Bad security can kill (Hacking a pacemaker)

A research team was able to hack into a pacemaker/heart defibrillator, in a laboratory setting. :eek:

NY Times article (subscription required, I believe)

Medical device Security Center Web site where the paper is posted.

FAQ about the paper

and finally,

Text of the paper (PDF)

This was a laboratory-based attack on a device that was NOT in a patient. Nevertheless, this is scary stuff. Oh, and hackers could get private medical info as well as forcing the pacemaker/defibrillator to fire when they want. Or they could just run down the batteries, which require a surgical replacement.

Scary stuff.

I don’t know much about pacemakers. I always assumed you had to be hardwired to one to fiddle with it… so wouldn’t it be a mite tricky once the pacemaker is implanted?

Oh, Really Not All That Bright, you know that wires are just soooo Twentieth Century. It’s all wireless now.

Wireless communication allows doctors to make adjustments to the devices, or download records from the devices, without opening up the patient. There are proposed devices which allow remote access, for patients in rural areas. The remote access devices may actually exist - I wasn’t clear on that part.

A part of the FAQ that I thought was clever was the authors’ proposal of security methods for implantable medical devices that (the authors claim) use the RF power of the hacking signal to run the security measures, rather than drawing down the batteries. Often the batteries have to be replaced via surgery, so discharging the batteries is a form of attack.

Future newspaper headline:

**“Octogenarian Hacker Makes Woman’s Heart Go Pitter-Pat”**
“I thought it was love”, she said, “but it was just bad code.”

I have a friend who has one (actually, a fairly new one – it was inserted last fall, to replace one from 13 years ago).

She has a small pad she holds next to the pacemaker (near her shoulder) and it wirelessly communicates with the pacemaker, and can download recorded data on how it has been working and any problems it encountered. Then she can connect that to a phone modem, and upload it to her cardiologist. And the data must be stored with date/time on it; they’ve told her to write down the date/time when she has an incident where it isn’t working as she wants, then they can look back to find the pacemaker data from that time and see just what was happening.

The doctor has a similar device, but his can also re-program the pacemaker parameters. I think they even have the technical capability to be able to send a reprogramming ‘update’ over the phone to her, which she could use to re-program her pacemaker. But they don’t do that; they always do that when she has come in to the office for a checkup.

But her reading device has to be held right against her body to work, and kept still. Wouldn’t a ‘hacking’ device also have to be held up against the patient for it to work?

Not necessarily–the max power and range of the device for receiving commands is dependent on the antenna size, not the typical power used–that is, if the hackers use a bigger broadcast antenna and reception dish than the standard programming apparatus, the viable range of hacking attempts will be correspondingly increased.

I find it not so much scary as really neat. Not only do I work in technology, but I work in cardiac surgery. I had no idea we did stuff this cool. And now that Medtronic knows about the security hole, they can do something to fix it.

I was wondering who would actually go to the immense amount of trouble to screw with someone’s VAD and why. Then the article mentioned Dick Cheney.

“Twice up to overload and back down dead” - Cordwainer Smith, in Scanners Live in Vain.

The story should be in any collection of his short stuff. Go here to read the first paragraph.

Tools —> Windows Update ----> Custom Install -----> “Now searching for latest available updates for your pacemaker”…

From the Times article.

Bolding mine

So if you kidnapped a person and made them stand still long enough you could hack the device.

Of course you could just shoot them, or throw them in a tank full of sharks with laser beams attached to their heads.

Or you could invite them over for coffee and seat them near the computer.

2 inches from the sensors, hooked to your $30,000 while a whole team of guys work on the problem.

I wonder how long a ‘sustained’ effort takes.

Hours? Days? Weeks?

snerk

I was just telling my boss about this.

He already knew. He was on the team that worked on it.

Featured in the thriller Hard Rain published back in 2002. Not that big of a logical leap considering that pacemakers haven’t been wired for a long time, and that the general public have been warned about microwave or cell phone interference. Frankly, I’m surprised that this is considered big news rather than being looked at as just a demonstration of a theoretical vulnerability.