Researchers warn of hacking risks to heart devices
by Donald Melanson 
posted Mar 12th 2008 at 12:48PM
While it should hardly come as a surprise given the near constant stream of hacking fears we hear about these days, researchers are now warning about a possible vulnerability to an especially important bit of technology: medical devices that control the human heart. As The Wall Street Journal reports, the concerns are mostly centered around so-called "programmers," which are devices used to wirelessly communicate with the implanted defibrillator or pacemaker. Those devices are obviously only sold directly to physicians by a select group of companies but, as the researchers warn, it is at least conceivable that hackers could transmit the same radio signals using another device, allowing them to shut down the defibrillator or deliver a shock, or possibly even obtain a patient's medical information. The researchers are quick to point out, however, that this is "theoretical risk, not an actual risk," and they're not recommending that anyone consider deferring an implantation or removing a defibrillator. [Image courtesy of Medtronic]
Filed under: Misc. Gadgets
Reader Comments (Page 1 of 2)
Jeff Tracy @ Mar 12th 2008 12:52PM
Fear mongering is a great way to procure funding!
rv @ Mar 12th 2008 3:00PM
Seriously, why would hackers do this? Thats murder. Theres nothing to lol about killing random people.
Sean @ Mar 12th 2008 5:10PM
Way to go and devulge vunerabilities to the public, nobodie would of thought of this without being told about it. If you were a bank you wouldnt go around saying hey our back door isnt alarmed and someone could rob us...no keep this shit to yourselves
linuxamp @ Mar 13th 2008 3:38AM
Sean, if you have to use obscurity it just means you didn't do a good job with security. Publicizing this kind of information is good in that more people will be able to scrutinize the devices and find problems with design and implementation.
Case in point, Truecrypt. It's open source so you can see everything they're doing but it's still one of the toughest encryption tools available.
Dan Davis @ Mar 12th 2008 12:54PM
I'm going to overclock mine so I can run faster!
mian @ Mar 12th 2008 1:29PM
All the downside of steroids without any of the benefits. It's a niche no one ever thought to fill.
My wiMax pacemaker seemed like such a good idea a week ago.
LondonConsultant @ Mar 12th 2008 12:55PM
Make sure its got a good firewall and WPA turned on...
Tim @ Mar 12th 2008 12:55PM
I knew integrated wifi was a bad idea.
I guess this explains that "betty's ticker" network that popped up when i was configuring a network connection last night...
But seriously, I bet there is REALLY funny story about how they figured out this could happen...
Khris @ Mar 12th 2008 12:56PM
Did I make your heart miss a beat?
How about now?
webon @ Mar 12th 2008 12:58PM
homo-paranoicus* non the less
Flashpoint @ Mar 12th 2008 12:58PM
The true meaning of having a "broken heart"
Chris Macdonald @ Aug 10th 2008 10:21PM
oh that was lame
Joshua @ Mar 12th 2008 5:21PM
hey, Could you please explain more of that because that would help lot of people around. Worth to read your blog
Frankenstein Black @ Mar 12th 2008 1:06PM
What’s Dick Cheney’s (er Oswald Cobblepot’s) IP address?
samnesral @ Mar 12th 2008 1:17PM
666.666.6.666
Kris @ Mar 12th 2008 5:05PM
Sorry samnesral but that is not a valid IP address.
Dick's IP address is 127.0.0.1
PhilxBefore @ Mar 12th 2008 2:26PM
"666 is not a valid entry. Please specify a value between 0 and 255."
PGP-Protector @ Mar 12th 2008 3:14PM
006.006.006
UKNigel @ Mar 12th 2008 3:32PM
Insignificant digits are not included in an IP address. It would be 6.6.6
Chad @ Mar 12th 2008 1:06PM
When were pacemakers ever NOT hackable? Even before they started installing transceivers in them you could bork the device by simply aiming a strong electromagnet at it. And everyone should be familiar with the reported affect of a microwave on a pacemaker.
Cliffy B. @ Mar 12th 2008 1:14PM
If there's anyone who would intentionally hack someone heart device they should go to jail for 25 year,attempted murder.
Dan @ Mar 12th 2008 1:53PM
Which is good enough reason to assume most hackers wouldnt attempt to hack into such a device. Hackers can face quite a serious charge depending what they hack into and destroy, whether personal or government owned.
But to hack into a device that contorls the heart and possibly stop or currupt it to a point of non-operation, well the hacker is facing more then just small charges, your talking homicide/murder, and much much worse. They won't be getting any mercy points from any judge or government official that you can bet.
tanooki2003 @ Mar 12th 2008 1:33PM
Gee great way to fear monger the valued bloggers Donald Melanson
AlexL @ Mar 12th 2008 1:39PM
Did they think about security when they implemented wireless connectivity in these devices? Did they make the communication encrypted? Does the device have a white list of allowed communication partners? It seems if these devices weren't designed with security in mind, then the hacking risk is very real.
cnycompguy @ Mar 12th 2008 2:55PM
the security with these is physical security, with a wireless range of inches, you'd notice and be able to step back away, or shoot the attacker.
AlexL @ Mar 12th 2008 2:59PM
The range is going to depend on the power of the sending device. So all you need to defeat it is to get a higher power transmitter.
porath @ Mar 12th 2008 1:43PM
why do they release these reports to the public? can't they just give them to physicians to warn their patients against any possible danger? if even one person gets the idea to kill somebody in this way because of this report, i'd say everyone involved in its distribution is at least partially responsible. nonsense media.
Joseph @ Mar 12th 2008 2:11PM
Im In Ur Hart Haxing Ur HartBeatz
Forgive me.
BigD145 @ Mar 12th 2008 2:31PM
The capacitor from a disposable camera will do the same job. Let's ban disposable cameras. Seriously, ban them.
PhilxBefore @ Mar 12th 2008 2:34PM
The capacitor would have to come in direct contact with the person unlike a wireless attack.
Anything with an electric current could short it out. I bet if you had a pacemaker you'd become Almish.
Now there's a paradox for ya.
YoJIMbo @ Mar 12th 2008 3:21PM
I have been hit hard by a flash capacitor... I ended up feeling very light and free and I wanted to give my money away... I later came to my senses and slapped myself. Very interesting though.
PhilxBefore @ Mar 12th 2008 2:32PM
I think the larger question at stake here is who is actually sweeping the airwaves to find a 70+ year old person's pacemaker and wanting to take it down? Anyone with the knowledge of doing this, probably is more concerned with finding information rather than maliciously destroying an incredible life-saving device.
F*ckin media, there is a huge difference between a hacker and a cracker.
Hackers - build
Crackers - destroy
Cryonaka @ Mar 12th 2008 11:21PM
thats weird.. where im from "cracker" is a racial slur
cnycompguy @ Mar 12th 2008 2:49PM
The wireless range is about 3 inches, So in this case, a hacker would be rather obvious.
AlexL @ Mar 12th 2008 3:00PM
Range depends on the power of the transmitter.
cnycompguy @ Mar 12th 2008 3:07PM
the communication is a 2 way protocol. The need for the built in power supply to last for over 5 years, means that the devices transmit at an extremely short range.
I have one of these myself, I know what goes in to making them work.
AlexL @ Mar 12th 2008 4:07PM
You mean the "programmers" need to receive a signal from the implant before it can proceed to send the implant its commands?
AlexL @ Mar 12th 2008 5:08PM
A two-way communication protocol does not inherently make the device secure. Can you elaborate on what kind of implementation details there are? Someone could still theoretically build a malicious one-way programmer that does not receive any signals from the implant, and instead only sends out high powered signals to the implant, thus operating it from long ranges. Unless, of course, the implant is designed to send out secure codes to the programmers, which the programmer need to use to subsequently send commands to the implant.
Tidify @ Mar 25th 2008 3:24PM
I suspect the author of this report is nowhere near the age bracket of people facing the implantation of one of these devices. I don't have one myself, as I am also not in that age group, but I know somebody who has one. This person was told they faced a real risk of life-threatening cardiac problems, and that this device could help reduce the risk of death/disability from cardiac events. I would argue that the likelihood of death/stroke/disablement, etc far outweighs the prospect of a truly misguided individual somehow managing to hack your ICD.
PGP-Protector @ Mar 12th 2008 3:13PM
006.006.006
joey @ Mar 12th 2008 3:44PM
There should be like this unwritten code that there are certain things you don’t hack. Honor among thieves. Of course then you would have this renegade bunch that could care less.
Then the governments of the world would have to unite and form a treaty with the hackers of the world to try to stop the outlaw of hackers. Of course there would be like this one renegade hacker who has infiltrated this group and when the time is right sabotage the whole plan but at the same time a misfit group of hackers discovered this and put in safe measures to stop this.
But at the point where the bad hackers where gonna die, one of the good hackers felt compassion because the both of them used to date the bad hacker or something and in that moment the bad hacker almost gets away till another member of the good hackers tries to stop the bad hacker and the bad hacker falls 70 stories down to a rusty spike and the first good hacker weeps and cries out their name.
But the world is now safe for now.
Jeff @ Mar 12th 2008 4:35PM
What the Heck?!
although, I admit, that made me laugh
obiwan @ Mar 12th 2008 4:56PM
I saw that movie! It was awesome. But it was only 42 stories, which was symbolic because it was part of the address of the wireless pacemaker the first good hacker had installed so that he could practice hacking it without almost killing someone else. At the end he sends the code to stop his own broken heart.
tiuk @ Mar 12th 2008 5:18PM
What was the name of that movie?
jpa @ Mar 12th 2008 4:56PM
All your hearts are belong to us
mschaffer @ Mar 12th 2008 5:01PM
When does a "theoretical risk" become an "actual risk"?
OneLove @ Mar 12th 2008 5:15PM
put some usb and D's on that beeotch!
Kyle @ Mar 12th 2008 5:20PM
Not only 70+ people have these devices. I'm 34 and have one.
PotentiallyAwful @ Mar 12th 2008 5:26PM
Wow this is a great idea, I would never have conceived doing this before reading this article. Now I know how to get rid of an annoying old neighbor if necessary! PS you told me everything else I need to know, how about letting me know how not to get caught as well?
GJ engadget.
Sam @ Mar 12th 2008 5:53PM
What kind of dick hacks people?