This was a laboratory based attack on a device that was NOT in a patient. Never the less, this is scary stuff. Oh, and hackers could get private medical info as well as forcing the pacemaker/defibrillator to fire when they want. Or they could just run down the batteries, which require a surgical replacement.
I don’t know much about pacemakers. I always assumed you had to be hardwired to one to fiddle with it… so wouldn’t it be a mite tricky once the pacemaker is implanted?
[QUOTE=Really Not All That Bright]
I don’t know much about pacemakers. I always assumed you had to be hardwired to one to fiddle with it… so wouldn’t it be a mite tricky once the pacemaker is implanted?
[/QUOTE]
Oh, Really Not All That Bright, you know that wires are just soooo Twentieth Century. It’s all wireless now.
Wireless communications allows doctors to make adjustments to the devices, or download records from the devices, without opening up the patient. There are proposed devices which allow remote access, for patients in rural areas. The remote access devices may actually exist - I wasn’t clear on that part.
A part of the FAQ that I thought was clever was the author’s proposal of security methods for implantable medical devices that (the authors claim) use the RF power of the hacking signal to run the security measures, rather than drawing down the batteries. Often the batteries have to be replaced via surgery, so discharging the batteries is a form of attack.
[QUOTE=Really Not All That Bright]
I don’t know much about pacemakers. I always assumed you had to be hardwired to one to fiddle with it… so wouldn’t it be a mite tricky once the pacemaker is implanted?
[/QUOTE]
I have a friend who has one (actually, a fairly new one – it was inserted last fall, to replace one from 13 years ago).
She has a small pad she holds next to the pacemaker (near her shoulder) and it wirelessly communicates with the pacemaker, and can download recorded date on how it has been working and any problems it encountered. Then she can connect that to a phone modem, and upload it to her cardiologist. And the data must be stored with date/time on it; they’ve told her to write down the date/time when she has an incident where it isn’t working as she wants, then they can look back to find the pacemaker data from that time and see just what was happening.
The doctor has a similar device, but his can also re-program the pacemaker parameters. I think they even have the technical capability to able to send a reprogramming ‘update’ over the phone to her, which she could use to re-program her pacemaker. But they don’t do that; they always do that when she has come in to the office for a checkup.
But her reading device has to be held right against her body to work, and kept still. Wouldn’t a ‘hacking’ device also have to be held up against the patient for it to work?
[QUOTE=t-bonham@scc.net]
But her reading device has to be held right against her body to work, and kept still. Wouldn’t a ‘hacking’ device also have to be held up against the patient for it to work?
[/QUOTE]
Not necessarily–the max power and range of the device for receiving commands is dependent on the antenna size, not the typical power used–that is, if the hackers use a bigger broadcast antenna and reception dish than the standard programming apparatus, the viable range of hacking attempts will be correspondingly increased.
I find it not so much scary as really neat. Not only do I work in technology, but I work in cardiac surgery. I had no idea we did stuff this cool. And now that Medtronic knows about the security hole, they can do something to fix it.
I was wondering who would actually go to the immense amount of trouble to screw with someone’s VAD and why. Then the article mentioned Dick Cheney.
[QUOTE=NYTimes]
The report, to published at www.secure-medicine.org, makes clear that the hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts — they include Vice President Dick Cheney — have no need yet to fear hackers. The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant’s signals. And the device the researchers tested, a combination defibrillator and pacemaker called the Maximo, was placed within two inches of the test gear.
[/QUOTE]
Bolding mine
So if you kidnapped a person and made them stand still long enough you could hack the device.
Of course you could just shoot them, or throw them in a tank full of sharks with laser beams attached to their heads.
[QUOTE=Really Not All That Bright]
Tools —> Windows Update ----> Custom Install -----> “Now searching for latest available updates for your pacemaker”…
[/QUOTE]
snerk
I was just telling my boss about this.
He already knew. He was on the team that worked on it.
Featured in the triller Hard Rain published back in 2002. Not that big of a logical leap considering that pacemakers haven’t been wired for a long time, and that the general public have been warned about microwave or cell phone interference. Frankly, I’m surprised that this is considered big news rather than being looked at as just a demonstration of a theoretical vulnerability.