Have a heart (attack): Defibrillators, pacemakers vulnerable to hackers

Researchers have discovered that an implantable heart device, a combination of a defibrillator and pacemaker, is vulnerable to hackers.

According to a study, authored by researchers at the University of Washington, University of Massachusetts Amherst and Harvard Medical School, hackers could get wireless access to a heart device and shut it down (a power denial of service attack) or deliver jolts of electricity. In either case, it wouldn't be fun for whoever had the pacemaker.

While this hack isn't likely, given that the New York Times reports you need $30,000 worth of gear to make it happen, it does raise a few eyebrows.

Here's the abstract of the paper, which was published on the Medical Device Security Center:

Our study analyzes the security and privacy properties of an implantable cardioverter defibrillator (ICD). Introduced to the U.S. market in 2003, this model of ICD includes pacemaker technology and is designed to communicate wirelessly with a nearby external programmer in the 175 kHz frequency range. After partially reverse-engineering the ICD's communications protocol with an oscilloscope and a software radio, we implemented several software radio-based attacks that could compromise patient safety and patient privacy. Motivated by our desire to improve patient safety, and mindful of conventional trade-offs between security and power consumption for resource constrained devices, we introduce three new zero-power defenses based on RF power harvesting. Two of these defenses are human-centric, bringing patients into the loop with respect to the security and privacy of their implantable medical devices (IMDs). Our contributions provide a scientific baseline for understanding the potential security and privacy risks of current and future IMDs, and introduce human-perceptible and zero-power mitigation techniques that address those risks. To the best of our knowledge, this paper is the first in our community to use general-purpose software radios to analyze and attack previously unknown radio communications protocols.

The researchers say that these attacks would also be possible in any implantable device such as a drug pump and neurostimulator that can be programmed from outside the body. To simulate a pacemaker in a human, researchers put the device into a bag of bacon and ground beef.

In an FAQ on the study researchers note:

We only studied a single implantable medical device. We currently have no reason to believe that any other implantable devices are any more or less secure or private.

The study doesn't describe specific attack vectors since hacking implantable medical devices is obviously a sensitive issue. In other words, researchers wanted to prove a theory without giving nut jobs any ideas. The study does note that buffer overflow attacks and insecure software updates are possible. Think patch day for your pacemaker.

However, these hacks don't necessarily have to kill. You can just swipe critical medical information. Here are some of the possibilities:

[Image: heart.png]

There are two primary hacking techniques in the study (the report has much more detail):

The researchers reverse engineered wireless transmissions.

We began by capturing RF transmissions around 175 kHz. Using an oscilloscope, we were trivially able to identify transmissions from our ICD and the commercial ICD programmer. We saved traces from both the oscilloscope and the USRP. We processed these RF traces in software (using Matlab and the GNU Radio toolchain) to recover symbols, then bits. Finally, by analyzing these bits we discovered key aspects of the ICD's protocols and the data that it and the programmer transmit.

Eavesdropping via commodity software.

We built an eavesdropper using the Universal Software Radio Peripheral (USRP) in concert with the open source GNU Radio libraries. For the initial analysis in Section III-A, we simply used programs included with GNU Radio to capture and store received radio signals, then wrote code in Matlab and Perl to analyze those signals. To eavesdrop in real time, we integrated the necessary functions back into the C++ and Python framework of GNU Radio. This section describes the eavesdropping process in detail and shows the results of our passive attacks.

As for defenses, researchers note that nothing is perfect. For instance, just using a cryptographic key (think WEP key for your pacemaker) would raise its own issues. According to the study:

Providing security and privacy on an IMD involves health risk factors and tight resource constraints. Traditional approaches could potentially introduce new hazards to patient safety. For instance, protecting an IMD with a cryptographic key may provide security, but the unavailability of a key could hinder treatment in emergency situations. Another risk to IMD availability is excessive power consumption by mechanisms other than those needed for the device's primary function. For instance, the energy cost of performing computation for cryptography or radio communication could directly compete with the energy demands of pacing and defibrillation. Effective mechanisms for security and privacy should not provide new avenues for an unauthorized person to drain a device's battery. For instance, spurious wake-ups or a cryptographic authentication process itself could cause a device to enter a state that consumes excessive amounts of energy.

There are a few potential defenses, but they are experimental. Two key requirements are that the defenses can't drain power or introduce other points of failure. After all, I'd rather have a pacemaker work than be able to fend off a hacker.


Talkback

13 comments
  • Pacemakers Must Be Running Windows Mobile

    God forbid you blue screen during sex.
    itanalyst2@...
    • LOL

      bout spit up my lunch!
      Been_Done_Before
  • Security Clearance Issues?

    I wonder if and how such a vulnerability might affect someone's ability to obtain a government security clearance.

    I wouldn't think all that much, since there are plenty enough ways to kill or disable someone without hacking into their pacemaker or drug pump.
    johnay
  • Cool

    Terrorists could assassinate world leaders that have pacemakers installed just by beaming commands to the pacemaker.
    croberts
  • i would say something about a certain someone

    in higher office, but they might construe it the wrong way...

    i think everyone knows who i am talking about though.
    Been_Done_Before
    • Say No More

      And the higher the office, the more likely $30k won't be enough to stop some people or groups.
      MichP
  • Defibrillators-pacemakers vulnerable to hackers

    We're pretty knowledgeable about wireless devices;
    ~ Question:
    ~ At exactly what range are these wireless hacks taking place?
    Are we being told that we could hack a Pacemaker from down the street.. ? Very unlikely!

    The Team
    http://wirelessspeech.blogspot.com
    a_chameleon
    • I agree with your question and assessment

      It would also be very easy for political targets to use a shielding defense.
      This website details some uses and output power in this frequency range. http://www.dxing.com/lw.htm
      It is also likely that the ICDs are intentionally hard of hearing, so that background radio noise will not cause any problems.
      Realvdude
  • Truly sad, are they running embedded Sun Solaris

    . . . no, that would just slow the user down and require an expensive HMO maintenance agreement.

    Oh well, stick an RFD chip in the patient and let the govt keep track of em.
    Boot_Agnostic
  • RE: Have a heart (attack): Defibrillators, pacemakers vulnerable to hackers

    I don't know exactly how, but I'll work extra hard to put this on a forum signature or something.
    dragonmago@...
  • RE: Have a heart (attack): Defibrillators, pacemakers vulnerable to hackers

    This is not surprising. Security is an afterthought for most biomed manufacturers. I have seen devices that use off the shelf Windows and are then told you can't patch or AV the box because it disrupts the biomed device. That forces us to go to locked down VLANs (which then impacts accessibility).
    I_Byte
  • Researchers: not enough risk???

    So I read this article yesterday on the Drudge and then the NY Times web site. My biggest issue was around the researchers claiming that there wasn't enough risk to warrant corrective recalls for patients as you would have to get right up on their chest to cause harm-- well gee whiz. Let's see:

    1) We know that the broadcast distance is about 3ft.
    2) We know just about any pocket sized device can be custom built to broadcast/receive radio signals with just about any device.
    3) We know that the hacking process can be programmed and automated.

    So picture this: a high ranking official with heart issues (Cheney??) needs a pacemaker. He gets one, then an assassin goes to some fund raiser, plunking down $20k of his $20mil payout to get right next to that official and shake his hand-- only, he's carrying this device in his pocket. The moment the official comes within a few feet-- the pacemaker gets reprogrammed, and the next time it gets set off-- dead official.

    Is it possible, even if at the paranoid extreme, that this scenario is possible? If so, is this not enough basis for a redesign, recall and redeployment?

    If not, I need to get into Healthcare IT.
    kckn4fun
    • Secure those worth $30k to an assassin

      I can't say I'd mourn Cheney. But really, the man can afford to get a special pacemaker with extra built in security. It might cost a pretty penny, but he can afford it.

      Normal people might not be able to pay for such extra security, but those with the talent and the insanity required to actually kill someone with their own pacemaker aren't going to target your average person.

      No normal hacker would want to kill a person out of sheer malice. Most hackers just hack so they can say that they did, not to actually do something bad. Even those that do like to plant trojan horses and adware aren't about to kill someone idly. Taking a life is very different from peeking into private files or stealing a password. Someone who might actually want to kill someone this way would have to spend $30,000 and then get within 3 feet of their target, and stay there for some unknown amount of time, since we're not sure how LONG it takes for this hack and reprogramming of the pacemaker to actually complete. So, we have a terrorist or an assassin who might actually be willing to do this, and would only target someone of importance. So those under particular risk can get a pretty new one with a firewall installed.

      Besides, wouldn't it just be easier (and cheaper!!) to shoot your target in the head? When it comes down to it, this just isn't the best or most efficient way to kill a person. So I'm pretty sure that no one is actually going to go through with it anyways.
      Caggles