Defcon: Excuse me while I turn off your pacemaker

August 8, 2008 | Dean Takahashi | Comments | |

The Defcon conference is the wild and woolly version of Black Hat for the unwashed masses of hackers. It always has its share of unusual hacks. The oddest so far is a collaborative academic effort where medical device security researchers have figured out how to turn off someone’s pacemaker via remote control. They previously disclosed the paper at a conference in May. But the larger point of the vulnerability of all wirelessly-controlled medical devices remains a hot topic here at the show in Las Vegas.

Let’s not have a collective heart attack, at least not yet. The people on the right side of the security fence are the ones who have figured this out so far. But this has very serious implications for the 2.6 million people who had pacemakers installed from 1990 to 2002 (the stats available from the researchers). It also presents product liability problems for the five companies that make pace makers.

Kevin Fu, an associate professor at the University of Massachusetts at Amherst and director of the Medical Device Security Center, said that his team and researchers at the University of Washington spent two years working on the challenge. Fu presented at Black Hat while Daniel Halperin, a graduate student at the University of Washington, presented today at Defcon.

Getting access to a pacemaker wasn’t easy. Fu’s team had to analyze and understand pacemakers for which there was no available documentation. Fu asked the medical device makers, explaining his cause fully, but didn’t get any help.

William H. Maisel, a doctor at Beth Israel Deaconess Hospital and Harvard Medical School, granted Fu access for the project. Fu received an old pacemaker as the doctor installed a new one in a patient. The team had to use complicated procedures to take apart the pacemaker and reverse engineer its processes. Halperin said that the devices have a built-in test mechanism which turns out to be a bug that can be exploited by hackers. There is no cryptographic key used to secure the wireless communication between the control device and the pacemaker.

A computer acts as a control mechanism for programming the pacemaker so that it can be set to deal with a patient’s particular defribrillation needs. Pacemakers administer small shocks to the heart to restore a regular heartbeat. The devices have the ability to induce a fatal shock to a heart.

Fu and Halperin said they used a cheap $1,000 system to mimic the control mechanism. It included a software radio, GNU radio software, and other electronics. They could use that to eavesdrop on private data such as the identity of the patient, the doctor, the diagnosis, and the pacemaker instructions. They figured out how to control the pacemaker with their device.

“You can induce the test mode, drain the device battery, and turn off therapies,” Halperin said.

Translation: you can kill the patient. Fu said that he didn’t try the attack on other brands of pacemakers because he just needed to prove the academic point. Halperin said, “This is something that academics can do now. We have to do something before the ability to mount attacks becomes easier.”

The disclosure at Defcon wasn’t particularly detailed, though the paper has all of the information on the hack. The crowd here is mostly male, young, with plenty of shaved heads, tattoos and long hair. The conference is a cash-only event where no pictures are allowed without consent. It draws thousands more people from a much wider net of security researchers and hackers than the more exclusive Black Hat.

Similar wireless control mechanisms are used for administering drugs to a patient or other medical devices. Clearly, the medical device companies have to start working on more secure devices. Other hackers have figured out how to induce epileptic seizures in people sensitive to light conditions. The longer I stay at the security conferences here in Las Vegas, the scarier it gets.

Next Story: PartnerUp’s Weekly Opportunities
Previous Story: California Supreme Court says noncompete agreements are illegal

Bookmark and Share

Photo of Dean Takahashi

About the Author, Dean Takahashi

Dean is lead writer for GamesBeat at VentureBeat. He covers video games, security, chips and a variety of other subjects. Dean previously worked at the San Jose Mercury News, the Wall Street Journal, the Red Herring, the Los Angeles Times, the Orange County Register and the Dallas Times Herald. He is the author of two books, Opening the Xbox and the Xbox 360 Uncloaked. Follow him on Twitter at @deantak, and follow VentureBeat on Twitter at @venturebeat.

  • Yeah I mean this is seriously fucked. I'm all for the research but not too happy that this even presents the idea to the public. I mean how many people even thought of remote controlling a pacemaker before this? My 2 yr old niece has a pacemaker and this is seriously scary stuff.
  • Every computer geek, engineer, and hacker thinks of it as soon as they hear that they can be remote controlled. Security by obscurity is a lie.
  • DS3M
    Weird... By Your Logic you would rather not know that there is a killer in your neighborhood, even as he creeps through your side door?

    Come on, you have a family member with one of these, of course you should be concerned that there is a flaw that went (relatively) undetected and was certainly not locked up by the manufacturers.

    Wouldn't you rather the "good guys" know about it than the bad ones?

    It works well that the companies didn't hand over their specs freely; that the researcher (Kevin Fu) was up front and honest [and managed to get some help from Harvard] made it better.

    It shows it can be done by someone with skill and access, both of which are likely to be low enough all around to prevent your average russian hackers from pulling off "Heart Stop USA 2010."

    In any case, I am the type of person that considers biomechanical integration something to be weary of. I would opt to die or have some other surgery than have a pacemaker. Straight up.

    I am also aware that most things that are mechanical are up to receive interference...
    Not interested in letting the man implant and then zap me at their will...
  • rayden54
    That's not right.

    It isn't ignorance is bliss. You see now both sides know. Is it worth telling the bad guys to keep the good guys informed?

    To put it into a metaphor, it would be like telling everyone in town that your door's unlocked. Not everyone is a killer, sure, but it only takes one.

    As far as the "skill and access" thing goes. They may be low, but one person can do a lot of damage. Especially if this attack can be done remotely to more than one pacemaker at a time.
  • K
    This is a more dangerous repeat of what happened with Garage Door Openers back in the 80s. Although the door receivers used infrared and not radio waves, thieves found it was easy to build a custom remote control that "sprayed" the neighborhood with every possible door code. Even worse, many garage doors were left with the default PIN code and never changed, and in suburban developments that means every house usually had the same make and model of garage door engine... I remember watching 20/20 where the reporter and a P.I. drove through a suburb opening every single garage door one after the other.

    Modern garage door openers defeat this problem using pairs of random numbers keyed into each remote control. You have to get up on a step ladder and hold a button on the opener while holding the remote controls button simultaneously for them to "pair" and exchange random numbers. The numbers use public/private key exchange, so even if a cracker uses software to guess one number, he still can't open the door.

    Fast forward to pacemakers: it's a similar problem. The wireless controller and the pacemaker need to use secure communication to authenticate each other, or else anyone could send the pacemaker commands. The greatest is not evil hackers murdering pacemaker-wearers remotely but accidental reprogramming sent to the pacemaker. Imagine if some other device, like a child's toy walkie-talkie, sent a radio signal that matched one of the pacemakers command sequences exactly. Since the pacemakers today seem to accept commands with no security the child's toy could accidently adjust the pacemaker rate faster, slower, off, into test mode, whatever. At the hospital, the doctor might never figure out that it was accidental radio interference that caused her pacemaker to malfunction. Similar problems have happened with computer networks, where packets for one protocol (AppleTalk) are mistaken by the router for other packets (like RIP, BGP, or DECNET) causing weird network problems.

    So, while it's easy to crack jokes, these guys have found a serious flaw with these medical devices and the manufacturer needs to fix it. Over on consumerist.com, there's another story of apathetic radio device design:

    http://consumerist.com/5034950/fisher+price-wal...
  • Agreeing with people on the comments below. People should shut the hell up about this kind of research. It is information warfare of a low-level kind. Just imagine how these researchers have made all the people with the devices implanted feel. Of course they will rationalize their hobby with, "It's responsible and protective." It goes to show that we need to find new ways to deal with these kinds of issues in a world where everything is just one press away from publish.
  • rethinking my words, I do see the responsible side to this research. I just believe how the community talks to itself can be an issue if it impinges on well being of patients. I do concur with Al above that "Security by obscurity is a lie". Just do it more discretely. Talk to the company directly and drop the blogging about it and gaining kudos by opening your mouth at a security convention, however cool it may reflect on you.
  • The sad reality is that companies won't respond to security issues unless there's a response from consumers. However disheartening (no pun intended) it may be, consumers have a right to know the risks that are present in the devices implanted in their bodies.

    Now that the vulnerability is demonstrated, manufacturers will hopefully phase strong encryption into their control protocols.
  • DS3M
    Not sure if you read the article, but Fu attempted to contact the pacemaker companies for specs, while fully explaining the research task ahead.

    Most companies will be thick headed and rebuff a hacker that says "I have found a flaw here here and here, I can exploit it in this fashion, I can do this within your systems, help me help you and we can solve it and close it together."
    Others will integrate them into R + D for their software
  • AnonymousInGermany
    "The crowd here is mostly male, young, with plenty of shaved heads, tattoos and long hair."

    Never heard of this exploit... Hair spoofing?
  • Jim McDosh
    Wow that is some pretty amazing stuff.

    Jt
    www.FireMe.to/udi
  • alpha bravo
    There has long been an EMP attack for these devices that works on all of them. Inducing large pulses in the wiring triggers fibrillation. Welcome to the 21st century.
  • Just figuring this out? My brother and I used to do that four years ago with our grandpa's old ticker when he had his replaced. You can get at those things with nothing more than a laptop and a ham radio as long as you have a full frequency spectrum and the right adapters.
  • DS3M
    My Father in Law cant be around old microwave ovens.
    They gotta be newer than 2002 or something...
  • E-Man
    Yep. Those granddaddy Cylon Model Ts did have that peculiarity. That, and the roving red eye that didn't let you shoot (or spank) straight, either.

    @-)

    One of my Granddads had a clock in his stomach (according to Grandma). But he was an old navy man - so it must have been very early-on research. :D
  • Shane
    You have no idea how much this scares me. I work in the Biomedical Equipment field, but more and more equipment is either going wireless, or connected over a network, or both. Even the infusion pumps we have upload drug info wireless. What's next?
  • Wensday!!!
    Wow! If we make some giant one we could shut down every pacemaker in America and save the government millions with so many fewer pentions! Plus give quite a boost to the funeral buisness......

    Nobody likes the government anymore though, and coffins are already overpriced, so yeah, I'll go with what everyone else is saying; what an evil freak. (if he actually uses it)
  • SpoonGouge
    As the owner of a pacemaker and an AICD (Automatic Implanted Cardiac Defibrillator) I think this story is bullshit. True, there are new devices that can be reached via the radio but every device I've ever had (~approx 8 pacers and 4 AICD's in the past twenty years) could only be accessed by the radio antenna that need to be placed ON your chest AROUND or directly above the device (similar to invisble fence). So how were they able to do tricks with an old pacer the doctor was replacing? Don't think it's possible.
  • Quin
    The reason for the large, close antenna is because the doctors want to limit exposure. With everything in ideal positions and very close to the pacemaker, they can use a lot less power to broadcast the signal. The bad guys do not have this concern for the patients health.
  • fdas
    how to induce seizures? just watch old episodes of pokemon.
  • haynesjgator
    I am a heart patient who has a pacemaker and a student majoring in Computer Information Science. I have always wondered about this. Every year when I have my 'tune up' all the tech does is place a device with a radio sensor (size of a computer mouse), and a signal bar not unlike a cell phone indicates the connection to the computer. That is it. No passwords, no nothing, tap the touch panel and access my heat! ;-) I actually asked my doctor about security once and he said the range is very limited to communicate with the device preventing most issues and there are not passwords just in-case you are hit by a bus, heart attack, coma, etc.

    Also must people don't know that patients with pacemakers have devices that will send medical data back to there doctor via telephone. Place you phone on the machine, wear wrist bracelets to detect electrical activity, place provided magnet over pacemaker, and it will 'chirp' your data back to the 800 service and your doctor. I hope all this is done with read-only privileges to the pacemaker...
  • Kalief
    Nice. When can I buy the satellite version?
  • Scott
    This type of 'research', and the reporting of such 'research' is irresponsible, and extremely dangerous. Publishing dangerous stories such as this really calls into question a site's management and guidance. This issue has crossed many sites off my favorites list.
  • mitch
    Scott, you haven't read the above points? This kind of research is absolutely necessary. You can't predict whether a random RF-emitting gadget could trigger an unwanted change in the pacemaker. This research proves that there's a danger in leaving pacemakers unsecure, and now the pacemaker companies have a reason to make them secure: consumers know there's a danger. If you think the research is irresponsible and dangerous because now ONE OF THE BAD GUYS!!! is going to work out the same hack and kill a guy with a pacemaker - that's completely unrealistic. As Monsterbox said above, all it takes is a ham radio and a laptop to do this. If some BAD GUY wanted to do this, they would have figured it out a long time ago. The research isn't opening a door for murderers, it's closing a door for unintentional disruption of the device.

    Man, reading comments like yours always make me think there's a chance that the companies themselves are sending someone around to draw attention away from the importance of the article, so they don't have to do anything...
  • eric
    cheers
  • daniel
    Scott get your head out of the sand!

    Without research that pushes boundaries and questions accepted norms then there would be no progress: the manufacturers would continue to build sub-standard equipment if it meant protecting their bottom line (profits).

    Ignorance of a problem doesn't mean the problem doesn't exist and research that highlights such problems isn't irresponsible. The researchers involved attempted to work together with the manufacturers but they refused to help (because by doing so they would expose the flaws in their equipment and hurt company profits).
  • rayden54
    The research is necessary. Reporting the flaws before they've been fixed is just dumb.
  • Ervin Wright
    I have an ICD, question how can my ICD be protected? Would it reqire the wearing of a lead lined shirt or something like that?
  • Alcari
    So what's the problem? Just add a rotating 512 bit encryption key, so the odds of guessing it correctly are minute without actually getting your hands on said pacemaker before implantation. Make it react only to a very specific signal strength so it can only be interfaced with using special equipment and not just any radio.

    Problem solved. This is not that big a problem and can be solved for 20 dollars worth of electronics and 2 hours of work.
  • spammeblind
    Just a word of sanity for the moron researchers. If you read the paper carefully you'll see they have to be less than 5 centimeters from the device to make the connection. That means someone has to be standing in front, or behind you, with a sensing device placed upon your chest. The connection is inductive, to connect outside of the 5cm limit would require exponentially more power. I don't think anyone would survive the power source, let alone have a actively functioning device. They were very careful to hide the truth in the article, and the really funny part is one of the morons received $449,000 dollars for this "discovery". In simple terms they committed a replay attack, but again remember less than 5 centimeters.

    Simple answer is they are going to become famous because the press exaggerates to sell papers, and the researchers don't have the intelligence, or the morals, to correct them.
  • edsion007
    Hmmm.. why it has to do with twitter so much?
  • edhardy622
    UGGs became ubiquitous among Southern California surfers and Southern California downhill skiers, and from there, Uggs, which name comes from the Australian
    http://www.uggboots365.co.uk
  • kafhfk

    I think I will try to recommend this post to my friends and family, cuz it’s really helpful.
    Ugg Boots Sale

  • Pacemaker problems can rarely occur long after the implantation procedure. These "late" complications include generator failure (extremely rare), and lead failure (less rare). Lead failure can occur
  • Richard Johnson
    KILL DICK CHENEY NOW
  • Shhhh, don't warn him or he'll hide in his man-size safe.
  • DS3M
    Well lets hope he suffocates in there waiting for the invasion of Iran
  • Keaton
    I swear, that is EXACTLY what I thought when I read the article intro.
  • And kudos for that.
  • US Secret Service
    Smart move, punk.
  • Anonymous
    That joke was old a decade ago. Get a life
  • jimoaklandu
    what a DESPICABLE jerk you must be!!!!!!!
  • Anonymous
    Next time when you're at Wal-mart, get a sense of humor.
  • r. manhammer
    Is there something wrong with executing war criminals? Why do you hate America?