the order of a few cm. This sort of communication does not occur using RF. You can't spoof this with a high gain antenna or any such thing because the communication isn't occurring using radio frequencies at all. And as you said, at this range you could kill a person any number of other ways.