Researcher Reverse-Engineers Pacemaker Transmitter To Deliver Deadly Shocks

Bismillah writes "Pacemakers seem to be hackable now too, if researcher Barnaby Jack is to be believed. And the consequences of that are deadly. Anonymous assassinations within 30 feet of the pacemaker seem to be possible. From the article: 'In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he issued a series of 830 volt shocks to the pacemaker using a laptop. The pacemakers contained a "secret function" which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30 foot -plus vicinity. ... In reverse-engineering the terminals – which communicate with the pacemakers – he discovered no obfuscation efforts and even found usernames and passwords for what appeared to be the manufacturer’s development server. That data could be used to load rogue firmware which could spread between pacemakers with the "potential to commit mass murder."'"

Re:Function creep...?

[richardcavell]

Cardiologists commonly communicate electronically with the pacemaker after its insertion to adjust numerous parameters of its function. The pacemaker can also deliver information to the cardiologist about its usage history, battery state, etc. (Doctor) Richard Cavell

Re:Vulnerability in pacemaker firmware?

[durrr]

There's pacemakers that only do the pacing.
There's ICDs; Implantable cardioverter-defibrillators that restores proper rythm after detecting arrythmias.
And there's combinations of the two. Most likely the pacemaker in question here is a combination device or they're actually talking about ICDs and not pacemakers.

A classic heart attack involves blocking of coronary arteries however and a defibrillator won't do shit for that. Defibrillations are made to terminate an arrythmic beat and restore the normal sinus rythm.

Re:Why are these approved?

[cultiv8]

This has been known since at least 2008 [secure-medicine.org]. The Economist has an interesting article about the FDA slowly moving towards open source medical devices [economist.com] to improve the overall security and reliability of software in medical devices.

Hmmm... sounds familiar

[StefanSavage]

Seems like this was demonstrated four years ago, no?

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.
D. Halperin, T.S. Heydt-Benjamin, B. Ransford, S.S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W.H. Maisel.
IEEE Symposium on Security and Privacy, May 18-21, 2008.

See: http://www.secure-medicine.org/icd-study/icd-study.pdf [secure-medicine.org]

Herp Derp article author

[Smerta]

(1) It was most likely an ICD (or pacemaker/ICD combination), not a pacemaker.

Pacemakers are used to establish a regular heartbeat (pacing) at a specific interval. Implantable Cardiac Defibrillators (ICDs) are used to deliver high-voltage shocks at a precise moment in time to stop an arrhythmia. Delivered at exactly the wrong time, this can induce an arrhythmia.

(2) "he issued a series of 830 volt shocks to the pacemaker using a laptop". Sorry pal, thanks for playing, hit the bricks, you're done. The ICD (not pacemaker) is the one issuing the shocks. At least the voltage level sounds about right. All of this starting from a ~3V battery too.

The wireless interfaces (telemetry) into pacemakers and ICDs are notoriously insecure, from all major device manufacturers. They are playing catch up now. Believe me, there is a lot of heartburn (no pun intended) in the ranks of corporate/executive management in the device companies when it comes to this topic.

A couple points worth remembering:

(1) These devices have very long lifetimes. The typical implant is expected to last 6-10 years (usually the battery is the limiting factor). So there are people walking around with devices in them with security problems from 10 years ago in some cases.

(2) It takes a tremendous amount of money to develop a new device in this class. All the testing, certification, trials, etc. The electronics and firmware are incredibly optimized for their specific function, the test suites are massive, the verification & validation processes are lengthy.

(3) Regarding (1) above about 10 year old firmware - essentially all devices support near-range telemetry, which allows a physician / tech within physical proximity (a few inches) to download logs about what events the device has seen / experienced. It also allows the device to be updated with firmware patches. Having been around this enough in different places, I'm pretty confident saying that it's always in the form of patches, as opposed to wholesale forklift updates.

Patches aren't just pushed out like Firefox releases, even the smallest one is a massive amount of effort -- even if the change is a one-line change in code. And more importantly, any patch requires the patient to visit the physician, the physician to be up to date on patches & warnings, etc.. I've seen data first-hand from 2 device manufacturers showing the distribution of devices & updates in the field, and believe me, not everyone is anywhere near up to date. Actually, it probably looks a lot like the Firefox version distribution...

Re:Well I'm convinced it's true

[Hank the Lion]

I built a stun gun capable of generating 900,000 volts on-demand out of a few dollars worth of parts and a 9 volt battery, and it fits in the palm of your hand

900V or 9 kV I would believe, 900 kV not so much.
You would need creeping distances of more than 300 mm just to prevent arcing and making the voltage collapse before it even reached the 900 kV.
"900 kV" and "fits into the palm of your hand" are mutually exclusive, I think.
(and yes, I've designed and built multi-kV devices myself)

See Karen Sandler's work on this issue.

[kfogel]

Hackable medical devices are a known problem -- there's a great paper on it from Karen Sandler, at that time at the Software Freedom Law Center (she's given OSCON talks about it too):

Killed by Code: Software Transparency in Implantable Medical Devices [softwarefreedom.org]

And the SFLC's announcement / summary of the paper:

Software Defects in Cardiac Medical Devices are a Life-or-Death Issue [softwarefreedom.org]

Re:Isn't it plain and obvious...

[Jack9]

> Then maybe you need to go work for a body piercer, who has more than enough experience installing hardware into people without so much risk of infection.

The epidermis is highly resistant to infection compared to internal organ tissue which largely has no nerves and no significant way to deal with infection. The primary cause of death for cardiac surgery patients is infection.

> Pretty sad a piercer would have more experience than someone that supposedly worked for a medical device manufacturer.

The sad part is your ignorance.