Yes, You Can Hack a Pacemaker (and Other Medical Devices Too)


Photo Credit: Bloomberg. Barnaby Jack demonstrates an insulin pump attack on a mannequin.

On Sunday’s episode of the Emmy award-winning show Homeland, the Vice President of the United States is assassinated by a group of terrorists that have hacked into the pacemaker controlling his heart. In an elaborate plot, they obtain the device’s unique identification number. They then are able to remotely take control and administer large electrical shocks, bringing on a fatal heart attack.

Viewers were shocked – many questioned whether something like this was possible in real life. In short: yes, although the part about the attacker being halfway across the world is questionable. For years, researchers have been exposing enormous vulnerabilities in internet-connected implanted medical devices.

There are millions of people who rely on these brilliant technologies to stay alive. But as we put more electronic devices into our bodies, there are serious security challenges that must be addressed. We are familiar with the threat that cyber-crime poses to the computers around us – however, we have not yet prepared for the threat it may pose to the computers inside of us.

Implanted devices have been around for decades, but only in the last few years have these devices become virtually accessible. While they allow doctors to collect valuable data, many of these devices were distributed without any type of encryption or defensive mechanisms in place. Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates. One of the greatest constraints on adding security features is the very limited amount of battery power available.

Thankfully, there have been no recorded cases of a death or injury resulting from a cyber attack on the body. All demonstrations so far have been conducted for research purposes only. But if somebody decides to use these methods for nefarious purposes, it may go undetected.

Marc Goodman, a global security expert and the track chair for Policy, Law and Ethics at Singularity University, explains just how difficult it is to detect these types of attacks. “Even if a case were to go to the coroner’s office for review,” he asks, “how many public medical examiners would be capable of conducting a complex computer forensics investigation?” Even more troubling, Goodman points out, “The evidence of medical device tampering might not even be located on the body, where the coroner is accustomed to finding it, but rather might be thousands of kilometers away, across an ocean on a foreign computer server.”

Since knowledge of these vulnerabilities became public in 2008, there have been rapid advancements in the types of hacking successfully attempted.

The equipment needed to hack a transmitter used to cost tens of thousands of dollars; last year a researcher hacked his insulin pump using an Arduino module that cost less than $20. Barnaby Jack, a security researcher at McAfee, in April demonstrated a system that could scan for and compromise insulin pumps that communicate wirelessly. With a push of a button on his laptop, he could have any pump within 300 feet dump its entire contents, without even needing to know the devices’ identification numbers. At a different conference, Jack showed how he reverse engineered a pacemaker and could deliver an 830-volt shock to a person’s device from 50 feet away – which he likened to an “anonymous assassination.”

There have also been some fascinating advancements in the emerging field of security for medical devices. Researchers have created a “noise” shield that can block out certain attacks – but have strangely run into problems with telecommunication companies looking to protect their frequencies. There have been discussions of using ultrasound waves to determine the distance between a transmitter and a medical device to prevent far-away attacks. Another team has developed biometric heartbeat sensors to allow devices within a body to communicate with each other, keeping out intruding devices and signals.

But these developments pale in comparison to the enormous difficulty of protecting against “medical cybercrime,” and the rest of the industry is falling badly behind.

In hospitals around the country there has been a dangerous rise of malware infections in computerized equipment. Many of these systems are running very old versions of Windows that are susceptible to viruses from years ago, and some manufacturers will not allow their equipment to be modified, even with security updates, partially due to regulatory restrictions. A solution to this problem requires a rethinking of the legal protections, the loosening of equipment guidelines, as well as increased disclosure to patients.

Government regulators have studied this issue and recommended that the FDA take these concerns into account when approving devices. This may be a helpful first step, but the government will not be able to keep up with the fast developments of cyber-crime. As the digital and physical worlds continue to come together, we are going to need an aggressive system of testing and updating these systems. The devices of yesterday were not created to protect against the threats of tomorrow.

Discussion — 5 Responses

  • turtles_allthewaydown December 13, 2012 on 10:12 pm

    My previous project was writing the embedded software for an external defibrillator. This unit would be very difficult to hack; it only responded to button presses and had several safeguards. It’s a Class III medical device, meaning it can kill a patient if an error occurs, so the FDA regulations are quite thorough, although they’re tailored less for being hacker-proof and more to make sure the doctor or technician is holding the paddles and intending to use it, not somehow accidentally going off.

    An implanted pacemaker/defibrillator is considerably different (no operator manually controlling it). What’s not described in the article or by Barnaby Jack is that this attack would require detailed knowledge of the device and how it works, and almost certainly a sample device that you can spend several months playing around with in preparation. It’s not like hacking into a Windows PC. Each device is different and the commands vary by manufacturer and model. Once you’ve done this legwork though, then it would be fairly easy to do it when and where you wanted. If you want to kill a person, there are easier ways. If you want it to be untraceable and have the resources (like in an assassination) this is a potential route.

    Okay, a couple things wrong with this sentence: “Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates.”
    1) firmware (embedded software) updates can occur wherever the medical device is. A change to the hardware however requires a surgery.
    2) medical devices per se are not ‘embedded’ inside the body, but “implanted” devices are. The term ‘embedded’ is usually used to describe software/firmware that’s built into a device, as opposed to ‘application’ software in a PC.

    830 volts is pretty standard for a defibrillation shock. What matters is the current and milliseconds that it is applied, that determines the Joules that is delivered. An external defibrillator may deliver 200 Joules, an implanted one 50 J or less. (Joules = Watts * time, Watts = Volts * Amps). This is used to put the heart back into a healthy rhythm, but it can also be used to knock it out of a healthy rhythm, potentially leading to cardiac arrest.

  • Robert Schreib December 16, 2012 on 4:20 pm

    Well, with the fantastic advances in intelligent microchips, we could give all the implanted medical devices an in-house ‘Doctor’, who could evaluate and reject an attempt to hijack a pacemaker even if it’s hacked.