Researcher claims feasibility of writing lethal wireless pacemaker viruses

In a presentation at the BreakPoint security conference in Melbourne, IOActive researcher Barnaby Jack described an attack on pacemakers that could, he says, deliver lethal shocks to their owners. Jack claims that an unspecified pacemaker vendor's devices have a secret wireless back-door that can be activated by knowledgeable attackers from up to 30 feet away, and that this facility can be used to kill the victim right away, or to reprogram pacemakers to broadcast malicious firmware updates as their owners move around, which cause them to also spread the firmware, until they fail at a later time. Darren Pauli from Secure Business Intelligence quotes Jack as saying,

“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range,” Jack said.

He was developing a graphical adminstration platform dubbed “Electric Feel” which could scan for medical devices in range and with no more than a right-click, could enable shocking of the device, and reading and writing firmware and patient data.

“With a max voltage of 830 volts, it's not hard to see why this is a fairly deadly feature. Not only could you induce cardiac arrest, but you could continually recharge the device and deliver shocks on loop," he said.

Manufacturers of implanted devices have been resistant to calls to publish their sourcecode and to allow device owners to inspect and modify that code, citing security concerns should latent vulnerabilities be exposed, and put implantees at risk. But as Jack's presentation demonstrates, vulnerabilities can be discovered without publication -- and if they are discovered and not disclosed, they may never be patched (or may not be patched until coming to light in some kind of horrific attack). In other words, secrecy helps bad guys, but keeps good guys and innocent bystanders in the dark.

Hacked terminals capable of causing pacemaker deaths (Thanks, Jon!)

(Image: Atlas Pacemaker, a Creative Commons Attribution (2.0) image from travisgoodspeed's photostream)



  1. The only thing that saves this from being true nightmare fuel is the very low likelihood of other same-brand pacemakers within 30 feet.  If your thing got virused, the virus would have a hard time spreading.

    But still.  Yeeagh.

    1. Spread the virus through old folks homes, cardiology labs (high chance all patients in a single lab might have the same brand, I’d guess), anywhere the elderly congregate to increase the overall probability of pacemakers in general. Set your “Heartbreaker” to go off after, say, one week or so. I think that might cause enough mayhem.

    2.  And just to be clear, the pacemakers don’t spread the virus — they only receive it. They programmer device spreads the virus. Cory has either misread or misworded that part of his comment. It would take someone bringing a programmer to the Republican Convention or some other place with lots of potential victims — you couldn’t just turn someone with a pacemaker into a walking bomb.

  2. OK, but why would hackers do this?  Just to cause sh!t?  I can see, say, Iranians doing this if the US turns up the screws more, but who wants to kill a bunch of old people they don’t know?  Unless, of course, it was a cover for killing ONE old person so they could inherit, say, $5 billion dollars.

    1.  Think of a variation on the old “Lock you in a bomb vest and make you rob a bank for me”- this one would be so much more subtle. All you’d need to do is perform some non-lethal shocks to convince the victim you mean business.

      Sounds like the next caper movie to me!

    2. …but who wants to kill a bunch of old people they don’t know?

      Well, you clearly don’t live in Palm Springs or Fort Lauderdale.

    3. Makes you wonder if someday insurance companies will insist on post-mortem examinations of the devices for signs of tampering in cases of strange cardiac deaths.

    4.  “who wants to kill a bunch of old people they don’t know?”

      Governments, corporations, and bigots.

    5. Iranians can be hackers too, as can people of any nationality.

      If the one person you want to kill is the president of a rival country, or CEO of a rival company, it could get very movie-plot plausible (which is to say, not usually plausible, but occasionally freakily prescient).

    6. You make the mistake of assuming “hackers” is a giant monoculture of peaceful, white-hat-wearing geeks working for the good of all mankind. It’s not too beyond the pale to imagine some misanthropic nerd doing this “just for the lulz.”

    1. But you have to BE there! This way your mark can drop dead at a specified time and place. Preferably while you’re in full view of a large number of people. 

  3. Shit that goes into your body should be open source, period. Security through obscurity is a sure way to fail.

    That said, I am not all that terrified.  Body hacks are scary in theory, but in practice, it is about as scary as some dude wandering around poisoning people.  You need a combination of sadism,technical capability, and lack of fear of consequences that is just so damned rare it isn’t worth worrying your pretty little head over so long as there is cancer, heart attacks, and cars driven by your fellow humans.  

    A smart sadistic human with no fear of consequences could do far worse than whack a few pace markers.  With access to just the chemicals I have at work I can think up at least a couple of ways to murder a pile of people in very terrible ways that would be very hard to trace to me.  Lone killers are just not worth the bother of worrying about. Hell, I think DHS should be tossed in the trashcan because organized terrorist are not worth worrying about either. What can I say though, I am a crazy fellow who only thinks you should worry about things that stand at least a slim chance in hell of killing you.  Fear cancer, heart attacks, and cars.

    1. Open source is a complete non-solution here. How do you verify that the code running on a pacemaker matches any particular branch of source code in a publicly accessible repository? How long is the company who builds the pacemakers supposed to wait around for someone to look through the code to try and find problems like this before they start putting the code on actual pacemakers and shipping them?

      One of the biggest myths that people seem to have about open source software is that there are thousands of qualified people out there reading through it for no other reason than because they think it’s an interesting way to spend their evenings. This is not the case.

      1. The point isn’t to have branches and or even public contributions.  The point is to have the code available for inspection.  Interested parties should be able to examine the code and look for weakness.  Security through obscurity simply doesn’t work.  

        Will armies of people tear into the code?  Probably not.  Will a few security folks and nerds with giant batteries attached to their heart take an interest?  Probably.

        If nothing else, it encourages non-shitty coding practices.  It is one thing to write bad code and hide it.  It is another thing to write bad code for a life critical device and then have everyone be able to look at it.

    1. Unless you are using this as a cautionary tale, it has very little relevance to jinxing pacemakers.

      1. Same security researcher (Barnaby Jack) doing the same thing (infecting an embedded device with malicious firmware), but with very different consequences

      2. It’s some interesting background information on the related professional history and approach of the researcher.  I can hardly imagine a more relevant link.

  4. “They had spent two years of team effort figuring out how to use mobile phone technology to hack into a pacemaker and turn it off by remote control, in order to kill a person…The reason I call this an expression of ideology is that there is a strenuously connected lattice of arguments that decorate this murderous behavior so that it looks grand and new. If the same researchers had done something similar without digital technology, they would at the very least have lost their jobs. Suppose they had spent a couple of years and significant funds figuring out how to rig a washing machine to poison clothing in order to (hypothetically) kill a child once dressed?…These are certainly doable projects, but because they aren’t digital, they don’t support an illusion of ethics.”
    Jaron Lanier, You Are Not a Gadget, p. 65

    I’m not sure if I back Lanier’s attitude that the tech angle “supports an illusion of ethics,” but the contrast he draws (which is probably a problematic analogy in ways that don’t occur to me right now) seems to illustrate a certain amount of paranoia we have toward the digital that we don’t have toward, say, the mechanical. Like, why aren’t blog posts going up about the remote, but real, possibility of people poisoning the machines at your local laundromat, but they are going up about the remote, but real, possibility of someone flashing a virus to your pacemaker?

    1. Because there are people spreading viruses to all kinds of equipment. It’s something the every-day person is dreadfully familiar with, often because they keep having to get their machine scraped clean.

      Their experience of malware is that it is mysterious and unstoppable AND a universal constant.

      Telling the person who’s got three unwanted toolbars and who’s World of Warcraft account keeps getting hacked that the same asshats that do that sort of thing to their desktop could do that to their grandfather’s heart is very believable.

  5. In the ‘hack’ environment, a real and practical use for that virus has been overlooked.

    Many of these pacemaker/defrib devices have been implanted into bodies whose brains are degenerating at an exponential rate. Visit any Alzheimer’s care unit and you will see people who are essentially only alive because of these devices.  Families do not have the ability to turn OFF these devices. 

    If you want to get a real feel for what a zombie really looks like; visit any long-term care facility filled with people who have severe Alzheimers.  Alive, only because of the steady shock to their hearts provided by that machine.

    These facilities charge anywhere from 5k to 12k per MONTH for the care provided; now it’s an economic issue.

    As an aside, I’ve heard the rumor that passing a very strong magnet over the chest of someone with this kind of device will booger it up enough to render inoperable.

Comments are closed.