Defcon: Excuse me while I turn off your pacemaker

The Defcon conference is the wild and woolly version of Black Hat for the unwashed masses of hackers. It always has its share of unusual hacks. The oddest so far is a collaborative academic effort where medical device security researchers have figured out how to turn off someone’s pacemaker via remote control. They previously disclosed the paper at a conference in May. But the larger point of the vulnerability of all wirelessly-controlled medical devices remains a hot topic here at the show in Las Vegas.

Let’s not have a collective heart attack, at least not yet. The people on the right side of the security fence are the ones who have figured this out so far. But this has very serious implications for the 2.6 million people who had pacemakers installed from 1990 to 2002 (the stats available from the researchers). It also presents product liability problems for the five companies that make pacemakers.

Kevin Fu, an associate professor at the University of Massachusetts at Amherst and director of the Medical Device Security Center, said that his team and researchers at the University of Washington spent two years working on the challenge. Fu presented at Black Hat while Daniel Halperin, a graduate student at the University of Washington, presented today at Defcon.

Getting access to a pacemaker wasn’t easy. Fu’s team had to analyze and understand pacemakers for which there was no available documentation. Fu asked the medical device makers, explaining his cause fully, but didn’t get any help.

William H. Maisel, a doctor at Beth Israel Deaconess Hospital and Harvard Medical School, granted Fu access for the project. Fu received an old pacemaker as the doctor installed a new one in a patient. The team had to use complicated procedures to take apart the pacemaker and reverse engineer its processes. Halperin said that the devices have a built-in test mechanism which turns out to be a bug that can be exploited by hackers. There is no cryptographic key used to secure the wireless communication between the control device and the pacemaker.

A computer acts as a control mechanism for programming the pacemaker so that it can be set to deal with a patient’s particular defibrillation needs. Pacemakers administer small shocks to the heart to restore a regular heartbeat. The devices have the ability to induce a fatal shock to a heart.

Fu and Halperin said they used a cheap $1,000 system to mimic the control mechanism. It included a software radio, GNU Radio software, and other electronics. They could use that to eavesdrop on private data such as the identity of the patient, the doctor, the diagnosis, and the pacemaker instructions. They figured out how to control the pacemaker with their device.

“You can induce the test mode, drain the device battery, and turn off therapies,” Halperin said.

Translation: you can kill the patient. Fu said that he didn’t try the attack on other brands of pacemakers because he just needed to prove the academic point. Halperin said, “This is something that academics can do now. We have to do something before the ability to mount attacks becomes easier.”
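The missing piece the researchers point to is a key on the link between the control device and the pacemaker. The sketch below is an added example, not code from the paper or from any device maker: it shows a device-side check that accepts a command only when it carries a valid keyed tag and a fresh counter. The frame layout, opcode values and sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical opcodes, named after the actions quoted in the article.
OP_TEST_MODE = 0x01
OP_DISABLE_THERAPY = 0x02
TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumed frame layout)


def build_frame(key: bytes, counter: int, opcode: int, payload: bytes = b"") -> bytes:
    """Programmer side: counter (8 bytes) || opcode (1 byte) || payload || tag."""
    body = struct.pack(">QB", counter, opcode) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Device:
    """Device side: accepts a command only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0  # highest counter accepted so far

    def receive(self, frame: bytes) -> str:
        if len(frame) < 9 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad tag"
        counter, opcode = struct.unpack(">QB", body[:9])
        if counter <= self._last_counter:  # a recorded frame sent again
            return "reject: replay"
        self._last_counter = counter
        return f"accept: opcode {opcode:#04x}"


def demo() -> list:
    key = bytes(range(32))  # constructed sample key, not a real device key
    device = Device(key)
    genuine = build_frame(key, 1, OP_TEST_MODE)
    unkeyed = struct.pack(">QB", 2, OP_DISABLE_THERAPY) + bytes(TAG_LEN)
    wrong_key = build_frame(b"\x00" * 32, 2, OP_DISABLE_THERAPY)
    # The genuine frame is delivered twice to model a captured and re-sent command.
    return [device.receive(f) for f in (genuine, genuine, unkeyed, wrong_key)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

This covers command authenticity and replay only; the eavesdropping described above would additionally require the link to be encrypted.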

The disclosure at Defcon wasn’t particularly detailed, though the paper has all of the information on the hack. The crowd here is mostly male, young, with plenty of shaved heads, tattoos and long hair. The conference is a cash-only event where no pictures are allowed without consent. It draws thousands more people from a much wider net of security researchers and hackers than the more exclusive Black Hat.

Similar wireless control mechanisms are used for administering drugs to a patient or other medical devices. Clearly, the medical device companies have to start working on more secure devices. Other hackers have figured out how to induce epileptic seizures in people sensitive to light conditions. The longer I stay at the security conferences here in Las Vegas, the scarier it gets.
