Beware hacking of implanted medical devices

LAS VEGAS -- Wireless security experts have another area to worry about: embedded medical devices that communicate with the world outside the body via radio waves, speakers at Black Hat warn.

The potential exists for attackers to reset the devices, steal personal data that is stored on them and run down their batteries, forcing patients to have replacement surgery sooner than would otherwise be necessary, say Tadayoshi Kohno, an assistant professor of computer science and engineering at the University of Washington, and Kevin Fu, an assistant professor in the Department of Computer Science at the University of Massachusetts Amherst.

While they see no immediate threat to patients, the professors call for the U.S. Food and Drug Administration and possibly the Federal Communications Commission to get involved with making sure the devices are secure.

Malicious parties have already randomly attacked people with epilepsy by introducing malware on epilepsy Web sites that flicker at a frequency that can cause seizures, so it's not much of a stretch to imagine someone randomly attacking the embedded devices, Fu said.

Fu and Kohmo said they have hacked a cardiac defibrillator using a programmable radio and some reverse engineering and can identify other ways hackers might access such devices. They hacked a 2003 model, and vendors may have since made changes, but some fundamental problems still exist.

These include authenticating machines and individuals trying to access the devices, which is difficult because in an emergency when a patient is out of town, emergency medical technicians won't have the appropriate credentials. Being locked out could be life threatening, the researchers said.

They propose a separate device to authenticate outside devices and then relay outside traffic to the defibrillator via a wired connection. The separate device could be run using an RFID tag that would get power from the device contacting it, Fu said. The patient could be warned about attempts to connect to the defibrillator via an audible beep or a vibration and decide whether malicious behavior was underway.

If the auxiliary device failed, it would fail open so the embedded device could still be contacted.

They proposed a second device called a cloaker that would be worn as a bracelet and would block access to the device but contain data on how to access it. When the cloaker is removed, the device would fail open and trigger an alert to let the patient know.

Fu and Kohmo said they captured the traffic between an embedded cardiac defibrillator and its external programmer machine and then mimicked the traffic using a programmable radio in a replay attack. Others could carry out similar attacks if they stole legitimate programmer machines, they said..

Other implanted devices that rely on wireless communication include insulin pumps, cochlear imlants, neurostimulators, pacemakers and even prosthetic limbs.