VentureBeat: Defcon: Excuse me while I turn off your pacemaker

  • Ben Kessler · 1 year ago
    Yeah I mean this is seriously fucked. I'm all for the research but not too happy that this even presents the idea to the public. I mean how many people even thought of remote controlling a pacemaker before this? My 2 yr old niece has a pacemaker and this is seriously scary stuff.
  • Al Billings · 1 year ago
    Every computer geek, engineer, and hacker thinks of it as soon as they hear that they can be remote controlled. Security by obscurity is a lie.
  • DS3M · 1 year ago
    Weird... By Your Logic you would rather not know that there is a killer in your neighborhood, even as he creeps through your side door?

    Come on, you have a family member with one of these, of course you should be concerned that there is a flaw that went (relatively) undetected and was certainly not locked up by the manufacturers.

    Wouldn't you rather the "good guys" know about it than the bad ones?

    It works well that the companies didn't hand over their specs freely; that the researcher (Kevin Fu) was up front and honest [and managed to get some help from Harvard] made it better.

    It shows it can be done by someone with skill and access, both of which are likely to be low enough all around to prevent your average Russian hackers from pulling off "Heart Stop USA 2010."

    In any case, I am the type of person that considers biomechanical integration something to be wary of. I would opt to die or have some other surgery than have a pacemaker. Straight up.

    I am also aware that most things that are mechanical are up to receive interference...
    Not interested in letting the man implant and then zap me at their will...
  • rayden54 · 1 year ago
    That's not right.

    It isn't ignorance is bliss. You see now both sides know. Is it worth telling the bad guys to keep the good guys informed?

    To put it into a metaphor, it would be like telling everyone in town that your door's unlocked. Not everyone is a killer, sure, but it only takes one.

    As far as the "skill and access" thing goes. They may be low, but one person can do a lot of damage. Especially if this attack can be done remotely to more than one pacemaker at a time.
  • K · 1 year ago
    This is a more dangerous repeat of what happened with Garage Door Openers back in the 80s. Although the door receivers used infrared and not radio waves, thieves found it was easy to build a custom remote control that "sprayed" the neighborhood with every possible door code. Even worse, many garage doors were left with the default PIN code and never changed, and in suburban developments that means every house usually had the same make and model of garage door engine... I remember watching 20/20 where the reporter and a P.I. drove through a suburb opening every single garage door one after the other.

    Modern garage door openers defeat this problem using pairs of random numbers keyed into each remote control. You have to get up on a step ladder and hold a button on the opener while holding the remote control's button simultaneously for them to "pair" and exchange random numbers. The numbers use public/private key exchange, so even if a cracker uses software to guess one number, he still can't open the door.

    Fast forward to pacemakers: it's a similar problem. The wireless controller and the pacemaker need to use secure communication to authenticate each other, or else anyone could send the pacemaker commands. The greatest is not evil hackers murdering pacemaker-wearers remotely but accidental reprogramming sent to the pacemaker. Imagine if some other device, like a child's toy walkie-talkie, sent a radio signal that matched one of the pacemaker's command sequences exactly. Since the pacemakers today seem to accept commands with no security, the child's toy could accidentally adjust the pacemaker rate faster, slower, off, into test mode, whatever. At the hospital, the doctor might never figure out that it was accidental radio interference that caused her pacemaker to malfunction. Similar problems have happened with computer networks, where packets for one protocol (AppleTalk) are mistaken by the router for other packets (like RIP, BGP, or DECNET) causing weird network problems.

    So, while it's easy to crack jokes, these guys have found a serious flaw with these medical devices and the manufacturer needs to fix it. Over on consumerist.com, there's another story of apathetic radio device design:

    http://consumerist.com/5034950/fisher+price-wal...
  • james · 1 year ago
    Agreeing with people on the comments below. People should shut the hell up about this kind of research. It is information warfare of a low-level kind. Just imagine how these researchers have made all the people with the devices implanted feel. Of course they will rationalize their hobby with, "It's responsible and protective." It goes to show that we need to find new ways to deal with these kinds of issues in a world where everything is just one press away from publish.
  • james · 1 year ago
    Rethinking my words, I do see the responsible side to this research. I just believe how the community talks to itself can be an issue if it impinges on well being of patients. I do concur with Al above that "Security by obscurity is a lie". Just do it more discreetly. Talk to the company directly and drop the blogging about it and gaining kudos by opening your mouth at a security convention, however cool it may reflect on you.
  • Erek Dyskant · 1 year ago
    The sad reality is that companies won't respond to security issues unless there's a response from consumers. However disheartening (no pun intended) it may be, consumers have a right to know the risks that are present in the devices implanted in their bodies.

    Now that the vulnerability is demonstrated, manufacturers will hopefully phase strong encryption into their control protocols.
  • DS3M · 1 year ago
    Not sure if you read the article, but Fu attempted to contact the pacemaker companies for specs, while fully explaining the research task ahead.

    Most companies will be thick headed and rebuff a hacker that says "I have found a flaw here here and here, I can exploit it in this fashion, I can do this within your systems, help me help you and we can solve it and close it together."
    Others will integrate them into R + D for their software
  • AnonymousInGermany · 1 year ago
    "The crowd here is mostly male, young, with plenty of shaved heads, tattoos and long hair."

    Never heard of this exploit... Hair spoofing?
  • Jim McDosh · 1 year ago
    Wow that is some pretty amazing stuff.

    Jt
    www.FireMe.to/udi
  • alpha bravo · 1 year ago
    There has long been an EMP attack for these devices that works on all of them. Inducing large pulses in the wiring triggers fibrillation. Welcome to the 21st century.
  • Monsterbox · 1 year ago
    Just figuring this out? My brother and I used to do that four years ago with our grandpa's old ticker when he had his replaced. You can get at those things with nothing more than a laptop and a ham radio as long as you have a full frequency spectrum and the right adapters.
  • DS3M · 1 year ago
    My Father in Law can't be around old microwave ovens.
    They gotta be newer than 2002 or something...
  • E-Man · 1 year ago
    Yep. Those granddaddy Cylon Model Ts did have that peculiarity. That, and the roving red eye that didn't let you shoot (or spank) straight, either.

    @-)

    One of my Granddads had a clock in his stomach (according to Grandma). But he was an old navy man - so it must have been very early-on research. :D
  • Shane · 1 year ago
    You have no idea how much this scares me. I work in the Biomedical Equipment field, but more and more equipment is either going wireless, or connected over a network, or both. Even the infusion pumps we have upload drug info wireless. What's next?
  • Wensday!!! · 1 year ago
    Wow! If we make some giant one we could shut down every pacemaker in America and save the government millions with so many fewer pensions! Plus give quite a boost to the funeral business......

    Nobody likes the government anymore though, and coffins are already overpriced, so yeah, I'll go with what everyone else is saying; what an evil freak. (if he actually uses it)
  • SpoonGouge · 1 year ago
    As the owner of a pacemaker and an AICD (Automatic Implanted Cardiac Defibrillator) I think this story is bullshit. True, there are new devices that can be reached via the radio but every device I've ever had (~approx 8 pacers and 4 AICD's in the past twenty years) could only be accessed by the radio antenna that needs to be placed ON your chest AROUND or directly above the device (similar to invisible fence). So how were they able to do tricks with an old pacer the doctor was replacing? Don't think it's possible.
  • Quin · 1 year ago
    The reason for the large, close antenna is because the doctors want to limit exposure. With everything in ideal positions and very close to the pacemaker, they can use a lot less power to broadcast the signal. The bad guys do not have this concern for the patient's health.
  • fdas · 1 year ago
    how to induce seizures? just watch old episodes of pokemon.
  • haynesjgator · 1 year ago
    I am a heart patient who has a pacemaker and a student majoring in Computer Information Science. I have always wondered about this. Every year when I have my 'tune up' all the tech does is place a device with a radio sensor (size of a computer mouse), and a signal bar not unlike a cell phone indicates the connection to the computer. That is it. No passwords, no nothing, tap the touch panel and access my heat! ;-) I actually asked my doctor about security once and he said the range is very limited to communicate with the device preventing most issues and there are not passwords just in case you are hit by a bus, heart attack, coma, etc.

    Also most people don't know that patients with pacemakers have devices that will send medical data back to their doctor via telephone. Place your phone on the machine, wear wrist bracelets to detect electrical activity, place provided magnet over pacemaker, and it will 'chirp' your data back to the 800 service and your doctor. I hope all this is done with read-only privileges to the pacemaker...
  • Kalief · 1 year ago
    Nice. When can I buy the satellite version?
  • Scott · 1 year ago
    This type of 'research', and the reporting of such 'research' is irresponsible, and extremely dangerous. Publishing dangerous stories such as this really calls into question a site's management and guidance. This issue has crossed many sites off my favorites list.
  • mitch · 1 year ago
    Scott, you haven't read the above points? This kind of research is absolutely necessary. You can't predict whether a random RF-emitting gadget could trigger an unwanted change in the pacemaker. This research proves that there's a danger in leaving pacemakers unsecure, and now the pacemaker companies have a reason to make them secure: consumers know there's a danger. If you think the research is irresponsible and dangerous because now ONE OF THE BAD GUYS!!! is going to work out the same hack and kill a guy with a pacemaker - that's completely unrealistic. As Monsterbox said above, all it takes is a ham radio and a laptop to do this. If some BAD GUY wanted to do this, they would have figured it out a long time ago. The research isn't opening a door for murderers, it's closing a door for unintentional disruption of the device.

    Man, reading comments like yours always make me think there's a chance that the companies themselves are sending someone around to draw attention away from the importance of the article, so they don't have to do anything...
  • eric · 1 year ago
    cheers
  • daniel · 1 year ago
    Scott get your head out of the sand!

    Without research that pushes boundaries and questions accepted norms then there would be no progress: the manufacturers would continue to build sub-standard equipment if it meant protecting their bottom line (profits).

    Ignorance of a problem doesn't mean the problem doesn't exist and research that highlights such problems isn't irresponsible. The researchers involved attempted to work together with the manufacturers but they refused to help (because by doing so they would expose the flaws in their equipment and hurt company profits).
  • rayden54 · 1 year ago
    The research is necessary. Reporting the flaws before they've been fixed is just dumb.
  • Ervin Wright · 1 year ago
    I have an ICD, question how can my ICD be protected? Would it require the wearing of a lead lined shirt or something like that?
  • Alcari · 1 year ago
    So what's the problem? Just add a rotating 512 bit encryption key, so the odds of guessing it correctly are minute without actually getting your hands on said pacemaker before implantation. Make it react only to a very specific signal strength so it can only be interfaced with using special equipment and not just any radio.

    Problem solved. This is not that big a problem and can be solved for 20 dollars worth of electronics and 2 hours of work.
  • spammeblind · 1 year ago
    Just a word of sanity for the moron researchers. If you read the paper carefully you'll see they have to be less than 5 centimeters from the device to make the connection. That means someone has to be standing in front, or behind you, with a sensing device placed upon your chest. The connection is inductive, to connect outside of the 5cm limit would require exponentially more power. I don't think anyone would survive the power source, let alone have an actively functioning device. They were very careful to hide the truth in the article, and the really funny part is one of the morons received $449,000 dollars for this "discovery". In simple terms they committed a replay attack, but again remember less than 5 centimeters.

    Simple answer is they are going to become famous because the press exaggerates to sell papers, and the researchers don't have the intelligence, or the morals, to correct them.
  • edsion007 · 2 months ago
    Hmmm.. why it has to do with twitter so much?
  • Red Articles · 1 month ago
    Pacemaker problems can rarely occur long after the implantation procedure. These "late" complications include generator failure (extremely rare), and lead failure (less rare). Lead failure can occur
  • Richard Johnson · 1 year ago
    KILL DICK CHENEY NOW
  • Stephen VanDyke · 1 year ago
    Shhhh, don't warn him or he'll hide in his man-size safe.
  • DS3M · 1 year ago
    Well let's hope he suffocates in there waiting for the invasion of Iran
  • Keaton · 1 year ago
    I swear, that is EXACTLY what I thought when I read the article intro.
  • Monsterbox · 1 year ago
    And kudos for that.
  • US Secret Service · 1 year ago
    Smart move, punk.
  • Anonymous · 1 year ago
    That joke was old a decade ago. Get a life
  • jimoaklandu · 1 year ago
    what a DESPICABLE jerk you must be!!!!!!!
  • Anonymous · 1 year ago
    Next time when you're at Wal-mart, get a sense of humor.
  • r. manhammer · 1 year ago
    Is there something wrong with executing war criminals? Why do you hate America?