Kevin Fu (associate prof at UMass Amherst/director of the Medical Device Security Center) gave a Black Hat presentation in Vegas yesterday in which he demonstrated a way of remotely disabling a pacemaker, using open radio technology. It sounds like other implantable devices, like those used for auto-administering drugs, would also be vulnerable to the attack. The attack relies on the fact that the control protocol for these devices does not use any cryptographic security -- that sounds like it'd be easy enough to fix for future models. Not sure how you'd field-patch the 2.6 million devices that have already been installed to date, though.

A computer acts as a control mechanism for programming the pacemaker so that it can be set to deal with a patient’s particular defibrillation needs. Pacemakers administer small shocks to the heart to restore a regular heartbeat. The devices have the ability to induce a fatal shock to a heart.
Fu and Halperin said they used a cheap $1,000 system to mimic the control mechanism. It included a software radio, GNU radio software, and other electronics. They could use that to eavesdrop on private data such as the identity of the patient, the doctor, the diagnosis, and the pacemaker instructions. They figured out how to control the pacemaker with their device.
“You can induce the test mode, drain the device battery, and turn off therapies,” Halperin said.
Translation: you can kill the patient.
Defcon: Excuse me while I turn off your pacemaker
Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses
(Thanks, Kiltak!)
I’m sure Cheney has one that’s lead lined and nuclear powered.
this seems like an idea that was released 5 years before zero-day.
no encryption? Not even a 4 number PIN or something? Jesus that’s ignorant.
… they say replay attacks work, eg. you can ignore any replies from the pacemaker and reprogram it by a one-way conversation.
… and these things communicate on 175kHz. That’s long-wave (eg. radio 4 is 198kHz in the UK), as in it diffracts round buildings and reflects off the ionosphere, and isn’t line-of-sight.
… I wonder how sensitive the receiver is in those pacemakers?
… I wonder if you had a high power amplifier and a spare antenna tower, if you could implement an “area denial” / “country denial” on people with implanted pacemakers?
… I wonder if that kind of research gets funded?
* looks up DARPA *
Ok, you’ve scared me now!
I’ve had a pacemaker since my mid twenties and I’m not keen on it being turned off any time soon! I’m 31 and WAY too young to die!
“I’m sure Cheney has one that’s lead lined and nuclear powered.”
He has a heart???!!
Hmmm… this would make a good plot for a movie about a serial killer… or a shitty episode of CSI. Either way.
“Science, we’re all about COULD’A, not SHOULD’A”
This sounds exactly like the first chapter in Barry Eisler’s Rain Fall, a 2002 novel where a hitman uses a PDA to reprogram his target’s pacemaker as he’s standing next to him on the subway.
Man, I hate it when cyborgs complain whenever one of them gets cyberbrain sclerosis, or their heart turned off by a hacker, or something like that.
Bunch of big metallic babies.
This wouldn’t even have to actually work to be effective. Now that the info is out that pacemakers are remotely hackable, pacemaker wearers are vulnerable to malicious pranking by people pretending to take control of their hearts.
And they thought all they had to do was stay away from microwave ovens.
Why wld y pst n rtcl lk ths? thght tht bngbng ws gnrlly ltrstc blg st, s why r y gys ndrctly ncrgng ppl t ptntlly kll ths wth hrt prblms? My dd hs pcmkr, y prtnts jrks. Why dn’t y wrt bt smthng ttrly slss & brng lk stmpnk t clttr th mss mnd wth pntlss dstrctns nstd lk y’r gd t…
I’ll be selling copper mesh tee shirts
@10
pretending a threat does not exist doesn’t make it go away. I can absolutely guarantee the manufacturers knew and did nothing. Now they have to.
Takuan- true, but I predict the way this threat will be made to “go away” is by outlawing the tool used in exposing it: software-defined radio.
cat’s out of the bag, that won’t work. 99% plus of any threat will go away with encryption. Minimal expense on new ones, who knows on installed. Once again, corporate short-sighted greed threatens us all.
@Takuan, It’s because these things typically get designed by medical experts rather than security experts.
by contrast, Bruce Schneier’s pacemaker uses an elliptic curve cipher suite and automatically launches counter-attacks by reprogramming the hacker’s software radio. …
Yeah, well my dad’s pacemaker could beat up your dad’s pacemaker!
Sounds like a good plot for a terrorist movie. Time to raise the threat-level meter!
I’d like the device to make my girlfriend’s heart beat faster when I enter the room, and slow down when I leave.
Or I’d like it to make her want to eat more red meat.
This could take awhile…
#9: “Pacemaker wearers are vulnerable to malicious pranking by people pretending to take control of their hearts.”
That in itself could be enough to cause some people heart problems too.
Didn’t Medtronic also have a recall recently? I used to work for a competing medical company in their same neighborhood and I swear I remember hearing something about that.
Reminds me of that scene in John Cameron Mitchell’s Shortbus, where Ceth’s “Yenta 650” inadvertently makes the mayor’s pacemaker freak out.
This is an old story (I don’t know if it was Dr. Fu or someone else a few months ago). At least two issues are conflated here: the pacemaker can deliver a fatal shock, and it can be remotely attacked, but it turns out it can’t deliver a fatal shock remotely. Not to mention these are low power devices that only function when the heart is going into arrhythmia (or heart attack). So the theoretical attacker would have to wait for the victim’s heart to go into arrhythmia, and be away from medical assistance, and then MAYBE the victim will have a heart attack that the pacemaker would have helped prevent… The problem with black hat conferences is that the speakers are automatically tempted to lie and BS, not to mention wildly exaggerate.
CUVTIXO – I think the point is they can be reprogrammed to just not work. My father has his checked out a couple times a year and tuned as needed – not significantly different from a car computer, except wireless by necessity.
It devolves to reality as in all things. Yes we can exploit weak security in any aspect of life. There are areas where security was not considered as needful. This is a potential example of real risk Vs fantasy risk being misjudged. As my understanding of what would be involved is sort of non trivial to actually kill a person tracelessly. The NVRAM of most such devices has an audit log. The fact of any alteration in the timeline of the NVRAM would show up like a Charolais Bull in a lineup of white mice. As would erasing it entirely. So even if it really were made to “work”?
While the hypothetical victim would be no less hypothetically dead- the MO would be screamingly obvious. And thus establish a suspect pool. Field strength at these frequencies is problematical. That old law called Inverse Square. Radio 4 to an aerial in free air or a ferrite rod Vs an implanted device? Two vastly incomparable scenarios. Look up the transmitter power of Radio 4! Then look at the transmitter antenna dimensions ..that alone is almost a game stopper. A coil head or maybe a box coil but inverse square law makes this seem dubious for an in vivo exploit at distance.
For distances greater than single inches to feet?
A plastic garbage bag or similar low tech might prove way more overall effective in every aspect.
@ #21 Ryan:
Medtronic’s had a few recalls. The one I’m aware of is a particular run of internal defibrillator leads (leads are the wires that actually go to your heart). Some leads can somehow fracture and short circuit and suddenly the patient is being shocked over and over again for no reason.
It’s not particularly unusual for medical devices to be recalled, and the expense can be staggering because it can require a surgery for each and every patient who received the device.
Recalling every pacemaker ever installed would be insane. Maybe there’s some way to flash the firmware to add encryption to some of them? Here’s hoping.
This could be a great way for young hackers to leverage some of the power in the household.
“Son, go mow the lawn.. wait, is that??, AGH STOP YOU’RE KILLING ME, OKAY OKAY I’LL DO IT JUST STOP”
I work more on the electrical behavior of the heart itself rather than engineering the devices, but it’s my understanding that to program an implanted pacemaker or defibrillator, you have to transmit the signal essentially right on the patient’s chest. You can’t, for example, stand in a crowd and aim an antenna at someone to turn off their pacemaker, or set it to the wrong mode. There is a signal strength issue.
If that could be overcome, then yes, it could be possible to program a pacemaker to operate in such a way as to actively induce an arrhythmia. A single mistimed ventricular pace, then a pause afterwards, could be enough to induce VT or VF (ventricular tachycardia and ventricular fibrillation).
cheaper to bash them on the head with a rock.
The exploit is irrelevant. You can buy a programmer on Ebay.
BTW: Doctors don’t generally tune pacemakers. Sales reps for the medical companies do.
Is it wrong for me to instantly think of DICK Cheney with misty eyes and a dreamy look on my face?
…no, it is not.
That’s terrible. A likely scenario might involve a murderer who wishes to collect on their inheritance sooner rather than later, and induces a heart attack on grandma. I think we all know there is no shortage of such monsters in the world, masquerading as humans.
I hope this major flaw is addressed ASAP, before any murderous people try to exploit it. Maybe writing letters to the manufacturers would help?
@ #12 “Why wld y pst n rtcl lk ths? thght tht bngbng ws rgnlly ltrstc blg st(???), s why r y gys ndrctly ncrgng ppl t ptntlly kll ths wth hrt prblms? My dd hs pcmkr, y prtnts(???) jrks. Why dn’t y wrt bt smthng ttrly slss & brng lk stmpnk tht clttr th mss mnd wth pntlss dstrctns nstd lk y’r gd t…”
Mithrandir,
You’re on a time-out. You may apply to Teresa for reinstatement.
As I understand it, the GNU Radio project is already a bit embattled. Things like this cannot be anything but bad, possibly spurring new regulations, and leaving a dark cloud over the devs.
To those who say this is no better than a rock or a plastic bag — this looks like a natural occurrence. If you can think of a way to get a transmitter close to a victim, this method of killing gives you your own cover! There is no noise, no fuss — you don’t even have to be there at the time. The guy is stricken, dies, the paramedics are called, *not* the police, and the device can be retrieved a few hours later by a confederate who knows nothing about the murder. The fact that it doesn’t work at a distance actually makes it easier to use. What if the device is disguised as a piece of broken electronic equipment? It would be easy to substitute an identical actual broken item. Who’s going to suspect the old VCR in the back seat?
Is this site really so precious that it can’t take one negative discussion comment? I wrote that I didn’t appreciate how this article broadcasted to the world that there’s an easy way to kill people with pacemakers. Instead of just taking the message down, they decided to be pretentious and take out the vowels. How cleverly information-agey of you…Let’s see if they do it again…
Dwokoneseus,
Your previous comment was disemvowelled because it was rude, not because it expressed an opinion.
let’s see..two comments, both hostile and contributing nothing…. hmmmm, what to do…what to do?
When someone publishes the MAKE article explaining how to adjust the live yoghurt incubator to run at 37.3^C, along with the genetic source code of ‘airborne ebola’ and details of how to mail-order the RNA plasmids that will turn Yakult into the raspberry-flavoured harbinger of the next apocalypse… then we need to worry.
This pacemaker attack is not that easy to carry out.
The article doesn’t give any of the specific waveforms that would cause harm, it just reports it was possible to find them out and replay them.
I repeat the base tech issue of required field level. There’s more “real” worry of an event from external RF sources you never would suspect. Which is information usually explained to persons as part of caregiver pre-surgical consulting.
As for the Software Defined Radio concept becoming entangled in such dubious at best exploits? I worry more in the real world about cell phone jammers blocking 911 calls. Which scenario of someone dying from that blocked EMS call is certain to be a when not if. The resultant and justified wrongful death suits should be educational. And quite ethically consonant with the starting topic of this thread.
SDR and other projects do have an operator/coder mindfulness “duty” so to speak. Screwing up certain areas of the RF spectrum CAN and WILL kill. Has done so in fact if some blocked fire radio calls count. It all comes back to ethics and responsibility.
Our “concept presenters” have ethically scored the point of disclosure to the public. We may not agree on the how. We dare not EVER risk suppression of the WHY. That why is a corrective feedback path of last resort for dangers in our world. Dangers that need some careful consideration.
As does Fire.
Encryption, PINs, or passwords sound great until you consider that any emergency room, EMT, and cardiologist’s office in the country needs to be able to access the pacer at a moment’s notice in order to render possibly life saving treatment. The patient may arrive unconscious, or even if he’s not, he may not know the PIN. You could put a key on a medical ID bracelet but how many people wear those things after the first six months?
No, right now I can pass out where I please and wherever I end up, they’ll be able to talk to my pacer. Force the manufacturer to encrypt it and one day I might end up turning blue on a table while the nurse is on hold with tech support. No question, I’m coming back to haunt the fool who forced encryption. I hope he’s ok with books flying off the shelf for no reason because I’ll be relentless.
I hope this major flaw is addressed ASAP, before any murderous people try to exploit it. Maybe writing letters to the manufacturers would help?
oyun27,
Your link goes on your profile page. Thanks.
the market will respond. First, rich, evil, old men who believe for good reason many want them dead will insist on hardened pacemakers. They are the natural first targets because of the extreme effort required to use this approach. After them, low cost de rigueur tech will benefit the rest.
I remember discussing this basic problem on comp.risks in ’98-’99 as there was an article about needing to update the firmware on some pacemakers for Y2K, and the process was wireless.