Pacemaker hack can deliver deadly 830-volt jolt

Pacemakers and implantable cardioverter-defibrillators could be manipulated for an anonymous assassination

Pacemakers from several manufacturers can be commanded to deliver a deadly, 830-volt shock from someone on a laptop up to 50 feet away, the result of poor software programming by medical device companies.

The new research comes from Barnaby Jack of security vendor IOActive, known for his analysis of other medical equipment such as insulin-delivering devices.

Jack, who spoke at the Breakpoint security conference in Melbourne on Wednesday, said the flaw lies with the programming of the wireless transmitters used to give instructions to pacemakers and implantable cardioverter-defibrillators (ICDs), which detect irregular heart contractions and deliver an electric shock to avert a heart attack.

A successful attack using the flaw "could definitely result in fatalities," said Jack, who has notified the manufacturers of the problem but did not publicly identify the companies.

In a video demonstration, Jack showed how he could remotely cause a pacemaker to suddenly deliver an 830-volt shock, which could be heard with a crisp audible pop.

As many as 4.6 million pacemakers and ICDs were sold between 2006 and 2011 in the U.S. alone, Jack said. In the past, pacemakers and ICDs were reprogrammed by medical staff using a wand that had to pass within a couple of meters of a patient who has one of the devices installed. The wand flips a software switch that would allow it to accept new instructions.

But the trend is now to go wireless. Several medical manufacturers are now selling bedside transmitters that replace the wand and have a wireless range of up to 30 to 50 feet. In 2006, the U.S. Food and Drug Administration approved full radio-frequency based implantable devices operating in the 400MHz range, Jack said.

With that wide transmitting range, remote attacks against the software become more feasible, Jack said. Upon studying the transmitters, Jack found the devices would give up their serial number and model number after he wirelessly contacted one with a special command.

With the serial and model numbers, Jack could then reprogram the firmware of a transmitter, which would allow reprogramming of a pacemaker or ICD in a person's body.

"It's not hard to see why this is a deadly feature," Jack said.

His research is just beginning. The FDA, he said, just looks at the medical effectiveness of devices and does not do an audit of a device's code.

"My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security of their code and not just the traditional safety mechanisms of these devices," Jack said.

He also found other problems with the devices, such as the fact they often contain personal data about patients, such as their name and their doctor. Other tell-tale signs of sloppy code were also found, such as potential access to remote servers used to develop the software.

"The new implementation is flawed in so many ways," Jack said. "It really needs to be reworked."

Jack is developing "Electric Feel," an application with a graphical user interface that would allow a user to scan for a medical device in range. A list will appear, and a user can select a device, such as a pacemaker, which can then be shut off or configured to deliver a shock.

As if this wasn't bad enough, Jack said it is possible to upload specially-crafted firmware to a company's servers that would infect multiple pacemakers and ICDs, spreading through their systems like a real virus.

"We are potentially looking at a worm with the ability to commit mass murder," Jack said. "It's kind of scary."

Ironically, both the implants and the wireless transmitters are capable of using AES (Advance Encryption Standard) encryption, but it is not enabled, Jack said. The devices also have "backdoors," or ways that programmers can get access to them without the standard authentication using a serial and model number.

There a legitimate medical need since without backdoors, you might have to "cut someone open," Jack said. "But if they're going to have a backdoor, at least have it embedded deep inside the ICD core. These are expensive devices."

Jack's presentation was beautifully illustrated in a comic-book like fashion. At one point, a slide showed a man who looked quite similar to former U.S. vice president Dick Cheney, who has long suffered from heart problems. The flaws in the device, Jack said, could mean an attacker could perform "a fairly anonymous assassination" from 50 feet away.

"To me, a laptop doesn't look like a device that is capable of killing someone," Jack said.

Or as an audience member added: "There's no muzzle flash with a laptop."

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts