Hacking Medical Devices

Okay, so this could be big news:

But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker.

They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal—if the device had been in a person. In this case, the researcher were hacking into a device in a laboratory.

The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery.

There’s only a little bit of hyperbole in the New York Times article. The research is being conducted by the Medical Device Security Center, with researchers from Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington. They have two published papers:

“Security and Privacy of Implantable Medical Devices,” Daniel Halperin, Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H. Maisel, IEEE Pervasive Computing, January 2008.
“Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel, IEEE Symposium on Security and Privacy, May 2008.

This is from the FAQ for the second paper (an ICD is a implantable cardiac defibrillator):

As part of our research we evaluated the security and privacy properties of a common ICD. We investigate whether a malicious party could create his or her own equipment capable of wirelessly communicating with this ICD.

Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could violate the privacy of patient information and medical telemetry. The ICD wirelessly transmits patient information and telemetry without observable encryption. The adversary’s computer could intercept wireless signals from the ICD and learn information including: the patient’s name, the patient’s medical history, the patient’s date of birth, and so on.

Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could also turn off or modify therapy settings stored on the ICD. Such a person could render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.

Of course, we all know how this happened. It’s a story we’ve seen a zillion times before: the designers didn’t think about security, so the design wasn’t secure.

The researchers are making it very clear that this doesn’t mean people shouldn’t get pacemakers and ICDs. Again, from the FAQ:

We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed. We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs.

For all our experiments our antenna, radio hardware, and PC were near the ICD. Our experiments were conducted in a computer laboratory and utilized simulated patient data. We did not experiment with extending the distance between the antenna and the ICD.

I agree with this answer. The risks are there, but the benefits of these devices are much greater. The point of this research isn’t to help people hack into pacemakers and commit murder, but to enable medical device companies to design better implantable equipment in the future. I think it’s great work.

Of course, that will only happen if the medical device companies don’t react like idiots:

Medtronic, the industry leader in cardiac regulating implants, said Tuesday that it welcomed the chance to look at security issues with doctors, regulators and researchers, adding that it had never encountered illegal or unauthorized hacking of its devices that have telemetry, or wireless control, capabilities.

“To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,” a Medtronic spokesman, Robert Clark, said. Mr. Clark added that newer implants with longer transmission ranges than Maximo also had enhanced security.

[…]

St. Jude Medical, the third major defibrillator company, said it used “proprietary techniques” to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them.

Just because you have no knowledge of something happening does not mean it’s not a risk.

Another article.

The general moral here: more and more, computer technology is becoming intimately embedded into our lives. And with each new application comes new security risks. And we have to take those risks seriously.

Tags: academic papers, cost-benefit analysis, hacking, medicine, privacy, risk assessment, vulnerabilities

Posted on March 12, 2008 at 10:39 AM • 46 Comments

Comments

Oh boy • March 12, 2008 10:52 AM

Doesn’t Dick Cheney have one of these things?

j0hnner_ca • March 12, 2008 10:55 AM

This is really cool! Horrible, sure, but cool.

Hacker hitmen in the decade?

Dale • March 12, 2008 11:22 AM

Heh – I think I’ll sell a Faraday vest…

bytosaur • March 12, 2008 11:30 AM

I have a pacemaker, so just add this to my list of other stuff I have to watch, in particular, magnetic fields from the following;
Store Anti-Shoplifting sensors, small gas engines that you could bring up close to your chest, leaning over the fender to work on your car, some security sensors at airports (I always get the full search because of this). Where I work, there are labs that use magnetic fields in research, so I’m banned from those area. Magnetic degaussers of any kind. Toy magnetics, refrigerator magnetics, EM from badly sealed microwaves. Shall I go on?

By the way, add chainsaws and jackhammers, not because of the magnetic fields, but because the vibration can cause the wires going into the heart to become loose, and no full contact sports. I have a hunk of titanium sitting a pocket of flesh above my left pectoral muscle that could end up setting on my abdominal wall.
Now I have to worry about some hacker trying to get at me. I think the potential here is minimal. I ain’t gonna stay up nights worrying about it. Find something real to report.

Roy • March 12, 2008 11:37 AM

I bet Dick Cheney is sweating bullets.

Movie Plot Threat • March 12, 2008 11:38 AM

What a movie plot threat. This is to be ranked right up there with mind control x-rays and car-alarm bombs.

The only way this will be “big news” is if the TV networks read Bruce’s blog.

Doug Coulter • March 12, 2008 11:42 AM

I especially enjoyed the statement that it took too much equipment (a whole $30k worth, I’ve seen car stereos that have more than that in them) and you had to be close for it to work.

Bah — I am an engineer, and I call BS. What they bought off the shelf for maybe about the same price as a hit contract for a single hit — that’s cheap, and I could surely build any transmitter of that sort for a few hundred bucks IF I had to buy all the parts new.

In other words, free except for my time raiding my junkbox. Not a barrier to implementation.

As for range? Simply a matter of power output and antenna size. Trivially scalable. Even if it’s purely inductive interface vs real radio waves. (Inductive interface tends to fall off at 3rd power of distance vs the old square law for photons)

In some of the companies own words, even the leakage from a microwave oven might do harm.
That’s not much power unless the oven is severely compromised, and it’s not the right wavelength, and doesn’t go through tissue all that well (cooked on the outside, still frozen on the inside — I claim ubiquitous empirical evidence). Nor is microwave oven radiation “coded” correctly. Though if you just want to break the device, this may not be required at all, or even desired. Why leave a signature? (ELINT)

In some accidents here in moderate energy physics experiments, the EMP from a capacitor the size of half a loaf of bread with a minimal “antenna” (eg poor wiring practice for the kiloamp currents involved) fries PC’s from 30 ft plus — even if they are off at the time. And that was an accident. Even some pretty robust stuff has gone up in smoke (Lambda power supplies) while sitting safely on a bench in the next room, unconnected. Though the latter was from a larger capacitor, about 1500 joules, about the size of a briefcase including the charger. Far easier to conceal or explain than say, a high power rifle.

Not that I see any general value in this as an assassination weapon. Targets fitting the requirements aren’t real common, and collateral damage might be an issue.

As Bruce implied, the companies are acting like idiots and depending on most people knowing even less than they do about basic electrical engineering. PR spin to keep the stock prices up. Whenever the motive to lie or obfuscate is big money, depend on it happening.

I might worry more about the identity theft issues.
I can say from experience that it is very nasty to have happen to you. But of course, this is a tiny incremental additional risk, there are lots of easier ways to do ID theft.

I consider all human implantable devices “beta” at best anyway, and feel for the unfortunate testers — whatever they are told, that’s what they are. The elegant, self-repairing (and self defending) design of life is tough to match with mere current technology.
Nerve endings in particular get tired of being shocked instead of naturally stimulated with ions, and die off. The records of implants will show this to anyone who looks — we aren’t seriously even trying to talk the correct language with most of these things. My work was with hearing-assistive implants, but life is life, and nerves are nerves.

Dirty Jake • March 12, 2008 11:44 AM

This is no great surprise, and has been explored and thoroughly discussed in the industry.

The added complexity of secure communications between a programmer and a device would create a risk of failure that does not exist now. That added risk of failure translates over time to a non-zero number of people being harmed due to loss of therapy that are not at risk now. This is whether or not some evil person is out to harm someone with a pacemaker.

That has to be balanced against the number of evil people that might try harming someone by hacking device communications. So far that number is zero. Up until the current moment, increasing the complexity to provide secure communication increases the harm to people.

If you work from the assumption that evil people will now start to target people with pacemakers, you have to factor in the resourcefulness and tenacity of the attacker. The question then becomes: “Will secure communication (with the added complexity risks) stop the attacker?” I haven’t seen a thorough analysis of a person that’s prone to attack people with pacemakers, but my personal guess is that adding secure communication would not slow them down in their goal of harming the person with a pacemaker. There are just too many ways to harm someone that are easier, and if someone is determined enough to hack a pacemaker then they are determined enough to do something simpler.

Adding secure communication may reduce the risk of flashy headlines at the expense of increasing the risk to people with pacemakers.

stacy • March 12, 2008 11:54 AM

I see a “Law & Order” or “CSI” episode out of this one.

bytosaur • March 12, 2008 11:55 AM

You dont have to use sophisticated equipment to harm people with defibrillators and pacemakers. As I stated before, a strong magnetic field will do it with the current technology. I feel it when if I stand between the anti-shoplifting gates. No big science here.
And I disagree with implantable devices being “beta”. My family has a genetic defect causing an EP block to showup when we are in our thirties and forties. My mother lived for over 35 years with a pacemaker, and died from kidney problems, not a heart problem. Other family members are now in their 90s, having pacers for decades. Pacers work and are extremely reliable.

SteveJ • March 12, 2008 12:04 PM

I like this: “The ICD wirelessly transmits patient information and telemetry without observable encryption.”

I’ve heard of hedging your bets, and not trying to claim more than you’re sure of, but if there’s no observable encryption, surely that means there’s no encryption? How can something be “encrypted” if it appears to an eavesdropper to be the same as the plaintext?

I suppose maybe they’re saying that they can’t be sure that the data they’re seeing isn’t a cunning ruse, with the real data encrypted and steganographically hidden in it. Seems pretty unlikely, given that they successfully controlled the thing…

Mike • March 12, 2008 12:39 PM

Dale: “Heh – I think I’ll sell a Faraday vest…”

Tinfoil Teeshirt? Tinfoil Tanktop?

Damn, I can’t get the thesaurus to find a synonym for vest starting with “f”

old guy • March 12, 2008 1:04 PM

@movie plot threat

I saw this on the network news before I saw it here.

bytosaur • March 12, 2008 1:11 PM

Faraday vest – they actually got them for people who need to weld and have a pacemaker. Not all pacemaker/defibrillator people are old and crippled like Cheney!

Eclectic Sheep • March 12, 2008 1:32 PM

@mike

Just make a conductive woven fabric thick enough to provide insulation: Faraday Fleece

Then you can make any number of protective garments.

derf • March 12, 2008 1:32 PM

This could be combined with the remote reading of an RFID passport or RealID hack and a sophisticated terrorist might single out an important government individual for death by pacemaker.

Michael M • March 12, 2008 2:18 PM

As a method of assassination, this appeared in the Barry Eisler thriller Rain Fall in 2002:

http://www.barryeisler.com/Rain_Fall_Chapter_1.pdf

Bryan • March 12, 2008 2:18 PM

I saw this comment over on Ars Technica and thought it delicious:

This obviously needs to be addressed and fixed asap. Imagine a high ranking official had an implanted cardiac defibrillator and a terrorist used a simple radio signal to kill them.

mike r • March 12, 2008 3:08 PM

I agree the risk is minimal. But if Patient information can be extracted, I can’t help but wonder if this would consitute a FDA violation of 21 CFR Part 11 for electronic records.

bytosaur • March 12, 2008 3:36 PM

My doctor told me that the only thing available on the current models is the model and serial number of the device, which is registered with the manufacturer, who can then provide name, etc. Considering that I have a card in my wallet with the make of the device, the make of wire leads, serial#s and implant date, wouldn’t be easier to just steal my wallet? It would be alot cheaper with less technological considerations.

Sam • March 12, 2008 3:40 PM

Now I’m imagining a twist on TV-B-Gone.

Grahame • March 12, 2008 3:41 PM

I agree with Dirty Jake. The problems with associated with encrypting this stuff are formidable – how do you manage the keys? After all, any medical lab needs to be able to read this stuff, so the keys need to be widely distributed. And the source key is not updateable without surgery….

As with everything medical, it’s about balancing risks. As bytosaur points out, there are many risks associated with pace makers, ones that far eclipse this one. You don’t get pace makers installed for fun, but because you’d die without them.

I think that it’s wrong to argue that this is a case of unexpected risks emerging; better to argue about it as a case of risk trade off.

Sevastos • March 12, 2008 5:25 PM

This is no surprise at all. A cardiologist friend told me about this possibility a couple of years age when RF programmable pacers came on the market. He also warned the manufacturers representatives of the problem. Their answer: “You’ve got a suspicious mind” and “OH, NOBODY would do that”. The range for the office programmer is about thirty feet. There is nothing to stop a hacker from sitting in a shopping mall and “reading the mail” or shocking someone. And while we are at it, let’s tell the dirty little secret: pacer programmers, while expensive, are given to the doctors free of charge. They are not regarded as “secure devices” and can easily be stolen from a physicians office.

Kevin • March 12, 2008 6:43 PM

@Doug Coulter

It’s important to differentiate between zapping someone with a pacemaker and being able to subtly manipulate what the pacer is doing. I think you’re right that the ease with which you could just stick someone with a taser means this isn’t the most efficient way to go about killing someone.

What is an issue is that this could potentially allow you to harm someone in a way that looks like an accidental pacemaker failure, or perhaps just jiggle their heart rate around every night while they sleep to cause a slower natural looking decline.

I don’t think it’s a serious problem to worry about now. But if I were getting something implanted, I’d want to be sure it’s going to continue to not be a problem for the long term.

Mike A • March 12, 2008 7:06 PM

I’d sure like to know more about what, “they had also been able to glean personal patient data” means. If this data is at exploitable, that could be the real threat here. Far more common that murder by hacker. It almost seems like the Bruce Buzzword “Security Theater” may be relevant here. Put up something headline grabbing but unlikely to obscure a real threat.

Lester • March 12, 2008 8:49 PM

Everybody is talking about hearts and pacemakers. They’ve already started implanting devices, actually called “pacemakers”, in people’s brains, to treat a difficult to treat form of mental illness (yes, I’m being intentionally vague – makes it more dramatic). The devices are programmed after being implanted, in the psychiatrist’s office, with a hand-held device. I’ll let your imagination take it from there.

I think I heard that they’ve also started experimenting with using magnetic fields to treat mental illness. They’re learning how to alter people’s mental states with magnetic fields. I wonder what the security protocols are there?

jenkins • March 12, 2008 10:34 PM

According to some news articles and slashdot Gadi Evron had spoken on this threat a year ago and conducted research into other related threats.

I was there…. anyone knows where I can dowload his talk? CCC keeps videos…

Wired story (2007):
http://blog.wired.com/27bstroke6/2007/08/will-the-bionic.html

Wired story today:
http://blog.wired.com/27bstroke6/2008/03/wifi-pacemaker.html

Network World:
http://www.networkworld.com/news/2008/031208-heart-device-hack-a.html

PC magazine:
http://blogs.pcmag.com/securitywatch/2008/03/hacked_through_the_heart_and_y.php

His original talk at CCC Camp 2007, according to slashdot (no slides):
http://events.ccc.de/camp/2007/Fahrplan/events/2049.en.html

jenkins • March 12, 2008 10:34 PM

According to some news articles and slashdot Gadi Evron had spoken on this threat a year ago and conducted research into other related threats.

I was there…. anyone knows where I can dowload his talk? CCC keeps videos…

Wired story (2007):
http://blog.wired.com/27bstroke6/2007/08/will-the-bionic.html

Wired story today:
http://blog.wired.com/27bstroke6/2008/03/wifi-pacemaker.html

Network World:
http://www.networkworld.com/news/2008/031208-heart-device-hack-a.html

PC magazine:
http://blogs.pcmag.com/securitywatch/2008/03/hacked_through_the_heart_and_y.php

His original talk at CCC Camp 2007, according to slashdot (no slides):
http://events.ccc.de/camp/2007/Fahrplan/events/2049.en.html

Alan@France • March 13, 2008 3:12 AM

It is Horrible but if it can help to make things more secure, why not !
Be careful of the Ping of Death 😉

Aidan A. O'Brien • March 13, 2008 3:51 AM

One feature of the “wireless” connectivity is that the nominal range is under 10 meters. So any exploit of the device would have to be close (or have a really big antenna). If you are that close there are less expensive means to “attack” someone.

The personal information may include your name, the parameters of the device, any recorded heart rate, current heart rate, and body electroconductivity (feature for watching water weight gain).

I asked a prominent electrophysiologist about these sorts of issues. His response was that in his opinion anything that made the job of programming the device quicker was better. In other words there is a medical benefit to a quick and unencumbered interface (either more patients cared for or in an emergency, more rapid care for an individual patient).

It should be noted that the wireless mode of these devices allows a patient to use a bedside monitior that connects remotely to the manufacturer (Medtronic at least) which forwards information to the patient’s physician. This is a system that needs further scrutiny.

As far as the cost of the attack is concerned, it would be easier to steal a proper wireless programmer from a hospital (cost of a hospital orderly uniform approx. $30).

In my opinon, the article left out too much of the context in with these devices operate. The risk of attack is low. There is little or no benefit to this type of attack over of other simpler and less costly attacks.

However, the risk / benefit analysis of wireless access to these devices (missing from the article) is interesting and needs to be discussed on an ongoing basis.

natenido • March 13, 2008 4:02 AM

Some fun quotes from the first article (Halperin, Heydt-Benjamin, Fu, Kohno,
Maisel):

Pacemakers and ICDs [typically contain] a custom ultralow-power microprocessor with about 128 Kbytes of RAM for telemetry storage.
Modern devices use the Medical Implant Communications Service, which operates in the 402- to 405-MHz band and allows for much higher bandwidth (250 Kbps) and longer read range (specified at two to five meters) [than previous generations].
Major pacemaker and ICD manufacturers now produce at-home monitors that wirelessly collect data from implanted devices and relay it to a central
repository over a dialup connection. The repository is accessible to doctors via an SSL-protected Web site.
[They also consider DoS attacks:] For example, an adversary should not be able to drain a device’s battery, overflow its internal data storage media, or jam any IMD communications channel.
Strong security mechanisms, such as
public-key cryptography, can be expensive in terms of both computational
time and energy consumption longevity and performance goals. […] the use of
cryptography can therefore create tension
between security and some IMDs’ longevity and performance goals.

Connecting with the previous blog entry about the landmark ruling by Germany’s Federal Constitutional Court (Bundesverfassungsgericht) which established a new constitutional right to the “integrity and privacy of IT systems”: This may have been influenced by a testimonial from computer science professor Andreas Pfitzmann, who urged the judges to consider the problem of cyber spying in a wider sense – not just online searching of PCs in people’s homes, but also of implanted devices in people’s bodies. He specifically mentioned pacemakers and hearing aids.

(Transcript in German:
https://tepin.aiki.de/blog/archives/188-Andreas-Pfitzmann-vor-dem-Bundesverfassungsgericht.html )

TapeMonkeyAdmin • March 13, 2008 4:20 AM

“I think I heard that they’ve also started experimenting with using magnetic fields to treat mental illness. They’re learning how to alter people’s mental states with magnetic fields. I wonder what the security protocols are there?”

I’m calling a whole pile of BS on this unless you can come up with a peer-reviewed study to back it up. As a survivor of Multiple Myeloma, I routinely have MRIs which are upwards of 30,000 gauss and I have yet to become a manchurian candidate. I fail to see a mechanism by which a magnetic field alone can permanently alter brain chemistry. Of course, I am willing to revise that position if given a peer-reviewed and properly blinded study to show positive results above chance/placebo.

As for the topic at hand, I think the development of security measures for these implants is a sensible reaction to the late-happening realization that the design was never secure. How long did it take cars to have security/safety systems in place that were effective? Seems like a natural progression of the development of the tech to have to consider security and to be honest I don’t see much threat compared to the benefit of the device.

hit man • March 13, 2008 6:18 AM

@Doug Coulter

just how many “hits” are paid for in real life do you think. This is not Hollywood. paying for hits is probably even rarer than terrorist attacks.

Lester • March 13, 2008 7:36 AM

@TapeMonkeyAdmin
“I’m calling a whole pile of BS on this unless you can come up with a peer-reviewed study to back it up.”

My original source was a discussion with my psychiatrist some months ago. Maybe I’ll ask him for “peer-reviewed” research next time I see him. In the meantime, take a look at this IEEE article – http://spectrum.ieee.org/print/3050 . It’s not “peer-reviewed” but it is the IEEE. You have heard of the IEEE, haven’t you? It even has some references at the bottom you could check out.

The Vagus Nerve Stimulation discussed at the beginning of the article turns out not to work so well, or so I heard, but, again, I don’t have the “peer-reviewed” references. The Deep Brain Simulation mentioned near the bottom is the “pacemaker” I mentioned.

For the rest who might not be aware, using magnetic fields to stimulate the brain isn’t all that new. There are even atheistic-materialistic types who claim that religious experiences are simply the result of the temporal lobe having fun. They’ve even built a helmet that induces religious-like experiences by using magnetic fields on the temporal lobe. Of course, temporal lobe epilepsy and some forms of bipolar also involve these experiences, which often go away when the medication works. Unfortunately, again, I don’t have the “peer-reviewed” references.

Those who have access to google can try searching on the words magnetic, field and psychiatry. I can’t say if any of those articles are “peer-reviewed” but some of them come from respected organizations.

People who are seriously interested can also wonder around PubMed. From to the abstract of “Brain stimulation for the treatment of psychiatric disorders.” in “Current opinion in psychiatry”, May, 2007: “RECENT FINDINGS: Within the past year, the results of several large multicenter trials have been published, clearing the way for US Food and Drug Administration approval of vagus nerve stimulation for recurrent treatment-resistant depression and a pending consideration of approving transcranial magnetic stimulation for the treatment of depression.”

As far as the “manchurian candidate” comment, maybe you want to get a clue about what mental illness really is.

David • March 13, 2008 9:02 AM

I remember Edwin Black used this technique as a plot device in his novel “Format C:” – published in Nov 1999.

By the way, don’t type the name of that book at a DOS or Windows prompt.

Sparky • March 13, 2008 10:12 AM

This could, very well, be the perfect murder; change the parameters of the device, killing the patient, then change the parameters back to the original settings. No evidence of any crime being committed, assuming the device does not keep logs of the parameters or communication, which, I think, is fairly safe guess since they didn’t care about any security at all.

Also, because the device has an unique identifier, the “hit-man hacker” doesn’t even need to be around; the whole thing can be automated.

Also, what are they going to do if people start dropping left and right? They can’t just replace all those pacemakers on short notice.

Some people can’t live without them, but not with them either.

Jurgen Voorneveld • March 13, 2008 10:44 AM

Just a small point. This seems like a safety issue to me, not a security issue. I just can’t imagine anyone going out there to kill/harm people by stopping their pacemakers, there are just too many far easier ways of killing.
So basically there are no attackers to worry about, only environmental effects (which, admittedly, can be all kinds of weird stuff since we are using more and more technology). Not that I wouldn’t like some security..

Anonymous • March 13, 2008 6:45 PM

There’s really no need for a cryptographic solution against life-threatening attacks. If such attacks ever became a problem the addition of a low-tech pressure-switch would be enough. The switch would be physically attached to the pacemaker by a shielded wire and could be positioned between a pair of ribs, close enough to the surface to be reached by a probing finger but not close enough to be accidentally activated by everyday activity. Push the switch to power up the communication subsystem to allow the device to receive data. Release the switch to power it down. No power, no hackers getting in, no problem.

It’s marginally less convenient than always-on wireless communication, but at least the recipient of the pacemaker knows they’re not going to be killed by remote control. There might be a tiny window of opportunity if a black hat is ready with a remote control when the patient visits the doctor and turns the wireless on, but that’s movie plot stuff and easily mitigated.

Where constant monitoring is required, transmission (NOT reception) could be left on, possibly encrypted. But that’s a privacy issue, not life-and-death.

@ David: “don’t type the name of that book at a DOS or Windows prompt.”

Why not?

C:>format c:
The type of the file system is NTFS.

WARNING, ALL DATA ON NON-REMOVABLE DISK
DRIVE C: WILL BE LOST!
Proceed with Format (Y/N)? n

No problem. 😉

Alan • March 13, 2008 7:39 PM

Bruce? I thought this was old news. I take it you haven’t read RAIN FALL by Barry Eisler? Here’s the pdf of the first chapter.

http://www.barryeisler.com/Rain_Fall_Chapter_1.pdf

False Data • March 14, 2008 12:28 AM

Bruce wrote: “The general moral here: more and more, computer technology is becoming intimately embedded into our lives. And with each new application comes new security risks. And we have to take those risks seriously.”

The thing that makes computer security unusual is that it’s easy to replicate hacks: one smart person figures out how to break a piece of code and makes a tool, which others can copy at extemely low cost, and suddenly every script kiddie can break that piece of code. I’ve been thinking for a while that perhaps it’s time to use that same trait to the white hats’ advantage.

Not every coder can be an expert on best practices for reducing bugs, but smart ones can create languages that encourage design patterns that reduce bugs. (Specific examples that come immediately to mind are structured programming and elimination of memory leaks by eliminating manual memory management.) Similarly, not every coder can be an expert on computer security; so far, efforts towards that end have been less than successful. But perhaps it’s possible to design languages and operating environments that encourage design patterns that lead to better security. I’m not thinking so much of libraries, but of languages and operating systems, because they drive the paradigms that people use when thinking about code design.

jayh • March 14, 2008 9:02 AM

mostly overhype.

There are far more effective technologies for harming someone that don’t depend on you having exotic equipment and their having a vulnerable heart device (simply use a gun)

Every day you encounter hundreds or even thousands of strangers who could if they were inclined harm or kill you… but they don’t. this is just one more minor footnote in the number of possible ways to harm someon.

Lester • March 14, 2008 4:01 PM

What is wrong with a technique used by older pacemakers:Place a strong magnet over the pacemaker closing a reed switch, which then allows the device to communicate. The pacemaker can still be read and programmed through a wireless interface, but not without the patient’s knowledge. This would do away with the need for the encrypted link while ensuring privacy.

Doug Coulter • March 15, 2008 11:57 PM

@kevin
“It’s important to differentiate between zapping someone with a pacemaker and being able to subtly manipulate what the pacer is doing. I think you’re right that the ease with which you could just stick someone with a taser means this isn’t the most efficient way to go about killing someone.”

I agree about the differentiation, and am sorry I didn’t do a better job of explaining myself. I didn’t even think about subtly messing with a pacemaker, (great idea) as I don’t think this is anything but a movie plot threat.
Now I wonder…

The portable EMP generator I was thinking about was actually built and used by myself and some friends in high school in the late ’60s. There wasn’t much stuff to use it on then, but it really whacked the school’s synced clocks/bells and PA system, to the amusement of all the students. No backpacks then, we used a briefcase. Much better stuff is now available, but our device worked from quite a little distance with little or no obvious giveaway how it happened (it was helpful to have a friend drop some books as it was triggered to mask the acoustic noise it made). We later turned it into sort of a super taser to handle the bullies, which were a real problem then (and probably still).
Beats going postal and shooting up the whole school.
The bad guys learned to leave off hassling the science club members real fast.

“What is an issue is that this could potentially allow you to harm someone in a way that looks like an accidental pacemaker failure, or perhaps just jiggle their heart rate around every night while they sleep to cause a slower natural looking decline.”

Ooohhh — that’s far nastier than what I’d imagined.
And very subtle/clever. Good thing most of the bad guys wouldn’t get it, and from long experience with them, neither would “the agencies”. You can join my imagination club anytime. If you’d have us, that is.

@hit man

Surely rarer than terrorist attacks worldwide! (unless you call them paid hits, which many of them are — I heard families got paid if a member did the detonation thing…) Here, (USA), hits are probably more common as there are few real terrorist attacks indeed.

I agree with Bruce on the “special olympics for terrorists” comments (and the person who pointed out this is an insult to the merely mentally challenged) — most (all?) of the threats prevented by our loss of civil rights weren’t credible in the least.

I do hear of convictions for paid-for hits now and then on the news — not just in movies (which I generally don’t watch). Some divorces seem to get too exciting, for example, leaving the professional criminals, or just drug gangs, out of it for the moment. One of the guys in my gun club (not a criminal, or hit man — quite the opposite, as is the usual case there) was approached, for example — and shown real money, cash now. He told the lady to sober up and left it at that, as far as I know. I suppose he should have gone to the authorities, but he didn’t want to get in any trouble he didn’t deserve to be in — and the “target” in question is still OK — evidently the sharp rebuke actually sobered the woman up.

I hear there are police/FBI types who pretend to be “real” hit men in order to troll for this, arrest the would be payer, and prevent the real thing. If so, good for them! IIRC I’ve heard of some busts from that. You’d think an amateur would realize that anyone they easily found claiming to be in that business…couldn’t be for real, as if they were pro, you’d never know it. Guess that’s what makes an amateur what they are, though.

@jayh

Agree totally. But fun for the imagination, no?

@Lester
Good thought.
As an engineer, tricky, but possible to implement — but the basic idea is sound, and there are other proximity-only approaches possible. Older tech was more resistant to the voltages induced on conductors by moving the magnet near to and away from the patient than the new stuff tends to be. It would take more junk (shielding or a better PCB layout that thought of this) in the patient to do it this way, which is usually not a good thing.

I suspect, as usual, that the designers just didn’t think about security at all. Like people writing software in the days when one rented time on a computer and computers did not regularly communicate with the world — “who would want to mess up this nice, valuable resource?”

As Bruce has pointed out, the internet changes lots of things. You now have to worry about threats from everywhere, not just the local ones. This message hasn’t gotten out well enough yet.

Kim Black • March 19, 2008 11:12 AM

Scarier notions:

I have the latest model of wireless ICD in my upper chest. It took two surgical operations (60 grand and counting) to implant and two 4 inch scars. It requires a new battery periodically, so every 3-4 years or so, I’ll go back in and have another surgical procedure, hopefully not two like the first go around. The device saved my life.

Next to my bed is a device that communicates with the device and sends the information via a telephone to the manufacturer. A doctor is supposed to subscribe to that service, but mine doesn’t, so the info is just going into limbo. If I keel over or the device doesn’t work properly, no one will be notified. The device gives me no information, it just tells me the last time it did a reading.

Now, I have to worry about a hacker being able to ‘possibly’ access the device and cause the device and my heart to malfunction. Great, I’ll just add it to the list of other things to worry about. Maybe someone could invent a light on the device that flashes when I’m in a dangerous situation – hacker alert, magnetic device. I can be my own Christmas tree.

Roger • March 20, 2008 6:07 AM

For the benefit of the many commenters here who didn’t bother to read the article: this isn’t just about pacemakers. The pacemaker they studied in detail was a concrete example, but the flawed protocols they attacked are intended to be widely deployed in an ever expanding range of bionic therapeutic or diagnostic aids.

Today it may just be the people with severe heart disease, but unless the security=safety message is rammed down the throat of manufacturers, pretty soon we will be talking about whatever more profitable implant market they find next: the 20 million USAians with type II diabetes, the alleged 5% of children with ADHD, the 2.5 million women already using contraceptive implants…

GraniteKey • March 26, 2008 12:03 PM

My company specializes in security consulting and integration of cryptographic modules in embedded devices. We were recently given a project by a medical device manufacturer who wanted security implemented in their medical device. We decided to research this new vertical market (for us) and I was shocked to discover the dearth of security in medical devices. I assumed that it would be fairly easy to get some new business. As it turns out, it is not, and the reason is the FDA. Since the FDA does not mandate that medical devices are secure against hacking, manufacturers simply do not implement defenses in their devices. Sure, there are some that want us to secure their devices, but this is mostly driven by the competitive advantage gained by such secure implementations. Most device manufacturers who are interested in what we can do have already been financially compromised by not having security in their devices, and this includes manufacturers of medical and non-medical devices. In other words, the approach is not proactive, but reactive. I am happy to see these issues making their way into the public eye. Not only because it may provide us more business, but also because since I have become aware of the vulnerabilities, I am literally nervous about medical devices being used on me and my loved ones.

Hacking Medical Devices

Comments

Leave a comment Cancel reply