Hacking a Pacemaker
jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."
Don't fear.... much (Score:5, Insightful)
One:
Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.
If I had an AICD, I sure as hell wouldn't want to be around Cheney, lest the signal from mine be confused with his. Of course, maybe that is why the man-sized safe in his office is a Faraday cage.
Re:Bionic eye (Score:5, Insightful)
Um, yes you do. Do you want them to have to cut you open because you don't like the maximum pacing rate and want to have it reduced by 5 bpm?
That kind of attitude is the problem (Score:3, Insightful)
Well, no, there are ways to prevent that.
Let's start with the simplest: you can't remote-hack a computer which isn't connected to the net. Pull your network cable out of the computer and that's it, you can't be hacked by some guy in China any more.
Of course, you don't want to do that to your home computer, but we're talking pacemakers and the like. Why _does_ a pacemaker need a WiFi interface anyway? No, seriously. It's not like you want the users to surf for porn and post to Slashdot on their pacemakers. It's not even an appliance, as far as the user is concerned, it's a standalone device like their computer chair or the windshield wipers on their car. You have no freaking need for those to be networked, in any form or shape.
And here's an even more sobering thought: even if you wanted some control from outside, you're near your pacemaker the whole time. In fact, it's inside you. There's no time when you're on the other side of the town than your pacemaker is. So even if you're one of the die-hards that can argue with a straight face why you might need to log in to your fridge from work, the same doesn't apply to pacemakers. You're near it all the time. Any interface to it or from it can be contact-based just as well.
Second, even if you do want it networked, there _are_ ways to minimize bugs drastically. Code _can_ be proven correct, test cases can cover the code to ridiculous extents, and the thing can be riddled with pre- and post-condition checks right in the code and be able to fail safely to its normal offline mode. Yes, it's damn expensive to do that to something the size of Vista. But we're talking a pacemaker. It's just not the same number of lines of code. (Or if it does have millions of lines of code, maybe you just need to fire the guy who programmed it;)
More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it. You don't want a car's brakes to be hijacked by wireless by the guy in the next car, so you just don't give them a wireless connection. Do you see any reason why we wouldn't apply the same thinking to a pacemaker? It's even more likely to kill than hijacking someone's brakes. There is no airbag to save you when your pacemaker fails.
So what I'm saying is: let's all stop and think twice before shrugging and dismissing security as impossible anyway. Sometimes it's very feasible to make it bulletproof, and, really, it has no excuse to not be so.
Re:That kind of attitude is the problem (Score:5, Insightful)
Because sticking a JTAG connector through someone's chest is fairly painful. You're welcome to experiment on yourself to confirm this.
Also, it's not a WiFi interface. It's a short-range (it goes through your chest, and water absorbs radio waves like crazy), custom, wireless interface.
You have no freaking need for those to be networked, in any form or shape.
And you're, what? An M.D.? A biomedical engineer?
Tell you what: have fun with your dumb fixed-rate 75 bpm pacemaker, but don't expect to be running up any stairs anytime soon.
Any interface to it or from it can be contact-based just as well.
It basically is, genius. Or do you want it so contact-based that they have to shoot a couple of amps through your chest in order to make the pacemaker respond? Hint: think of a vital organ that's very, very close to the pacemaker and reacts very badly to having current shot through it.
More importantly, we already do _both_ of those for life-and-death systems like flight control systems on airplanes or brake computers on cars. They're both built and reviewed to be as good as bulletproof, _and_ not wired to talk to the outside world, unless one physically plugs in a special connector and a special computer into it.
They're also conveniently located outside the human body, so plugging a special connector into them doesn't involve going through someone's tissue first.
Re:That kind of attitude is the problem (Score:2, Insightful)
The excuse is that people are not willing to spend the difference it would cost to make it bulletproof. There are diminishing returns (even on life-saving devices) which people won't recognize or spend on.
Imagine walking into a doctor's office being presented with two (apparently) identical devices. One costs $1000, and the other costs $10,000. Yes, it's your life, but spending another $9000 to make it more secure isn't going to be the option most people choose.
Beyond that, imagine trying to convince an HMO the medical necessity for spending more money on the secure version. I'd suspect that the manufacturers have already considered that and decided to be competitive instead.
Re:Bionic eye (Score:2, Insightful)
As an added precaution, some manufacturers (at least Biotronic IMHO) have devices which only communicate when a magnet is placed near (again centimeters) the device, thus closing a magnetic switch and enabling communication.
This is extremely hard to "hack" from afar -- you would need a very strong magnet which would probably cause a lot of other problems.
Re:Bionic eye (Score:3, Insightful)
Sure. Will you ship your secure, encrypted pacemaker with an external power supply to plug it in?
Sheesh. These things don't come with a multi-core desktop CPU. They're ultra low-power systems, optimized for battery life because changing the battery requires surgery, which already puts your life at stake (Sorry - cutting your chest open isn't trivial. And the chance of something bad happening during or after surgery (infection, complications with the anesthesia, etc), as of now, is about infinitely higher than someone hacking your pacemaker to kill you).
If you'd get a pacemaker, would you get the one that requires you to be cut open every five years, or the one that requires you to be cut open every eight years?
Re:Bionic eye (Score:4, Insightful)
The thing is that this private key needs to be sent to every hospital and doctor's office which wants to make adjustments to the pacemaker. They'll have it, whether it's embedded in a chip or written in a config file. You have to make this information public in some sense, the very best you could hope to do is use some kind of DRM to protect the key from exposure, but as we all know, such exercises are fated to failure.
And what happens when a pacemaker manufacturer discontinues a line and stops manufacturing the equipment to tune certain kinds of pacemakers (such as would be expected to happen should a key be discovered), do these patients just have to hope that the equipment used for tuning their pacemaker outlives them?
Also, will doctors and hospitals have to buy dozens of different pacemaker adjustment machines, one of every type, even those they don't install themselves so that they can treat patients who move into the area? What happens when the patient needs emergency adjustment of his pacemaker but doesn't remember the model he has (or isn't conscious)?
Finally, these devices don't exactly have little general-purpose CPUs in them. One of their biggest concerns is decent battery life. If we put something in there as computationally intensive as strong private/public key cryptography, you're going to significantly hurt the battery life of these devices.
This problem is not as simple as it seems on the surface. It turns out that human life is fragile, and there are many ways in which you can kill someone, some of them even require little effort to kill many people. Hacking this device in a way that endangers other humans would not even need new laws to be punishable since we fortunately already have laws which surround murder, reckless endangerment, and other such things which actually or reasonably could result in the death or injury of other humans.
Insulin pumps too! (Score:3, Insightful)
Several months ago she upgraded to a new pump. This new model (a Medtronic MiniMed) wirelessly communicates with a number of devices. It receives blood glucose data from a continuous glucose monitor. It also receives her regular readings from her standard "prick your finger" blood sugar tests via her test kit. And, it has a wireless key fob that allows her to adjust the pump's settings without having to dig through pockets and clothes to get at the unit.
My first comment to her was "With all of this wireless control, how easy is it for someone to use this wireless interface to put you into a diabetic coma, or worse, kill you?" She thinks it's a fairly ridiculous concept, citing encryption, receiver range, and "Why would anyone want to kill me?", among other reasons.
Well, I say that anything that has any type of wireless interface is hackable. There are, of course, no published documents that I can find detailing what steps have been taken to secure these devices. I'm seriously concerned about whether the companies that make insulin pumps, pacemakers, implants, etc., are taking these concerns seriously.
Re:Bionic eye (Score:3, Insightful)
Yes, it's all nice and simple to the software guy that doesn't know what he is talking about.
Yes, what you are asking is possible, but it's prohibitively expensive, pointless, and adds ZERO benefit to the patient. In fact, because of the extra power draw of this pointless device the patient will have to undergo extra surgeries to replace the battery more often, thereby further jeopardizing patient safety.
Re:Ah, the smart-arse non-sequiturs (Score:3, Insightful)
With the encryption that you say your company uses, wouldn't it simply be a matter of acquiring a single sending device, and reverse engineering it?
No. The individual communication session is protected by a unique key. Still, if you physically had a programmer (the sending device you mentioned), you could use it without any hacks to change a patient's settings just as a doctor could, but it would require physical proximity on the order of a few cm. This sort of communication does not occur using RF. You can't spoof this with a high gain antenna or any such thing because the communication isn't occurring using radio frequencies at all. And as you said, at this range you could kill a person any number of other ways.
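Two of the comments above touch the same design question from opposite sides: the "Re:Bionic eye" poster objects that any programmer key has to be handed to every clinic and that public-key cryptography is too expensive for an implant's battery, and the last reply says each session is protected by a unique key. The sketch below is an added example, written for this page, of how those two points are usually reconciled in constrained devices; it is not the protocol of any manufacturer, nor the commenter's employer's, and the master key, serial numbers, frame layout, bpm bounds and use of HMAC-SHA256 are all constructed for the example. The implant stores only a key derived from its own serial (key diversification), so pulling the key out of one implant does not unlock others; every session starts with a fresh challenge from the implant, so a captured frame cannot be replayed later; a per-session sequence number stops replay within a session; and anything that fails to verify leaves the device running exactly as before. Only symmetric primitives are used, which is the cheap side of the battery argument. The caveat the objector raises still stands on the other side: the master key has to exist in every programmer, so the real-world mitigation is keeping it in a tamper-resistant module, which this example does not model.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed for this example only; no real manufacturer key or protocol.
MASTER_KEY = hashlib.sha256(b"example-master-key-not-real").digest()


def derive_device_key(master_key: bytes, serial: bytes) -> bytes:
    """Key diversification: each implant holds only HMAC(master, serial),
    so extracting one implant's key yields nothing about the others."""
    return hmac.new(master_key, b"device-key|" + serial, hashlib.sha256).digest()


class Pacemaker:
    """Toy implant side: one symmetric key, a fresh nonce per session,
    a per-session sequence number, and hard bounds the firmware enforces."""
    MIN_RATE, MAX_RATE = 40, 180  # bpm bounds, assumed for the example

    def __init__(self, serial: bytes, device_key: bytes):
        self.serial = serial
        self.key = device_key
        self.rate_bpm = 75                 # current rate; unchanged on any rejection
        self.nonce: Optional[bytes] = None
        self.last_counter = 0
        self.rejected = 0

    def begin_session(self, nonce: Optional[bytes] = None) -> bytes:
        """Emit an 8-byte challenge that every tag in this session is bound to.
        The parameter only exists so tests are deterministic; normally use the RNG."""
        self.nonce = nonce if nonce is not None else os.urandom(8)
        self.last_counter = 0
        return self.nonce

    def receive(self, frame: bytes) -> bool:
        """Frame = counter(4) | rate(2) | HMAC-SHA256 tag(32).
        Apply only if authentic, fresh and in range; otherwise keep running as is."""
        if self.nonce is None or len(frame) != 4 + 2 + 32:
            self.rejected += 1
            return False
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, self.nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            self.rejected += 1
            return False
        counter, rate = struct.unpack(">IH", body)
        if counter <= self.last_counter or not (self.MIN_RATE <= rate <= self.MAX_RATE):
            self.rejected += 1                          # replay or unsafe value
            return False
        self.last_counter = counter
        self.rate_bpm = rate
        return True


class Programmer:
    """Clinic-side programmer: holds the master key and derives each implant's
    key from its serial, so one programmer serves every implant in the line."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.counter = 0

    def set_rate(self, serial: bytes, nonce: bytes, rate: int) -> bytes:
        key = derive_device_key(self.master_key, serial)
        self.counter += 1
        body = struct.pack(">IH", self.counter, rate)
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
        return body + tag


def demo():
    """One legitimate command plus three attacks; returns what the implant did."""
    serial = b"SN-0001"
    implant = Pacemaker(serial, derive_device_key(MASTER_KEY, serial))
    clinic = Programmer(MASTER_KEY)

    nonce = implant.begin_session()
    frame = clinic.set_rate(serial, nonce, 80)
    ok_legit = implant.receive(frame)        # accepted, rate becomes 80

    ok_replay = implant.receive(frame)       # same frame again: counter not fresh

    forged = struct.pack(">IH", 99, 30) + os.urandom(32)
    ok_forged = implant.receive(forged)      # no key: tag does not verify

    other_key = derive_device_key(MASTER_KEY, b"SN-0002")   # key from another implant
    body = struct.pack(">IH", 50, 60)
    wrong = body + hmac.new(other_key, nonce + body, hashlib.sha256).digest()
    ok_wrong_key = implant.receive(wrong)    # wrong device key: rejected

    return ok_legit, ok_replay, ok_forged, ok_wrong_key, implant.rate_bpm, implant.rejected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, False, False, False, 80, 3)`: the clinic's command lands, the replay, the keyless forgery and the frame signed with a different implant's key are all refused, and the pacing rate is exactly what the legitimate programmer set. Starting a new session with a new nonce also invalidates every frame captured in the old one. The bounds check is deliberately independent of the cryptography: even a correctly authenticated command cannot push the rate outside the range the firmware considers safe.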