Fu can remotely turn off your pacemaker
Kevin Fu, an associate professor at the University of Massachusetts at Amherst and director of the Medical Device Security Center, gave a Black Hat presentation in Las Vegas yesterday in which he demonstrated a way of turning off someone’s pacemaker by remote control.
Fu’s team and researchers at the University of Washington spent two years working on the project. The attack relies on the fact that the control protocol for these old pacemakers does not use any cryptographic security. There are currently 2.6 million such pacemakers, installed from 1990 to 2002.
Getting access to a pacemaker wasn’t easy. Fu’s team had to analyze and understand pacemakers for which there was no available documentation. Fu asked the medical device makers, explaining his cause fully, but didn’t get any help.
William H. Maisel, a doctor at Beth Israel Deaconess Hospital and Harvard Medical School, granted Fu access for the project. Fu received an old pacemaker as the doctor installed a new one in a patient. The team had to use complicated procedures to take apart the pacemaker and reverse engineer its processes. Halperin said that the devices have a built-in test mechanism which turns out to be a bug that can be exploited by hackers. There is no cryptographic key used to secure the wireless communication between the control device and the pacemaker.
A computer acts as a control mechanism for programming the pacemaker so that it can be set to deal with a patient’s particular defibrillation needs. Pacemakers administer small shocks to the heart to restore a regular heartbeat. The devices have the ability to induce a fatal shock to a heart.
Fu and Halperin said they used a cheap $1,000 system to mimic the control mechanism. It included a software radio, GNU Radio software, and other electronics. They could use that to eavesdrop on private data such as the identity of the patient, the doctor, the diagnosis, and the pacemaker instructions. They figured out how to control the pacemaker with their device.
[via venturebeat]




