
Fatal flaws in ten pacemakers make for Denial of Life attacks

Brit/Belgian research team decipher signals and devise wounding wireless attacks

By Darren Pauli


A global research team has hacked 10 different types of implantable medical devices and pacemakers, finding exploits that could allow wireless remote attackers to kill victims.

Eduard Marin and Dave Singelée, researchers with KU Leuven University, Belgium, began examining the pacemakers under black box testing conditions in which they had no prior knowledge or special access to the devices, and used commercial off-the-shelf equipment to break the proprietary communications protocols.

From the position of blind attackers, the pair managed to hack pacemakers from up to five metres away, gaining the ability to deliver fatal shocks and turn off life-saving treatment.

The wireless attacks could also breach patient privacy, reading device information disclosing location history, treatments, and current state of health.

Singelée told The Register the pair have probed implantable medical devices and pacemakers, along with insulin pumps and neurostimulators, in a bid to improve security understanding and develop lightweight countermeasures.

"So we wanted to see if these wireless attacks would be possible on these newer types of pacemakers, as this would show that there are still security problems almost 10 years after the initial security flaws have been discovered, and because the impact of breaking the long-range wireless communication channel would be much larger as adversaries can be further away from their victim," Singelée says.

"We deliberately followed a black-box approach mimicking a less-skilled adversary that has no prior knowledge about the specification of the system.

"Using this black-box approach we just listened to the wireless communication channel and reverse-engineered the proprietary communication protocol. And once we knew all the zeros and ones in the message and their meaning, we could impersonate genuine readers and perform replay attacks etcetera."

Laboratory setup: A USRP (left) and DAQ with antennas below.

Their work is detailed in the paper On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them [PDF], authored by Marin and Singelée, KU Leuven colleague Bart Preneel, Flavio D. Garcia and Tom Chothia of the University of Birmingham, and cardiologist Rik Willems of University Hospital Gasthuisberg.

The team describes, in limited detail to protect patients, how the wireless communications used to maintain the implantable medical devices can be breached.

"Adversaries may eavesdrop the wireless channel to learn sensitive patient information, or even worse, send malicious messages to the implantable medical devices. The consequences of these attacks can be fatal for patients as these messages can contain commands to deliver a shock or to disable a therapy."

No physical access to the devices is required to pull off the attacks.

The researchers say attackers could install beacons in strategic locations such as train stations and hospitals to infer patient movements, revealing frequented locations, and to infer patient treatment.

Attackers could trigger a reprogramming session in order to grab that data.

Programming flaws relating to the devices' standby energy saving mode allow denial of service attacks to be performed which will keep units in battery-draining alive states through continuous broadcasting of messages over long-range wireless. This could "drastically reduce" the units' battery life, the team says.

The research, like all medical device hacking, has scope limitations that mean mass targeting of pacemakers is not immediately possible. Nor can attacks be extended to many metres.

Another happy fact: the gear required isn't cheap. National Instruments sells its USRP-2920 for US$3670 (£2930, A$4972) and USB-6353 for US$2886 (£2724, A$3910).

The team tells The Register they have been informed that the compromised vendor has issued a patch, but further details are not known.

Medical devices' wireless could be jammed as a stop-gap measure, while the addition of shutdown commands to the devices would best serve as a long-term fix, as would the inclusion of standard symmetric key authentication.
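
As an illustration of what symmetric key authentication buys against the impersonation and replay attacks described above, here is an added sketch (not code from the researchers or any vendor) in which a reader and an implant share a key, every command carries an HMAC tag, and a monotonic counter makes a captured frame worthless the second time. The frame layout, opcode values, tag length and class names are all hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                   # truncated HMAC-SHA256 tag (assumed length)
HEADER = struct.Struct(">IB")  # hypothetical layout: 32-bit counter, 8-bit opcode

def make_tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Programmer:
    """Sender: the external reader/programmer holding the shared key."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def build(self, opcode: int, payload: bytes = b"") -> bytes:
        self.counter += 1  # never reuse a counter under the same key
        body = HEADER.pack(self.counter, opcode) + payload
        return body + make_tag(self.key, body)

class Implant:
    """Receiver: checks the tag first, then freshness, before acting."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def receive(self, frame: bytes) -> str:
        if len(frame) < HEADER.size + TAG_LEN:
            return "reject: short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, make_tag(self.key, body)):
            return "reject: bad tag"      # forged or modified frame
        counter, opcode = HEADER.unpack_from(body)
        if counter <= self.last_counter:
            return "reject: replay"       # captured frame sent again
        self.last_counter = counter
        return f"accept: opcode 0x{opcode:02x}"

def demo() -> list:
    key = bytes(range(32))                # constructed demo key
    programmer, implant = Programmer(key), Implant(key)
    frame = programmer.build(0x10, b"\x01")   # constructed command
    tampered = bytearray(programmer.build(0x10, b"\x01"))
    tampered[4] ^= 0xFF                   # flip the opcode byte in transit
    return [implant.receive(frame), implant.receive(frame),
            implant.receive(bytes(tampered)), implant.receive(b"\x00" * 8)]

if __name__ == "__main__":
    print(demo())
```

In a real device the last accepted counter would have to survive resets, and the key would need to be provisioned per device rather than shared across a product line.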

"We want to emphasise that reverse engineering was possible by only using a black-box approach," the team says. "Our results demonstrated that security-by-obscurity is a dangerous design approach that often conceals negligent designs."

Medical device hacking has picked up pace in recent years, with much work made through the I Am The Cavalry research and activist group. ®
