Security researchers to unveil pacemaker, medical implant hacks
A team of respected security researchers known for their work hacking RFID radio chips have turned their attention to pacemakers and implantable cardiac defibrillators.
The researchers will present their paper, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," during the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy, one of the most prestigious conferences for the computer security field.
The authors of the paper are listed as: Shane S. Clark, Benessa Defend, Daniel Halperin, Thomas S. Heydt-Benjamin, Will Morgan, Benjamin Ransford, Kevin Fu, Tadayoshi Kohno, William H. Maisel.
Kevin Fu, an assistant professor at the University of Massachusetts Amherst, along with two graduate students who worked on the project all gained significant attention for their past work in attacking RFID-based credit cards and RFID (radio frequency identification) transit payment tokens.
Kohno, a professor at the University of Washington, was the subject of worldwide media coverage for his work in exposing flaws in Diebold voting machines back in 2003, and then later for finding major privacy flaws in the RFID-based Nike+iPod Sport Kit.
Shocking stuff
When contacted by e-mail, Kohno told me that he and his colleagues could not currently comment on their latest project. Without the help of the authors, it is difficult to predict the contents of their research paper. However, it is possible to piece together other bits of information to try to learn more about the project.
A previous research paper published by the same team noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. An increasingly large percentage of these can be remotely controlled and monitored by specialized wireless devices in the patient's home. The devices can be accessed at ranges of up to 5 meters.
By reading between the lines (millions of remotely implanted medical devices, able to administer electrical shocks to the heart, can be controlled remotely from distances up to 5 feet, designed by people who know nothing about security), it is easy to predict the gigantic media storm that this paper will cause when the full details (and a YouTube video of a demo, no doubt) are made public.
Just remember where you saw it first.
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society , and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure. 
- by bravian March 3, 2008 12:37 PM PST
- "millions of remotely implanted medical devices"
- Like this Reply to this comment
-
-
- by nutroxx March 14, 2008 7:02 PM PDT
- It is possible indeed, but very dangerous and should never be done! Doc. Bennett
- Like this
-
(3 Comments)Your own message contradicts this statement.
"can be controlled remotely from distances up to 5 feet"
Heh - this statement gives clues into who the manufacturer is. The latest systems can go much farther than 5 feet.
"designed by people who know nothing about security"
how do you know this? Do you even know what is involved with the design and manufacture of ICDs? I used to work for one of the big three ICD makers. I can't speak for the other two ICD makers but the system at this company was designed and implemented with the input of security experts who were permanent part of design team. I look forward to the paper but one gets tired of this blatant over-generalizations from the press.