Three medical schools demonstrate the wireless dangers that can disturb an implantable cardioverter defibrillator like the Medtronic Maximo DR.

Thomas Claburn, Editor at Large, Enterprise Mobility

March 12, 2008

Implantable medical devices like pacemakers seem secure, buried within one's body. But a team of researchers has demonstrated that's not the case.

In a newly published academic paper, computer scientists from the Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington have shown that a combination pacemaker and defibrillator with wireless capabilities, the Medtronic Maximo DR, can be hacked.

"Our investigation shows that an implantable cardioverter defibrillator (1) is potentially susceptible to malicious attacks that violate the privacy of patient information and medical telemetry, and (2) may experience malicious alteration to the integrity of information or state, including patient data and therapy settings for when and how shocks are administered," the paper states.

Such a shock could induce ventricular fibrillation, which is potentially lethal.

Several million pacemakers and defibrillators have been implanted in patients in the United States.

The paper, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," is scheduled to appear in May, as part of the proceedings of the 2008 IEEE Symposium on Security and Privacy. It was co-authored by Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel.

The researchers say they believe that their attempts to reverse-engineer the communications going to and from the Medtronic implantable cardioverter defibrillator represent the first use of software-defined radios in the security community for reverse engineering wireless protocols. The group used the GNU Radio software toolkit to create a radio receiver capable of processing radio waves as defined by software.

In publishing the findings, the researchers are not suggesting that heart patients face significant imminent risk from hackers. They say in a statement published on the research group's Web site, secure-medicine.org, that their findings should not deter patients from accepting these devices if deemed appropriate by a physician.

"We believe that the risk to patients is low and that patients should not be alarmed," the researchers say. "We do not know of a single case where an IMD [implantable medical device] patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs."

Clearly, medical device makers have room for improvement. In his blog post about the findings, security expert Bruce Schneier said, "Of course, we all know how this happened. It's a story we've seen a zillion times before: The designers didn't think about security, so the design wasn't secure."

In an e-mailed statement, Medtronic said wireless security issues have been known for 30 years and that Medtronic pays close attention to such issues. The company said it welcomed the opportunity to address security concerns with regulators and researchers, but noted that "such dialogue must be accurate, balanced and responsible."

"While all implanted devices must use wireless telemetry for programming -- typically in very close range (several inches to several feet) -- the risk of any deliberate, malicious, or unauthorized manipulation of a device is extremely low," Medtronic said. "In fact, to our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide."

Nonetheless, Medtronic said the technology in these devices continues to improve and that the company will continue to incorporate security measures to protect patient safety.
