Pacemaker Hack Can Be Used To Kill People With Electric Shock

    October 18, 2012
    Zach Walton

The pacemaker is a small electrical device that attaches to one’s heart. It controls heartbeats through timed low-voltage electric shocks. The devices have saved countless lives, but these same devices now pose a serious threat.

New research from Barnaby Jack, Director of Security Research for IOActive, found that pacemakers could be easily hacked. The reason is that modern pacemakers have moved to a wireless control mechanism that can be activated from a distance. Hackers can easily obtain the information needed to take control of the devices from the pacemakers themselves.

So what could happen if a hacker were to take over a pacemaker? Jack demonstrated how he could force the pacemaker to deliver an 830-volt shock directly to a person’s heart. In short, a hacker could kill a pacemaker-equipped person with absolute certainty.

Unlike other hackers who reveal the names of companies to publicly shame them into fixing these problems, Jack has notified the pacemaker manufacturer in secret. There’s a big difference between hacking locks and murdering people. The worst part is that any deaths resulting from this hacking method would be viewed simply as a tragic accident.

Even worse, a hacker could upload malicious software to a central server that would spread lethal shocks to everybody using that company’s pacemakers. If they so desired, a hacker could commit mass murder and everybody would be none the wiser.

The hacks don’t stop with killing people, though. Jack also found that a hacker could access a patient’s records from their pacemaker. They could also gain remote access to the servers that run the pacemaker’s software.

The pacemaker was one of the first steps into merging man with machine. Since then, we have created countless technological breakthroughs that save lives through the use of machines. Unfortunately, the security of said machines has not kept pace. This has led to today’s revelation that hackers can remotely kill you through a pacemaker. It’s kind of terrifying.

[h/t: Network World]
  • Joe

    The pacemaker design, one patent-holder of which can easily be determined by a Google search, “First WiFi Pacemaker” pointing to an article published in 2009, appears to log into any available open WiFi hotspot periodically to update its information.

    Presumably Barnaby Jack got a sales demonstration of the amazing WiFi capabilities and worked it out from there by getting one and observing its behaviour. One would assume he didn’t hack the one he was wearing.

    The idea that the device could have its software completely updated while being the only source of beats for a person needing a pacemaker does boggle the mind a bit. One would think such a vulnerability would have been noticed.

    Customers would also hope that the WiFi transaction necessary to authorize a defibrillation or stoppage of pulses would be a bit more involved than an open-text command through a WiFi telnet session.

    There are a few key pieces of technology that have no sensible business case justifying an unsecured connection to the internet, like military hardware, air traffic control, railway signalling, and electric power plants.

  • Internaut

    Is this just part of the beginning? I can imagine hackers ransoming anyone’s pacemaker. But as pointed out, all of this goes beyond and into the realm of all wireless hardware such as school surveillance cameras, hospital equipment, home/business alarm systems, key fobs, air traffic control, or control of Drones… just about anything that is wireless!

    Will our electronics become even more at risk to sysnappers (as in kidnappers)?

    The challenges to infiltrate and hold systems hostage are there. The expertise is there to sysnap (as in kidnap) and hold most anything hostage, or worse yet, used as terrorism tools.

    I can’t imagine that every attempt to hack has been realized or caught and security holes plugged. I’m concerned about those successful hacks we are not aware of.

  • Ted

    Everyone with a wireless pacemaker should thank Barnaby Jack and implore the FDA to engage stronger security measures in medical devices. Barnaby is the poster child of the benefit of white hat research and without ethical hackers we could see a society run amuck with black hat espionage. Hackers aren’t just pimply nosed teenagers seeking a cheap thrill.

  • ron

    They should use inductive coupling (similar to the way a cordless toothbrush is charged in its holder without direct electrical contact) instead of wireless to prevent this sort of thing.

  • Borg

    As a recent recipient of an ICD, this article caught my attention. But I am not panicking. My ICD does use RF technology to allow my Dr to monitor my device. It is a great use of technology. But in order for the device to be programmed, a magnet must be held over it to engage programming mode. While this is all new to me and I could be wrong, this seems to be fairly standard. So a remote reprogramming of a “Kill” command isn’t possible. That said, the possibility of the Programmer in the hospital or Dr’s office getting hacked is a real concern. On my first checkup, the staff was learning a newly installed major update. I am not sure what is worse, old vulnerable software, or the first run of a new version
    …makes my heart skip a few beats!

  • Dr A D Cunningham

    Interesting article, but we need to calm down a little. First of all there is NO capability for a standard 5 Volt pacemaker to be able to generate an 800 Volt lethal shock. That is electronically an impossibility and pacemaker users can be assured of that.
    Secondly, implanted defibrillators (ICDs), which are less common than pacemakers, CAN generate these high voltages (that is how they work when restarting the heart) but they can only be re-programmed under carefully controlled circumstances not replicatable by a remote hacker. So that’s not going to happen either.
    The concerns about accessing secure information are much more feasible, but naturally all such traffic is heavily encrypted so it is no less secure, and probably much more secure, than Internet shopping.
    The last thing we want is multitudes of pacemaker patients panicking about this.

    Dr A D Cunningham
    National Pacemaker and ICD Registry
    United Kingdom

  • Aaron Sorkin

    Of course it’s possible, I’ve seen it done recently on both NCIS and Homeland… all you need is the serial number and a pimply hacker in his Mom’s basement.

  • Murali Dharan

    Just saw Homeland where Abu Nazir kills Walden by hacking into Walden’s pacemaker. Looks like fantasy becoming fact. Terrifying indeed.