Defcon duo: how-to shut off a pacemaker, almost get free rides on the T
Defcon already delivered by exposing California's FasTrak toll system for the security hole that it is, but that's not nearly all that's emerging from the Las Vegas exploitation conference. For starters, a plethora of medical device security researchers have purportedly figured out a way to wirelessly control pacemakers, theoretically allowing those with the proper equipment to "induce the test mode, drain the device battery and turn off therapies." Of course, it's not (quite) as simple as just buzzing a remote and putting someone six feet under, but it's a threat worth paying attention to. In related news, a trio of MIT students who were scheduled to give a speech on how to hack CharlieCards to get free rides on Boston's T subway were stifled by a temporary restraining order that the Massachusetts Bay Transit Authority snagged just before the expo. Don't lie, you're intrigued -- hit up the links below for all the nitty-gritty.
Update: MIT published the Defcon presentation in a PDF.
Read - Pacemaker hack
Read - Massachusetts Bay Transit Authority sues MIT hackers
Read - Restraining order on said hackers
Reader Comments (Page 1 of 1)
Sebastian @ Aug 10th 2008 9:49PM
To sue somebody in order not to spread the news? Geee - these guys never heard of the Streisand effect?
John @ Aug 10th 2008 9:48PM
I think the best part is that the slides that the transit authority wanted stifled were put into the application for the restraining order so now anyone can look at them. Someone didn't quite think that one through...
phil @ Aug 10th 2008 10:59PM
And then there's those of us who came here and have the entire slide presentation on CD. All of the slide shows for the scheduled briefings are supplied on CD (Black Hat does this as well). I'm really at a loss at what they were trying to do by getting a restraining order. They were about a day late if they didn't want anyone to know about this.
DSeaver @ Aug 11th 2008 7:54AM
MIT's school newspaper has published the slides here:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Free rides for all [in Boston].
Also, slide 85 is a great reference!
Jack C @ Aug 11th 2008 10:15AM
I think them actually doing anything about it made it a bigger headline. Only a few people outside of the hacker community would have seen it, but now people are looking for it.
As Jeff Moss, founder of DEFCON and Black Hat, mentioned in his article http://www.internetevolution.com/author.asp?section_id=554&doc_id=139509&f_src=flffour , when they discovered the undercover Dateline NBC reporter, people don't "seem to have any idea who we are -- either as a conference or as a culture."
badenglishihave @ Aug 10th 2008 10:03PM
"Kill the messenger" I guess.
johnoe @ Aug 10th 2008 10:12PM
Mister Anderson, or should that be Neo
sargentr @ Aug 10th 2008 10:17PM
I've been waiting for someone to crack the Charlie cards, seeing how they're RFID and that seems so often cracked.
Setnev @ Aug 10th 2008 10:19PM
Looks like the site took down the pictures of the slides that show how to hack the system. Luckily for Google Cache, the magic and evidence of the wrongdoing is captured.
Here is the link:
http://www.tgdaily.com/images/slideshows/200808091/001.jpg
all the way to
http://www.tgdaily.com/images/slideshows/200808091/087.jpg
Get them while you can.
Graham @ Aug 10th 2008 10:34PM
Most hacks I find are (relatively) harmless; at most they get a free service or steal money. But when it comes to screwing with people's lives, that's where I draw the line. Now yes, it says that the good hackers got this first, but nonetheless, now that the knowledge of a hack is out there, the not so good people will be trying to exploit it. I just hope they get this fixed before the information gets in the wrong hands.
inteller @ Aug 11th 2008 8:53AM
It is on the Internet. A little too late for that.
wiregr @ Aug 12th 2008 12:05PM
If the good hackers have it, you can rest assured the bad ones do too. That's why releasing it publicly is a "good thing" - the more people that know about it, the greater the sense of urgency to get this fixed, thus preventing anyone (whether they have good intentions, or bad) from being able to take advantage of it. The so-called "bad hackers" would much rather it stay hidden, so they can continue to take advantage of the vulnerability.
Matt Ferens @ Aug 10th 2008 10:47PM
Although I am glad that the people who are pursuing this exploit on pacemakers are on the "good side of the fence", it still makes you wonder what kind of people would actually attempt such a hack in real life.
Alex @ Aug 10th 2008 10:52PM
The slides are right here...
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Eric M. @ Aug 11th 2008 12:16AM
Thanks man, I was really looking forward to this, so I made sure I saved it to my computer just in case they take it down!
topspinserve @ Aug 10th 2008 11:27PM
They're just copying the wording of the article they're linking to.
HunterXI @ Aug 10th 2008 11:28PM
Hey, I know how to 'hack' MBTA turnstiles... WAIT UNTIL SOMEONE EXITS ONE AND WALK THROUGH THE FUCKING THING. Honestly, not that hard.
Eric M. @ Aug 11th 2008 12:15AM
Damn right, or just have your friend on the other side trigger the sensors that open up the doors for exiting people.
epsilon343 @ Aug 10th 2008 11:42PM
It'd take a pretty sad individual to hack a pacemaker to mess it up. I don't really have an opinion on hackers as long as they don't mess up my life, but the thought of some asshole in his basement deciding to ruin someone's day by inducing a heart attack is pretty sickening.
Ryan @ Aug 11th 2008 12:07AM
Which is why these guys expose this stuff. 99.9% of the guys at these conventions are the 'good guys' and are showcasing these hacks in an effort for the companies to close the holes before the 'bad guys' take advantage of them... if they were intended for malicious use, the hackers would be shooting themselves in the foot by publicly exposing them.
AlphaTeam @ Aug 10th 2008 11:55PM
See, the issue here is they will just leak the hack if they can't give the talk.
haynesjgator @ Aug 11th 2008 1:40AM
I am a heart patient who has a pacemaker and a student majoring in Computer Information Science. I have always wondered about this. Every year when I have my 'tune up' all the tech does is place a device with a radio sensor (size of a computer mouse), and a signal bar not unlike a cell phone's indicates the connection to the computer. That is it. No passwords, no nothing, tap the touch panel and access my heart! ;-) I actually asked my doctor about security once and he said the range is very limited to communicate with the device, preventing most issues, and there are no passwords just in case you are hit by a bus, heart attack, coma, etc.
Also, most people don't know that patients with pacemakers have devices that will send medical data back to their doctor via telephone. Place your phone on the machine, wear wrist bracelets to detect electrical activity, place the provided magnet over the pacemaker, and it will 'chirp' your data back to the 800 service and your doctor. I hope all this is done with read-only privileges to the pacemaker...
siddharth s @ Aug 11th 2008 12:47PM
You should print the PDF slides and show them to your doctor next time you meet him. Have him show interest to the next medical device salesman, and the sales guy takes it back to HQ ("hey ... xyz is a real concern out in the field").
One feedback isn't going to change things overnight, but with enough feedback, people start noticing.
BTW, stay healthy!
Ethan Fahy @ Aug 11th 2008 12:12AM
So based on the PDF without audio it's a bit hard to follow. Anybody want to throw together a step by step guide to making an unlimited CharlieCard?
A.C.E.R. @ Aug 11th 2008 1:58AM
It doesn't get any more step by step than that.
neofolklore @ Aug 11th 2008 8:17AM
That was really straightforward to me.
Justin @ Aug 11th 2008 1:21AM
It's pretty easy, and poor programming on MBTA's part:
1. grab an MSR decoder/encoder
2. swipe an existing paper charlie card, view 16 bit hex code in 24th, 25th, 26th & 27th digit positions (example: 00C8)
3. change said code to your desired amount (in cents) for example 00C8 = $2.00/200 cents ... 03E8 = $10.00/1,000 cents
4. encode card with new information
The above is for informational and educational purposes only.
Wwhat @ Aug 11th 2008 2:00AM
Doesn't Cheney have a pacemaker? I'm just saying...
spacey @ Aug 11th 2008 3:31AM
If I ate bird's nest soup during the Olympics, I'd be fined by our government for creating misunderstandings and sabotaging the friendship between the American people and the Chinese people. You know what, those Chinese who commented negatively on foreign political leaders during the opening ceremony were already detained by the government and some will be secretly executed.
"Knock, knock..."
"Open the door! Public security bureau! You are under arrest for violating the internet safety laws!"
"Damn it! Give me freedom of speech!"
- best regards from Shanghai, China
drmarvin2k5 @ Aug 11th 2008 12:28PM
I work with pacemakers and ICDs every day. There are a lot of safeguards against these hacks, and if you don't notice someone doing most of the things that would allow changes, you are not very observant. Since the wireless ICDs require activation within less than a centimeter, and pacemakers don't have the wireless ability, there isn't much that is really dangerous in regular life. Sure, it is possible to change some of these things, but it's really, really unlikely.
Stop freaking people out.
siddharth s @ Aug 11th 2008 12:56PM
Exactly. The pacemaker "doesn't have the wireless ability". Since you're a doctor and I'm an RF engineer, that isn't exactly true (since the RF channel is 2 way, it has to have 'wireless ability') - but I get your point.
The pacemaker doesn't have to be an 'active radiator'. What happens is that your reader sends out a high-frequency (but low energy, low range) signal. This signal resonates within the internal circuit and supplies enough power to activate the processing unit inside as well as to activate the RF portion (to send the data back out, via FSK encoding).
To increase range I can:
1) use a very high energy signal (~20 dBm);
2) use a very sensitive receiver for the return path.
Just because your compliant device works over a small range doesn't mean that folks wanting to circumvent will also use the same restricted/compliant devices.
All said and done, there are technical solutions to solve this, factoring in emergencies etc. The companies manufacturing these devices simply need better engineering resources to use them. Safety first.
Cheers
Siddharth
Brady @ Aug 11th 2008 5:25PM
This is simply remarkable. MIT students are so smart. Too bad authorities will be all over this now.
Joel Huschle @ Aug 12th 2008 1:08AM
The pacemaker hack is some scary shit. Hope it's used for good and not evil, seeing that I already fear the microwave oven!
Jonathan @ Aug 13th 2008 2:11AM
The Fastrak talk was at Black Hat, not at Defcon.