Saturday, August 9, 2008

Hacking Pacemakers

Medtronic Marquis DR ICD, Photo: Medtronic, Inc.

According to Cory Doctorow at boingboing and Dean Takahashi at VentureBeat, a paper (pdf) was presented at Black Hat and Defcon in Las Vegas Thursday on the vulnerability of implantable cardioverter-defibrillators (ICDs), specifically a Medtronic Maximo DR VVE-DDDR model #7278. According to Takahashi:

Fu and Halperin said they used a cheap $1,000 system to mimic the control mechanism. It included a software radio, GNU radio software, and other electronics. They could use that to eavesdrop on private data such as the identity of the patient, the doctor, the diagnosis, and the pacemaker instructions. They figured out how to control the pacemaker with their device.

“You can induce the test mode, drain the device battery, and turn off therapies,” Halperin said.

Translation: you can kill the patient. Fu said that he didn’t try the attack on other brands of pacemakers because he just needed to prove the academic point. Halperin said, “This is something that academics can do now. We have to do something before the ability to mount attacks becomes easier.”

This isn't new news. The basic idea was around the Intartubes in March. The same paper was presented at a conference in May, according to Takahashi.

It's fascinating to me that the people who build ICDs haven't started to add some kind of security to them. They are basically embedded microcontrollers and could have anything from a 4-digit PIN to full RSA encryption. Instead, device companies seem to have relied upon "security through obscurity" (not publishing the communication protocols) and the belief that the wireless range of an ICD is limited to inches or feet, not yards or kilometers.

Well, Bluetooth networking is allegedly limited to 10m, and people build "bluetooth sniper rifles" capable of detecting devices at 3/4 miles.

How long before someone creates an "ICD sniper rifle"?

"Mr. Vice President, I'm afraid you're going to have to enter the Faraday Cage. Permanently"