Hacking pacemakers

There was a recent post concerning hacking of pacemakers. An article said it was possible to hack into a pacemaker. In this post I'll go further into detail about hacking of pacemakers and what it means to us with pacemakers.

Hacking - illegal or unauthorized access to a device or service.

Black Hat researcher Jerome Radcliffe hacked his own insulin pump. Radcliffe reverse-engineered the wireless commands sent from the small controller that ships with his pump. He was then able to use a small radio frequency (RF) transmitter to remotely control his insulin pump. Even then, Radcliffe said hacking the pump wasn't easy.

Notice that Jerome had access to his own pump, had the time to access the pump, had the tools, and had the knowledge. Without all four parts of the puzzle (access, time, tool, knowledge) Jerome was going to find it difficult if not impossible to hack into a pacemaker. Even then he said it wasn't easy.

What was NOT discussed in the article was the following: Methodology, Expertise, ROI - Return On Investment, Statistics, Punishment.


METHODOLOGY: The tools needed to effectively accomplish the hack.

First you need to know the radio frequency (RF) used by the device. Second you need equipment that will access the frequency. A kid who got an Arduino board (microprocessor board) or a Raspberry Pi board (micro-computer / microprocessor board) for Christmas won't be able to hack into your pacemaker. No way, won't happen.

"Testing by Joseph Xu, University of Michigan showed some good news: Successful hacks are unlikely in the near future. Though they demonstrated the ability to manipulate external devices from a range of one or two meters, successful attacks on embedded devices were limited to two or three centimeters. "

In other words, hackers would need to have the device attached to your body and be placed on top of your PM in order to be successful. Believe me when I tell you I'm not going to let anyone get that close to me except after a nasty fight.

In addition to finding the RF, then finding the code to use, you also have to determine if it is the same for all types of pacemakers. With manufacturers being aware of hacking possibilities, what steps are they taking? Medtronic refuses to discuss - I'm glad they don't. In the US we have tort law where anyone can be sued by anyone at any time. I'm sure they've taken steps but they aren't talking and I'm not asking.


EXPERTISE: The knowledge needed to effectively accomplish the hack.

#1: As said before, a high school kid isn't going to have the expertise to gain access to your device. Even if he does, by some remote chance, have the intelligence, he's not going to have access to equipment capable of making the hack. RF equipment off-the-shelf doesn't work in the part of the radio spectrum necessary for our pacemakers. Web enabled electronics for Arduino and Raspberry Pi are limited to pre-set RF settings. You can change the web address but not the RF settings. He doesn't have access to the tools.

#2: Jerome Radcliffe hacked his own insulin pump. But he had the four pieces of the puzzle - access, time, tools, and knowledge. Even then he said it wasn't easy. He refused to name the manufacturer of the pump and refused to give out any other information regarding his pump and how he accessed it. Wonder why? Could it be personal survival was his main interest?

Notice he didn't hack a pacemaker. It was an insulin pump.


ROI - RETURN ON INVESTMENT: What do you gain by hacking.

Criminals, like everyone else, have to make it worthwhile to do what they do.

As of 2013 there were about 3 million people with pacemakers. Population of the USA was approximately 316 million. So roughly out of every 105 people, 1 would have a pacemaker. Is it really worth it to go after 1 person out of 105? Especially when you don't know who has a pacemaker? As said before, they'd have to attach the equipment to your body to make it work. Like the next 105 people are just going to let someone walk up to them and touch them with strange equipment? Really?

It just isn't economical to a hacker / criminal to go after pacemakers.


STATISTICS: What percentage of the population can be hacked for profit?

Question here is what kind of effect do you get when you go after a certain percentage of the population? Sad to say, it's much more effective, gets you more notoriety, has more effect, to go after school kids in a school than to go after 1 potential person out of the next 105 people you see. Just isn't worth the work and hassle.


PUNISHMENT: What happens to you if you are caught doing illegal activity?

While it probably isn't illegal to hack into pacemakers (yet), it is illegal to touch a person without their previous approval (in the USA). In legal terms that is known as assault.

In the US we have to get written permission from parents before a campout just so we can take them to the hospital. Touching a kid without prior permission can get an assault charge leveled against you.

So messing around with someone's pacemaker without their permission is assault. Since it could result in death, it's felonious assault in Ohio with a minimum of 3 years to 11 years in prison with a fine up to $20,000. Being convicted of a felony gets you in BIG trouble. Is it really worth the risk?


CONCLUSION:

Is it possible for someone to hack into a pacemaker? Yes. But they will need access, time, tools, and expertise. Even then it would be difficult. With current technology even if someone figured out how to hack into a pacemaker they still would need to be touching you to gain access to the equipment.

Thinking you will be walking down the street and suddenly get zapped by some demented high school kid or evil scientist would be best relegated to science fiction.

Do we have to worry about our pacemakers being hacked - I don't think so.

Everyone should sleep well tonight.

INFORMATION for this posting based on articles at the following web addresses:
http://www.informationweek.com/healthcare/security-and-privacy/hackers-outsmart-pacemakers-fitbits-worried-yet/d/d-id/1113000
http://content.onlinejacc.org/article.aspx?articleid=1358197
http://www.criminaldefenselawyer.com/resources/criminal-defense/felony-offense/assault-deadly-weapon-ohio


2 Comments

Thanks

by Energy - 2014-11-23 09:11:40

Thanks for the thorough information... very good to read!

Good point

by Theknotguy - 2014-11-24 09:11:16

Your point is well made. i.e. as soon as someone figures it out it will be all over the Internet. That thought was running around while I was writing the post. But, and a big BUT, there are additional things to consider.

Remember I said the hacker needed four things, access to the equipment, time, tools, and expertise. Publishing on the Internet eliminates some of the expertise. But you still have to have access to the equipment, time, and tools to do the hacking.

Equipment in the range our PM's operate isn't readily available. You just can't go down to the local Radio Shack store and pick up the equipment. Or if you could, it's going to cost a lot of money. So that pretty well eliminates the casual hacker.

Another factor is expressing criminal intent. 2901.22 of Ohio Revised Code discusses the various levels of criminal intent. So if a person engages in such activity they can't look at the judge and say, "I didn't know what I was doing." Or they can say it, but the judge isn't going to buy it. At that point they're back to felonious assault. Minimum of three years in adult prison. Hopefully even stupid teenage boys will figure that out.

Working with scout kids, I know there are teenage boys out there stupid enough to try to hack into a pacemaker. I would regularly have to back them up against a tree on a campout and tell them to stop doing whatever stupid activity they were doing. Sometimes it was nose to nose while I explained the facts of life. But for teenage kids we're back into access to equipment problems, money to buy it, and time to figure out how to make it work. Remember the advanced hacker said it was still difficult to do and that was with an insulin pump not a pacemaker.

I worked for twelve years in a health insurance company. Only one breach in that twelve-year span. Nurse took printed records home - wasn't supposed to do that - had her roommate (also a nurse) look at something on the printed report. Results - instant dismissal. People within the health care system take their work seriously - ultimately mistakes can mean bad things to you including loss of life so self-preservation kicks in. Rogues are weeded out early and quickly.

So for the record. I have my pacemaker but I'm not going to mess around with it. Self-preservation - I'd really like to live for a long time. I don't have equipment to access my pacemaker for hacking. Don't know the RF frequencies. Don't have computer code. Don't know. Am not interested in learning.

The only reason for the post was to explain in non-emotional terms how difficult (almost impossible) it would be for someone to hack into pacemakers. Let's get rid of the fear mongering and yellow journalism and look at the facts.
