
ICG Risk Blog - [ Active and passive telemetry attacks against medical implantable devices ]

Active and passive telemetry attacks against medical implantable devices


Attacking medical implantable devices, cardiac or otherwise, is long overdue for examination, as this device class includes:

Wirelessly reprogrammable implantable medical devices (IMDs) such as pacemakers, implantable cardioverter defibrillators (ICDs), neurostimulators, and implantable drug pumps use embedded computers and radios to monitor chronic disorders and treat patients with automatic therapies.

If the device can be interrogated, adjusted or reprogrammed, as most can be, it can be actively attacked. If you are limited to passive scanning, in which the device offers up a serial number or patient information, you can know where its wearer is and possibly gain some insight into the stress and physical condition of the wearer: is the target running, for example?

While the University of Washington computer researchers have not laid out a stepwise attack profile per se, they define passive and active attacks recognizable to any signals intelligence (SIGINT) practitioner. Furthermore, the countermeasures they put forward are susceptible to spoofing techniques and counter-countermeasures:

Since health care is a very sensitive and personal subject for many people, we explicitly choose to deviate from standard practice in the academic security research community and do not describe specific scenarios in which an attacker might compromise the privacy or health of a victim. We also do not discuss the potential impact on patients if an adversary were to carry out an attack in vivo. Rather, when discussing attacks we focus solely on the technical properties of those attacks. In addition, in each case where we identify a vulnerability, we propose a solution or technical direction to mitigate it...

Successful passive and active attacks

Notwithstanding the above, the researchers' successful attack vectors would be recognized by a physician:

Passive attacks:

  • Trigger ICD identification (disclosing ICD presence and details about the device)
  • Disclose cardiac data (by detecting ICD telemetry transmissions)

Active attacks:

  • Change patient name stored on the ICD (on the basis of which a consulting physician might prescribe inappropriate treatment)
  • Reset the ICD clock (changing session timestamps, invoking new programming sessions)
  • Change therapies (the ICD’s responses to cardiac events)
  • Turn off therapies (ICD nonresponsive to threatening cardiac conditions)
  • Induce fibrillation (by invoking surgical implant test modes) even after shutting down all ICD automatic therapies
  • Denial of service attack (battery depletion by forced continuous wireless transmission)

The researchers achieved these results against implantable cardioverter defibrillators (ICDs) with only three classes of adversary, which they describe as follows:

An adversary with a commercial ICD programmer, i.e., an external device commercially produced and marketed for use with ICDs. At least for the programmers with which we have experimented, there are no technological mechanisms in place to ensure that programmers can be operated only by authorized personnel.

A passive adversary who eavesdrops on communications between the ICD and a commercial programmer. This adversary can record RF messages output by ICDs and programmers. This adversary might use standard or custom-built equipment, including oscilloscopes, software radios, amplifiers, and directional antennas.

An active adversary who extends the passive adversary with the ability to generate arbitrary RF traffic, not necessarily conforming to the expected modulation schemes or FCC regulations. This attacker may interfere with legitimate transactions or create spurious ones by, e.g., spoofing a commercial programmer.

For the purposes of this research we assume that ICDs are honest and that they attempt to follow the protocols as specified; we do not experiment with adversarial actions that employ (possibly fake) ICDs to compromise or otherwise adversely affect the operation of commercial programmers.

The authors did not attempt to pursue "attack vectors against IMDs, such as insecure software updates or buffer overflow vulnerabilities," but given that virtually every hardware/software combination appears prone to such flaws, attacks of that kind against implantable devices should also be possible. They note that any use of cryptographic keys will have to balance security against the medical threat of an unavailable key hindering emergency treatment. Encryption mechanisms can also cause excessive power consumption and are prone to "spurious wake-ups or a cryptographic authentication process" that intentionally drains power.

The authors' three zero-power defense postures strike this analyst as running out of ammunition during a firefight: if the target is already under attack, harvesting induced RF energy to audibly alert the patient of a security event has little merit. Because they approach the subject as investigators rather than as SIGINT analysts, they do not address spoofing and counter-countermeasures. While proposing a key protocol, the authors then understandably steer around the thorny issue of key management for any encryption strategy.

Operational issues unaddressed

Effective attack range is an issue for the moment, but the same attack profiles used to capture RFID data from passports and credit/ID cards (waiting by a door or portal, walking through a crowd, etc.) are more immediately applicable. (Also here.)

Attacking implant devices has the potential to be a useful denial weapon, frightening away those who have such devices implanted. (One already sees signs warning patients that potentially damaging RF signals are likely to be broadcast.) Used without warning, it makes an interesting area attack weapon, especially in the vicinity of a hospital.

If an implant wearer is taken prisoner, with captors close at hand and any technology they wish, he or she falls prey to an exquisite torture instrument that leaves no external physical effects.

Misleading, even dangerous press comments

It was startling to read a New York Times reporter out of his depth with this erroneous comment:

The report, to be published at, makes clear that the hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts (they include Vice President Dick Cheney) have no need yet to fear hackers. The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals. And the device the researchers tested, a combination defibrillator and pacemaker called the Maximo, was placed within two inches of the test gear.

I read the report and it says no such thing. To a reader with a military signals intelligence (SIGINT) background, the effort required to determine the phase modulation (differential binary phase shift keying, DBPSK) and the symbol rate (pulse repetition frequency, PRF) was trivial. An "eavesdropper" (passive intercept unit) was built using the "Universal Software Radio Peripheral (USRP) in concert with the open source GNU Radio libraries." As the authors note, "Even without knowledge of the semantics of the packet format, these data are easily extractable":

The personal data transmitted in cleartext include the patient’s name, date of birth, medical ID number, and patient history. Equally easy to find are the name and phone number of the treating physician, the dates of ICD and lead implantation (which may differ), the model, and the serial number of the ICD and leads. This list is not exhaustive; we observed other items of personally identifying data being transmitted in cleartext. [And] for the fields we manipulated via reprogramming attempts, these fields are sent in the clear from the programmer to the ICD.
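To make concrete why the modulation itself offered no protection, here is a minimal DBPSK modem written for this post (it is not the researchers' GNU Radio eavesdropper; the 8 samples per symbol and the sample strings are constructed). Each bit is carried by the phase change between consecutive symbols, so a receiver that simply compares each symbol with its predecessor recovers the bits without knowing the transmitter's carrier phase, and whatever was sent in cleartext comes out as cleartext.

```python
import cmath
import math

# Constructed parameter for this example: samples per symbol is arbitrary here.
SAMPLES_PER_SYMBOL = 8


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    """Pack an MSB-first bit list (multiple of 8) back into bytes."""
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - 7, 8))


def dbpsk_modulate(data, carrier_phase):
    """Differential encoding: a 1 bit flips the phase by pi, a 0 bit keeps it.

    carrier_phase is the transmitter's starting phase; the receiver never
    learns it, which is the point of the demonstration.
    """
    phase = carrier_phase
    # A reference symbol first, so the first data bit has something to differ from.
    samples = [cmath.rect(1.0, phase)] * SAMPLES_PER_SYMBOL
    for bit in bytes_to_bits(data):
        if bit:
            phase += math.pi
        samples += [cmath.rect(1.0, phase)] * SAMPLES_PER_SYMBOL
    return samples


def dbpsk_demodulate(samples):
    """Recover the payload by comparing each symbol with the previous one."""
    # Average each symbol period down to one complex sample (crude matched filter).
    symbols = [sum(samples[i:i + SAMPLES_PER_SYMBOL]) / SAMPLES_PER_SYMBOL
               for i in range(0, len(samples), SAMPLES_PER_SYMBOL)]
    bits = []
    for prev, cur in zip(symbols, symbols[1:]):
        # cur * conj(prev) has the phase difference as its angle; a pi flip
        # lands near -1 on the real axis, no flip near +1.
        bits.append(1 if (cur * prev.conjugate()).real < 0 else 0)
    return bits_to_bytes(bits)
```

The absolute carrier phase passed to `dbpsk_modulate` drops out entirely at the receiver, which is why the mitigation lies in encrypting and authenticating the payload, as the authors propose, rather than in the choice of modulation.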

The IEEE paper is quite accessible despite its technical content. Reading through the neutral technical verbiage, I got the reverse impression to that carried in the Times: I felt that the researchers were surprised at the ease of their chosen attack vectors. Furthermore:

  • Equipment can be stolen (and the researchers provide a shopping list for any researcher who tinkers with hardware).
  • The analysis effort has already been done and published in the report; others have only to cobble together a crude attack platform.
  • A high value target such as VPOTUS Cheney would be worth the effort.
  • Anti-terrorist efforts would tend to be looking for explosives instead of the tools for an RF attack.

The takeaway should be that this is a long overdue exploit vector that should be taken more seriously.

A Heart Device Is Found Vulnerable to Hacker Attacks
New York Times
March 12, 2008

Researchers find implantable cardiac defibrillators may expose patients to security and privacy risks; potential solutions suggested
University of Washington press release
March 11, 2008

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses
Tadayoshi Kohno, Kevin Fu, William H. Maisel, Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, and Will Morgan
University of Washington and University of Massachusetts Amherst
Research paper reviewed and accepted for presentation at the 2008 IEEE Symposium on Security and Privacy
March 2008

RFID passports with improper shielding triggers bomb in simulation
Posted by George Ou, August 9, 2006, 12:17 am

Gordon Housworth
