In 2008, over one thousand people experienced the world’s first virtual web conference. Together, we created a new type of conference that is environmentally-friendly, affordable, and interactive.

In 2009, we are going to take it one step further.

Wear a pacemaker? Be nice to hackers ‘cos they can kill you.

This is crazy: According to VentureBeat, "medical device security researchers have figured out how to turn off someone’s pacemaker via remote control."

What I found most worrying was this passage:

the devices have a built-in test mechanism which turns out to be a bug that can be exploited by hackers. There is no cryptographic key used to secure the wireless communication between the control device and the pacemaker.

The team can apparently turn off treatment wirelessly, thereby killing the patient.

The disclosure at Defcon wasn’t particularly detailed, though the paper has all of the information on the hack.

I find it unbelievable that a device as mission-critical as a pacemaker uses security through obscurity.

This should explode onto the mainstream news shortly.

Creative Commons LicenseThe Wear a pacemaker? Be nice to hackers ‘cos they can kill you. article by Aral Balkan, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 2.0 UK: England License.

Post Metadata

Date
August 9th, 2008

Author
Aral

Category
General

Tags

Trackback URI

Comments RSS


5 Comments


  1. Ronny
    1

    Wow! I first thought you’re kidding…
    I wonder how they will fix that…
    Bush doesn’t happen to be wearing one of those? :p

    August 9th, 2008 at 11:12 am


  2. Jane
    2

    Pacemakers at the moment can contain information about the patient which can be accessed by hospitals and which can help identify the patient if they’re not conscious after an accident or similar. If you were to encrypt all the information, you’d need to ensure that all the readers could decrypt the information in case of emergency, which would mean having separate keys for each pacemaker manufacturer.

    An interesting technical challenge :
    1) prevent unauthorised sources from “tampering” with the settings of the pacemaker - i.e. bpm at which to fire etc
    2) allow access to salient patient information to allow identity and serious allergy/patient records of importance to still be available
    3) ensure that the lifetime of a pacemaker battery isn’t impacted - 10 - 15 years is the current average

    August 9th, 2008 at 1:51 pm


  3. Aral
    3

    @Jane: Separating the information from the controls and encrypting the controls should be the first step. There’s a huge difference between being able to read someone’s information and killing them. :) Data privacy is IMHO, relatively speaking, not that big a concern and could be left unencrypted in the short-term at least.

    August 9th, 2008 at 5:42 pm


  4. Gareth Rodger
    4

    That’s incredibly stupid.

    Give the pacemaker a serial number and store the data just like all other medical data - in a database somewhere.

    Surely the data can then be kept updated as-well.

    As for turning the blinking thing off, add encryption as you say then store the key in the patients medical logs.

    I can’t quite understand how this was not thought of during the design or even development stages.

    August 9th, 2008 at 5:58 pm


  5. Jason The Saj
    5

    While many would probably not die if their pacemakers were turned off. It’s more there to help keep pace. Aid could probably be given to most in a timely fashion.

    Many pacemakers also have built in defibrillators to shock the heart if it stops. If one could hack such pacemakers and trigger the defib, that oculd very likely kill someone.

    Quite scary, but I’ve long suspected pacemakers to be a weakness.

    - The Saj

    August 11th, 2008 at 3:01 pm

Leave a Reply

Local SDK _does not_ emulate deployment environment quotas
Regular expressions: repeating a capturing group and making the inner group non-repeating