A hacker could cause a lethal shock to someone with an ICD

For millions of heart patients across the United States, the difference between life and death is the pager-sized heart pacemaker or Implantable Cardiac Defibrillator (ICD). The pacemaker sends tiny electrical signals through the heart to allow the heart to properly time each beat and maintain the normal sinus heart rhythm needed to pump blood properly.

The ICD is a similar device that is typically used for heart patients whose heart pumps normally at most times, but can convert into a dangerous rhythm that results in improper blood flow and could lead to death. The ICD is a smaller, low power version of the external defibrillator used in hospitals and on ambulances.

Many of the most common ICDs and pacemakers implanted in patients across the country now feature wireless control capabilities and some of the devices can even connect to the internet to allow doctors to monitor the patients from remote locations and allow for setting changes to the devices without requiring surgical intervention.

A group of researchers from the Medical Device Security Center published a report (PDF) showing that under a specific set of circumstances the wireless communications of these ICDs and pacemakers could be hacked. The researchers were able to gather patient information from the devices' wireless telemetry functions.

To gain access to this telemetry data the researchers used an antenna, radio hardware and a PC, which could be readily obtained by any malicious user. The researchers say that the ICD telemetry data was transmitted without observable encryption from the Medtronic Maximo used in the study. The researchers were able to gather the patient’s name, medical history, date of birth and more.

The more serious problem the researchers found was that a malicious party could actually change the settings on the ICD, causing it to deliver a high voltage shock capable of causing a heart arrhythmia that could be lethal.

The researchers note that the testing they performed was on a device not implanted into a person and the ICD was in close proximity to the radio equipment. This hacking doesn’t appear to be something that can happen from a distance.

Does this research mean that anyone with an ICD or pacemaker that features wireless telemetry needs to rush to their doctor for a replacement? The researchers say they strongly believe that nothing they have found should deter patients from receiving this type of device if recommended by their doctor.

The researchers further state that the risk to patients is low and that no instance of a hack on an ICD or pacemaker has ever been recorded.

Comments

Doesn't appear to be hackable from range?
By darkpaw on 3/12/2008 4:57:43 PM , Rating: 2
So they say it doesn't appear to be hackable from range, but then again Bluetooth isn't designed to be used at a few miles either. The right gear sure can make a big difference.

RE: Doesn't appear to be hackable from range?
By exanimas on 3/12/2008 6:30:06 PM , Rating: 5
So if you have a pacemaker and some guy is following you with a laptop and an antenna...

By xsilver on 3/12/2008 6:56:22 PM , Rating: 5
or if you have a guy following you with a banana peel... equally as dangerous?

By Buspar on 3/12/2008 7:18:11 PM , Rating: 5
"Darn it, Cheney, hold still!"

RE: Doesn't appear to be hackable from range?
By Omega215D on 3/12/2008 8:46:18 PM , Rating: 2
psshh, 7-11 with their high powered microwave ovens out in the open you know they're out to kill those people.


RE: Doesn't appear to be hackable from range?
By paydirt on 3/13/08, Rating: -1
By theapparition on 3/14/2008 11:26:01 AM , Rating: 2
Big deal. This was already done in the movies. Suddenly, people dropped dead who were wearing pacemakers.

The movie was "The Core", which probably explains why no-one remembers it. I'm partially ashamed to remember it either, but the 2/$5 DVD bin is sooo tempting sometimes.

Bad science
By JAB on 3/12/2008 10:03:35 PM , Rating: 4
None of this is possible without physical access to the person; you MUST be within inches of the device to get this info or program. Not feet, inches. On top of that, you need to be within an inch or two with a large magnet of one part of the device to do any of this.

If you changed the settings there is a record on the device, so no secret kills. The whole test is a joke; they only were able to decrypt the radio info by first hooking up the serial port on the device. Sadly this kind of big money research to prove the sky is blue is very popular and profitable. Unfortunately this kind of misleading research is the norm instead of the exception; it is even worse in the big name ivy league schools of medicine, it seems.

My most frightening quote from a Doctor: 'You know and I know that the research is cr_p but it came from the New England Journal of Medicine and all the lawyers read it so have no choice.' The study was multi million dollar but they messed it up but no one reads the fine print.

RE: Bad science
By Min Jia on 3/13/2008 4:01:19 AM , Rating: 2
New ways for professional killers to complete their assignments. Nice.

RE: Bad science
By radializer on 3/13/2008 9:10:04 PM , Rating: 2
I agree to the fact that the DT article could have mentioned that the maximum range that this study tested was "several centimeters" as the referenced PDF reveals - in its current form, this article doesn't quote any numbers which allows readers to draw erroneous conclusions that this is truly a remote process.

The important message from this entire exercise IMHO is that the researchers managed to trigger a "Command Shock" to initiate ventricular fibrillations with the therapy mode of the ICD disabled - which is dangerous.

Also, since the only use of having an ICD deliver shocks is to test how well its therapies can help patients recover from actual cardiac arrhythmia events - allowing one mode to be enabled while the other is disabled strikes me as poor design. Either adequate interlocks were not provided or those provided aren't secure enough.

Someone simply wasn't thinking?
By geddarkstorm on 3/12/2008 5:00:13 PM , Rating: 2
First off, from the article it sounds like the ICD itself sends personal information about the patient? If that's true, then that's really poor designing. Throwing such incredibly sensitive information on to open airwaves is just asking for trouble. Instead, the ICD should be designed to send a key, and that key can be used to retrieve the patient's information from a medical database; the only other information it should send is its settings, of course, and ECG data--nothing that's identity sensitive. Moreover, changing the charge settings on the device should at least require a user name and password, as should interfacing with the device in the first place.

Maybe it was just the brand they were using, but none of these issues can't be easily fixed, so the fact they exist at all is a testament to poor planning.

By AToZKillin on 3/12/2008 5:43:22 PM , Rating: 2
The key idea is a great idea. I second that. So long as the database itself doesn't leak. Why would they go through all that trouble of designing something that sends sensitive information across airwaves, and then not protect it?

New form of assassination
By ninjit on 3/12/2008 5:03:40 PM , Rating: 4
Unless these things start keeping log files (like a plane's black box, in the event of death), you could specifically kill someone knowing they had one of these devices in them, and no one would be the wiser.

Very scary, but kinda cool in a morbid sense.

I can't wait till the day when I can hack my boss, and make him do the Robot dance in the middle of a board-meeting.

By msheredy on 3/13/2008 2:20:47 PM , Rating: 2
Now this is a threat.

It is stupid articles such as this that need not be brought to the public's attention.
