Forgot your password?
typodupeerror
Security Medicine News

Researcher Reverse-Engineers Pacemaker Transmitter To Deliver Deadly Shocks 216

Posted by Soulskill
from the cheerful-news-of-the-day dept.
Bismillah writes "Pacemakers seem to be hackable now too, if researcher Barnaby Jack is to be believed. And the consequences of that are deadly. Anonymous assassinations within 30 feet of the pacemaker seem to be possible. From the article: 'In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he issued a series of 830 volt shocks to the pacemaker using a laptop. The pacemakers contained a "secret function" which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30 foot -plus vicinity. ... In reverse-engineering the terminals – which communicate with the pacemakers – he discovered no obfuscation efforts and even found usernames and passwords for what appeared to be the manufacturer’s development server. That data could be used to load rogue firmware which could spread between pacemakers with the "potential to commit mass murder."'"
This discussion has been archived. No new comments can be posted.

Researcher Reverse-Engineers Pacemaker Transmitter To Deliver Deadly Shocks

Comments Filter:
  • by DikSeaCup (767041) on Wednesday October 17, 2012 @07:15AM (#41679777) Homepage
    Shocking!
    • by dkleinsc (563838) on Wednesday October 17, 2012 @07:20AM (#41679795) Homepage

      I'm shocked, shocked!%N#)NO CARRIER

    • by shiftless (410350) on Wednesday October 17, 2012 @07:38AM (#41679901) Homepage

      ...the state of computer "engineering" is complete and utter shit if a fucking pacemaker can be hacked and compromised? What the mother fuck? Are you fucking kidding me? Shouldn't those be among the best designed, safest, most reliable and secure of devices? God help us all. Just wait until they drag us into this war with Iran here soon, and China and Russia decide to team up to end our bullshit and we end up descending into WW3.

      Can you imagine the utter chaos in the U.S. when all our magic electronic boxes suddenly stop working, or worse, work silently behind our backs to sabotage and/or kill us? According to another /. article, it's 300+ days on average (sometimes years) between the finding of a typical "zero day" exploit and when it was actually found (kept hidden, and potentially exploited) by attackers. Who wants to bet money China and Russia both have teams of hackers dedicated to finding exploits for all common software and systems in the U.S., extensively documenting and writing code against them, nicely sorting and tabulating it all out and filing it away in an archive, then keeping this info close at hand at all times for when the right opportunity presents itself?

      Right now we are more vulnerable than ever. Hands up: who here is looking forward to jumping into a world war with both feet, then being surprised by how much we don't know about our own security vulnerabilities, learning the hard way from powerful foreign countries that just might kick our asses, or at the very least cause massive damage (bombing, etc) to the mainland U.S.? We're learning now that pacemakers have huge gaping security holes. Holy fucking Christ. What else is out there waiting to be compromised and exploited?

      • by mwvdlee (775178) on Wednesday October 17, 2012 @07:43AM (#41679925) Homepage

        Holy fucking Christ. What else is out there waiting to be compromised and exploited?

        Your sanity?

        • Re: (Score:2, Flamebait)

          by Chrisq (894406)

          Holy fucking Christ. What else is out there waiting to be compromised and exploited?

          Your sanity?

          Your dildo?

      • by thedonger (1317951) on Wednesday October 17, 2012 @08:39AM (#41680369)

        Shouldn't those be among the best designed, safest, most reliable and secure of devices?

        I'm surprised they would allow remote access without a direct connection. It's vulnerable enough in that it relies on electronic timing and can be affected by external electromagnetic forces; but, to make it accessible via wireless/RF/whatever just seems like a bad idea through and though.

        • I'm surprised they would allow remote access without a direct connection. It's vulnerable enough in that it relies on electronic timing and can be affected by external electromagnetic forces; but, to make it accessible via wireless/RF/whatever just seems like a bad idea through and though.

          AFAIK, wireless access was designed in so doctors can tweak the settings without having to cut into the patient to make a wired connection.

      • by MarkGriz (520778) on Wednesday October 17, 2012 @08:51AM (#41680473)

        utter shit if a fucking pacemaker
        What the mother fuck?
        Are you fucking kidding me?
        end our bullshit and we end up descending into WW3.
        work silently behind our backs to sabotage and/or kill us?
        powerful foreign countries that just might kick our asses
        Holy fucking Christ.

        Ask your doctor if Xanax is right for you

      • "...the state of computer "engineering" is complete and utter shit if a fucking pacemaker can be hacked and compromised?"

        While I don't know the details of this, I don't think you can claim that computer "engineering" is complete and utter shit because it's possible to do bad things that will kill people.

        The vast majority of cars have wheel nuts that are accessible and use a standard spanner to remove. This is a real threat - cars with expensive wheels now typically use locking wheel nuts - but what you don'

      • by dywolf (2673597)

        God help all those poor soldiers on the front lines with pacemakers.... ...

        oh wait...

      • by cdrguru (88047)

        The clear answer is that security has been an afterthought and still is for the most part. There is also the rather idealistic notion that such things are utterly beneath humans to do. What we have found on the Internet is pretty much nothing is "beneath" humans. If someone can get away with doing some mischief, they might do it. If they can do it anonymously, it is almost a dead certainty someone is going to do it if for no other reason than for laughs or bragging rights.

        We are clearly starting to see

        • We are clearly starting to see the dark underside of humanity. The Internet has allowed a huge amount of anonymous and pseudo-anonymous activity and this has pretty much turned over the rock so everyone can see the squishy, many-legged stuff that is buried in the human psyche.

          "Starting to see"? No offense, cdrguru, but you sound like someone who has never read any history. All of that squishy, many-legged stuff has been happily striding across the breadth and scope of human experience for some time now. Arguably, since we've been human. (And by some accounts, much longer than that even -- pretty much all of humanity's ugly behaviours have clear predecessors / analogs in other primate species.)

          Cheers,

      • if a fucking pacemaker can be hacked and compromised [...] God help us all. Just wait until they drag us into this war with Iran here soon, and China and Russia decide to team up to end our bullshit and we end up descending into WW3.

        Can you imagine the utter chaos in the U.S. when all our magic electronic boxes suddenly stop working, or worse, work silently behind our backs to sabotage and/or kill us?

        I'd like to propose a new logical fallacy, the "Fireman Bill [google.com]" fallacy.

        That's where you start with a problem and predict a series of possible - but highly unlikely - events which lead to total catastrophe.

        I don't see it on the Lofical Fallacy Bingo card [lifesnow.com]. (Some are close or have similar characteristics, but none address the complete goofiness of the argument.)

        Where does one go to register these things?

      • In the USA, there are plenty of people - millions actually - who have the means to kill anyone wearing a pacemaker quite easily. These people are called "gun owners". Now the number has increased by one - some idiot hacker who figures out how to hack into the pacemaker software. So what has changed?
        • by TheCarp (96830) <sjc@nospAm.carpanet.net> on Wednesday October 17, 2012 @12:15PM (#41683289) Homepage

          Yes but, there are consequences. When someone gets shot, investigations happen, people with motive are questioned. Mode of death and circumstances affect alot.

          As an example, I have some friends with a farm and a good amount of land behind it. They have a camping ground for events and a number of structures etc in the woods from the many many years of farm and other uses.

          They allowed someone that was going through hard times to stay in their woods, living in one of the primitive stuctures. He helped out at the farm, feeding the animals. One day, they noticed the animals hadn't been fed, later on, they went out to check on him.... he had attempted to kill himself, but was still barely alive.

          The parametics and police were decidedly unhappy about having to head out into the woods....but did tell my friends that its a really good thing that they found him when they did, because if he had died, and they came to find the dead body, the investigation would have been a very different matter, whereas, since he was (even if just barely) alive when the police arrived, they could just call it an accidental OD or possible suicide and not have to investigate.

          Now, if it were a gunshot?... you know they would investigate. However.... guy with a pacemaker has a heart attack? Thats natural causes man.

          This could have happened already, many times over, and nobody would be any wiser.... no need to investigate such an "obvious" death.

        • In the USA, there are plenty of people - millions actually - who have the means to kill anyone wearing a pacemaker quite easily. These people are called "gun owners". Now the number has increased by one - some idiot hacker who figures out how to hack into the pacemaker software. So what has changed?

          Don't forget the 10s of millions of car owners.

      • by T.E.D. (34228)
        This is why I have always absolutely refused to interview for biomedical jobs that use C. For stupid GUI's, fine use an insecure bug-prone language, but for God's sake not when human life is on the line. I will have no part in that.
        • Meanwhile, the Jet Propulsion Laboratory at NASA (among many other companies which need life-critical applications) have been writing in C using the VXWorks Real Time Operating System for decades. Why? Well, definitely not because it's an "insecure bug-prone language". The bug-prone languages are the high level languages you probably are suggesting we use instead, which, instead of causing user error, have undefined behaviour, internal implementation bugs, and often many layers of godawful code. Good C is p
  • by Errol backfiring (1280012) on Wednesday October 17, 2012 @07:16AM (#41679779) Journal

    ... he discovered no obfuscation efforts and even found usernames and passwords ...

    How come such pacemakers were ever approved by the FDA?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Because the FDA doesn't care about security. It's not in their mission or charter, and they don't test for it. Hopefully with issues such as this, that issue will be rectified.

      • by Anonymous Coward on Wednesday October 17, 2012 @07:42AM (#41679923)

        Because the FDA doesn't care about security. It's not in their mission or charter, and they don't test for it. Hopefully with issues such as this, that issue will be rectified.

        Uh, not their mission or charter? Care to tell me exactly what the fuck their mission and charter is, if it's somehow not trying to keep citizens safe from products produced by companies with crystal-clear motives (greed, profit), driven by executives with less-than-average morals?

        Computer security may not specifically be their primary mission, but product security sure as hell is. And if it's not, then dismantle the whole damn organization, because clearly what the public thinks they do, and what they actually exist for, are two completely different things.

        • I worked for a company that does medical test (for the approval of new medicines) and there were quite a few rules for writing the software needed. This is "secondary" software in the sense that it only captures data and no life depends on it directly. I would expect unencrypted communication channels to prosthetics to be severely outlawed.
        • by cdrguru (88047)

          It takes a real paranoid person to think that someone would "just for fun" want to hack into a pacemaker. We haven't gotten over the idea that people are generally good and nobody would want to do this, even if they could.

          The truth is that if you could kill someone with a mouseclick, you might - I don't care who you are, that is just the way people are in reality. We have operated under the assumption that "nobody would do this" for far too long.

        • The purpose of the FDA is to keep the profits of the pharmaceutical industry high. And nothing else.

          FDA, for example, has entirely skipped on regulating "supplements". No matter their claims or effects, as long as they don't contain restricted substances.

          • And to add to that point:

            People dying is very bad advertising for new medications, so FDA has an interest in preventing that. However, if someone else can be blamed for the death - or if it causes symptoms that can be treated or reversed - suddenly FDA cares much less.

            Because if someone hacks a pacemaker the death can be blamed squarely on the hacker and FDA's hands are clean. Despite letting a dangerous, hackable pacemaker enter the market.

            In many ways, FDA approval resembles a brand. And I suppose in that

          • FDA, for example, has entirely skipped on regulating "supplements". No matter their claims or effects, as long as they don't contain restricted substances.

            Talk to Congress(ask for Tom Harkin(D-IA) and Orrin Hatch(R-UT) in particular. Harkin appears to be a True Believer and gets some nice campaign cash from Herbalife, Hatch? Well, let's just say that Utah has a thing [nytimes.com] for 'supplements'.).

            The "Dietary Supplement Health and Education Act of 1994’’ [gpo.gov] says that the FDA can't do jack about 'supplements', aside from some basic manufacturing standards stuff, unless they get enough adverse event reports to satisfy the burden of proof(on them) and

        • by Rich0 (548339)

          Certainly part of their mission, but quality in the FDA realm has a peculiar definition. Quality is measured by presence/absence of paperwork for the most part. Sure, there are guides on what kinds of paperwork need to exist, but for the most part the FDA is much better at finding issues with the paperwork that is there than they are with finding issues with the paperwork that isn't there.

          Most FDA types are doctors or scientists or such. You don't really get people thinking in terms of computer security.

    • by cultiv8 (1660093) on Wednesday October 17, 2012 @07:56AM (#41680019) Homepage
      This has been known since at least 2008 [secure-medicine.org]. The Economist has an interesting article about the FDA slowly moving towards open source medical devices [economist.com] to improve the overall security and reliability of software in medical devices.
      • Even the fact that an internal organ has or needs wireless capabilities baffles me. There are so many ways to abuse them! You can be tracked, for instance. Does Google have all the details of the pacemakers among the router data? Why not create a plug just under the skin so it is easily reached when needed? Wireless pacemakers literally are an unnecessary evil.
        • by RobinH (124750)
          Actually the benefit of wireless is absolutely obvious: you can monitor battery levels, even update firmware in the event of a serious bug, without doing surgery, and without having wires protruding through the skin (which is itself a major infection risk).
          • by aXis100 (690904) on Wednesday October 17, 2012 @08:58AM (#41680543)

            Yeah, but there's a difference between short range wireless (several cm) and long range (10's of metres) that makes a huge difference to the possible attach vectors.

            • Yeah, but there's a difference between short range wireless (several cm) and long range (10's of metres) that makes a huge difference to the possible attach vectors.

              But since the attacker isn't worried about getting his hacked programming device approved, he's free to boost the amplifier and/or antenna gain on his end, or any other tweak he can come up with to increase the effective range.

              • he's free to boost the amplifier and/or antenna gain on his end

                This is why I was fairly shocked (:wince:) when Dick Cheney very publicly got a remotely programmable pacemaker while he was in office. We'd just read stories about bluetooth being beamed over something like a kilometer at the time.

            • Yeah, but there's a difference between short range wireless (several cm) and long range (10's of metres) that makes a huge difference to the possible attach vectors.

              There actually isn't a fundamental difference between short-range and long-range wireless: its all broadcast, and range depends on both the the sensitivity of the receiver and the power of the transmitter. You can't make a system "short-range only" when you control only one endpoint.

    • by gweihir (88907)

      The FDA is clueless, susceptible to coercion and no competent independent security review was ever done.

  • a series of 830 volt shocks from the pacemaker

  • I'm sure the developer was thinking, "Who would even think of trying to hack a pacemaker? Who would even want to?"

    Unfortunately, it only takes one sociopath.

    • I'm sure the developer was thinking, "Who would even think of trying to hack a pacemaker? Who would even want to?"

      Unfortunately, it only takes one sociopath.

      Yeah, but there are a lot of developers are sociopaths. Fortunately one of the people who discovered this went public with the information.

    • Or just a common hacker who likes to mess with stuff. People have been finding ways to modify the ECM calibrations in cars for years, although until recently it hasn't been wireless capable.

      So, Bobby, you're pretty good with the computers, right? Could you make the old ticker run a bit stronger for a while? Ya see, old man Johnson's been telling all the dames down at the retirement home all about how he keeps lapping me around the mall. I just need, you know, a little boost.

    • No, sorry this is just completely insane. Under no circumstances should this have been possible, at all, ever. How many senior politicians and CEOs have pacemakers? Something sounds like it went very wrong in the engineering, development, or management departments, or maybe all three.

      • No, sorry this is just completely insane. Under no circumstances should this have been possible, at all, ever. How many senior politicians and CEOs have pacemakers? Something sounds like it went very wrong in the engineering, development, or management departments, or maybe all three.

        Think your statement through a couple more times. With emphasis on "CEO" and "politician".

        Did something go wrong? Really?

    • Unfortunately, it only takes one sociopath.

      Or an advertising company (for tracking). Or a supermarket. Or...

    • I'm sure the developer was thinking, "Who would even think of trying to hack a pacemaker? Who would even want to?" Unfortunately, it only takes one sociopath.

      Think about intelligence agencies and secret service. The same people that already killed with Polonium poisoning in the past, for instance.
      It's a very clean and safe way to dispose of someone after all: who can tell it from a real heart attack after the fact?

    • by skids (119237)

      Unfortunately, it only takes one sociopath.

      ...or one particularly loathsome patient.

    • Or...an heir or business partner.

  • Crank 3 (Score:5, Funny)

    by revelation60 (2036940) on Wednesday October 17, 2012 @07:31AM (#41679855)
    Sounds like it could be the plot of the new Crank movie!
  • Dick Cheney (Score:3, Funny)

    by inode_buddha (576844) on Wednesday October 17, 2012 @07:45AM (#41679941) Journal

    Dick Cheney has a pacemaker...

  • by StefanSavage (454543) on Wednesday October 17, 2012 @08:31AM (#41680301)

    Seems like this was demonstrated four years ago, no?

    Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.
    D. Halperin, T.S. Heydt-Benjamin, B. Ransford, S.S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W.H. Maisel.
    IEEE Symposium on Security and Privacy, May 18-21, 2008.

    See: http://www.secure-medicine.org/icd-study/icd-study.pdf [secure-medicine.org]

  • by coinreturn (617535) on Wednesday October 17, 2012 @08:38AM (#41680361)
    Tin foil vest.
  • Sounds like a fun mission or mini-game for a future Assassins Creed title. Maybe you invade a Templar nursing facility and need to kill them without being detected.

    *Lock-on target*

    *BZZZZ-BZZZZ*

    "Requiescat in pace."

  • by Smerta (1855348) on Wednesday October 17, 2012 @08:51AM (#41680493)
    (1) It was most likely an ICD (or pacemaker/ICD combination), not a pacemaker.

    Pacemakers are used to establish a regular heartbeat (pacing) at a specific interval. Implantable Cardiac Defibrillators (ICDs) are used to deliver high-voltage shocks at a precise moment in time to stop an arrhythmia. Delivered at exactly the wrong time, this can induce an arrhythmia.

    (2) "he issued a series of 830 volt shocks to the pacemaker using a laptop". Sorry pal, thanks for playing, hit the bricks, you're done. The ICD (not pacemaker) is the one issuing the shocks. At least the voltage level sounds about right. All of this starting from a ~3V battery too.

    The wireless interfaces (telemetry) into pacemakers and ICDs are notoriously insecure, from all major device manufacturers. They are playing catch up now. Believe me, there is a lot of heartburn (no pun intended) in the ranks of corporate/executive management in the device companies when it comes to this topic.

    A couple points worth remembering:

    (1) These devices have very long lifetimes. The typical implant is expected to last 6-10 years (usually the battery is the limiting factor). So there are people walking around with devices in them with security problems from 10 years ago in some cases.

    (2) It takes a tremendous amount of money to develop a new device in this class. All the testing, certification, trials, etc. The electronics and firmware are incredibly optimized for their specific function, the test suites are massive, the verification & validation processes are lengthy.

    (3) Regarding (1) above about 10 year old firmware - essentially all devices support near-range telemetry, which allows a physician / tech within physical proximity (a few inches) to download logs about what events the device has seen / experienced. It also allows the device to be updated with firmware patches. Having been around this enough in different places, I'm pretty confident saying that it's always in the form of patches, as opposed to wholesale forklift updates.

    Patches aren't just pushed out like Firefox releases, even the smallest one is a massive amount of effort -- even if the change is a one-line change in code. And more importantly, any patch requires the patient to visit the physician, the physician to be up to date on patches & warnings, etc.. I've seen data first-hand from 2 device manufacturers showing the distribution of devices & updates in the field, and believe me, not everyone is anywhere near up to date. Actually, it probably looks a lot like the Firefox version distribution...

    • by dubdays (410710)

      Delivered at exactly the wrong time, this can induce an arrhythmia.

      No kidding. That asystole arrhythmia is a real bitch.

  • Wasn't this the plot of a recent Doctor Who episode? [wikipedia.org]

  • Love the fact that my targetted advertising at the top of the page was for defibshop.co.uk - "Need a defibrillator..."
  • This sounds like a plot for an episode of Pinky and the Brain.

  • by kfogel (1041) on Wednesday October 17, 2012 @09:56AM (#41681247) Homepage

    Hackable medical devices are a known problem -- there's a great paper on it from Karen Sandler, at that time at the Software Freedom Law Center (she's given OSCON talks about it too):

    Killed by Code: Software Transparency in Implantable Medical Devices [softwarefreedom.org]

    And the SFLC's announcement / summary of the paper:

    Software Defects in Cardiac Medical Devices are a Life-or-Death Issue [softwarefreedom.org]

  • 12 years too late...

  • DNS (Score:4, Funny)

    by ThatsNotPudding (1045640) on Wednesday October 17, 2012 @12:05PM (#41683149)
    Anybody got Dick Cheney's IP address? Just curious; totally unrelated to this story. Honest.

For every bloke who makes his mark, there's half a dozen waiting to rub it out. -- Andy Capp

Working...