How safe is your defibrillator? The flight of this question across the Internet earlier this year helped fuel the buzz at the IEEE Symposium on Security and Privacy in Oakland, Calif., in May. In a session unnervingly titled “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” several members of a three-university research team that included IEEE members outlined how implanted defibrillators—which use electrical shocks to jump-start arrhythmic hearts so that they return to beating normally—were vulnerable to hacking.
The team of computer scientists, electrical engineers, and cardiologists were able to obtain private patient information wirelessly from the computer chip in a Medtronic defibrillator; they were then able to get the defibrillator to fire improperly and deplete its battery.
WIRELESS WORRIES
The study began in early 2006 as a way to head off the potential problems that may arise from implantable devices’ relying too heavily on wireless communication. Beyond the 160 000 defibrillators and 250 000 pacemakers implanted each year in the United States alone, there are millions of patients with implanted devices, such as spinal cord stimulators, insulin pumps, and cochlear implants, that rely on wireless technology for monitoring and external control by medical staff. In turn, this communication is taking place over longer distances, meaning hackers could potentially wreak havoc from farther away.
“This is the first paper to demonstrate real security issues with a real common wireless medical device,” says one of the researchers, IEEE Member Tadayoshi Kohno, an assistant professor of computer science and engineering at the University of Washington. The researchers tricked the defibrillator into responding to their signals by recording a real device programmer talking electronically to a defibrillator, then replaying the signals wirelessly back to the defibrillator. On the flip side, the researchers also came up with ways to prevent someone from externally draining the battery—by ensuring that the device is used only for primary therapy and by alerting patients when their device has been reprogrammed.
“These findings will keep us and many others busy for years,” says IEEE Member Kevin Fu, another of the researchers and an assistant professor of computer science at the University of Massachusetts at Amherst.
STRANGE BEDFELLOWS
The research caused ripples, not only for its findings but for the kind of collaboration that was formed—namely one between security architects and physicians. In fact, one of the authors is a cardiologist.
“I saw a lot of open jaws,” says Fu, laughing as he describes the audience reaction to the symposium presentation. “It’s rare for the computer security industry to reach so far into the medical community. Usually, scientists stay in their comfort zone. We spent time in operating rooms, interviewed nurses and doctors—things that computer scientists wouldn’t normally do.”
The immersion paid off for the team, winning it the best paper award at the symposium, which was sponsored by the IEEE Computer Society Technical Committee on Security and Privacy in cooperation with the International Association for Cryptologic Research.
“People appreciated that our work spanned the computer security, technical, and medical communities,” adds Kohno. “There were lots of discussions [at the conference] about how we, as a community, would like to see more cross-disciplinary work between security and other fields.”
The idea is to troubleshoot the devices now, when security risks are small, so that safety features can be built into future models from the start instead of after things go wrong. “Patients should not be alarmed by this work; they are much safer having the devices than not, and the security risks are small,” says another of the researchers, Dr. William Maisel, a cardiologist with Beth Israel Deaconess Medical Center and Harvard Medical School. “They should be comforted that people are thinking of ways to improve the safety of the next generations of these devices.”