This was a laboratory based attack on a device that was NOT in a patient. Never the less, this is scary stuff. Oh, and hackers could get private medical info as well as forcing the pacemaker/defibrillator to fire when they want. Or they could just run down the batteries, which require a surgical replacement.
I don’t know much about pacemakers. I always assumed you had to be hardwired to one to fiddle with it… so wouldn’t it be a mite tricky once the pacemaker is implanted?
Oh, Really Not All That Bright, you know that wires are just soooo Twentieth Century. It’s all wireless now.
Wireless communications allows doctors to make adjustments to the devices, or download records from the devices, without opening up the patient. There are proposed devices which allow remote access, for patients in rural areas. The remote access devices may actually exist - I wasn’t clear on that part.
A part of the FAQ that I thought was clever was the author’s proposal of security methods for implantable medical devices that (the authors claim) use the RF power of the hacking signal to run the security measures, rather than drawing down the batteries. Often the batteries have to be replaced via surgery, so discharging the batteries is a form of attack.
I have a friend who has one (actually, a fairly new one – it was inserted last fall, to replace one from 13 years ago).
She has a small pad she holds next to the pacemaker (near her shoulder) and it wirelessly communicates with the pacemaker, and can download recorded date on how it has been working and any problems it encountered. Then she can connect that to a phone modem, and upload it to her cardiologist. And the data must be stored with date/time on it; they’ve told her to write down the date/time when she has an incident where it isn’t working as she wants, then they can look back to find the pacemaker data from that time and see just what was happening.
The doctor has a similar device, but his can also re-program the pacemaker parameters. I think they even have the technical capability to able to send a reprogramming ‘update’ over the phone to her, which she could use to re-program her pacemaker. But they don’t do that; they always do that when she has come in to the office for a checkup.
But her reading device has to be held right against her body to work, and kept still. Wouldn’t a ‘hacking’ device also have to be held up against the patient for it to work?
Not necessarily–the max power and range of the device for receiving commands is dependent on the antenna size, not the typical power used–that is, if the hackers use a bigger broadcast antenna and reception dish than the standard programming apparatus, the viable range of hacking attempts will be correspondingly increased.
I find it not so much scary as really neat. Not only do I work in technology, but I work in cardiac surgery. I had no idea we did stuff this cool. And now that Medtronic knows about the security hole, they can do something to fix it.
I was wondering who would actually go to the immense amount of trouble to screw with someone’s VAD and why. Then the article mentioned Dick Cheney.
Featured in the triller Hard Rain published back in 2002. Not that big of a logical leap considering that pacemakers haven’t been wired for a long time, and that the general public have been warned about microwave or cell phone interference. Frankly, I’m surprised that this is considered big news rather than being looked at as just a demonstration of a theoretical vulnerability.