Friday, March 14, 2008

Hacking an ICD - A Dual Medical Informatics/Ham Radio Perspective

Roy Poses wrote at "Hacking an ICD" that:

An ICD is a device whose correct operation is critical for the health and safety of patients in whom it is implanted. One would think that the managers responsible for the design of such devices would have pushed to make sure that the operation of such devices could not be hacked or accidentally altered in ways that could put patients' health and lives at risk.

Indeed.

It is probably not well known that in addition to being a Medical Informaticist, I am also a ham radio enthusiast, licensed at the Extra class. I know more about electronics than most physicians - and most IT people in hospitals to boot, although that often didn't matter in the dysfunctional world of hospitals and health IT.

As a medical informaticist and ham radio operator, I am concerned by the possibility of hacking implantable medical devices at longer range than the researchers recently achieved.

Apparently ICDs use a frequency of about 175 kHz for data communications. 175 kHz is in a band known as longwave. For comparison and orientation, the bottom of the familiar medium wave band (ordinary AM radio) is 520 kHz.

(An aside for those interested: shortwave starts at about 1,800 kHz (1.8 MHz) and extends to about 30,000 kHz (30 MHz). It is called "shortwave" for historical reasons; the actual wavelengths are approximately 160 meters to 10 meters, which were considered "short", comparatively speaking, in the early days of radio. The shortwaves have the property, under proper conditions, of being refracted back to earth by the ionosphere and reflected by the earth itself. This allows the waves to make "multiple hops" and propagate over distances far in excess of line-of-sight, even around the world. Hence the ability of ham radio enthusiasts to talk to people all over the world on the shortwave bands allocated to them.)

When I was 13 years old I built a one-transistor transmitter on a cigar box, from a Heathkit plan, that transmitted low-power Morse code at a frequency of about 550 kHz. It ran off a few AA batteries and used a short wire as an antenna. It was easily receivable on a radio across the house.

The first cordless phones (ca. early 1980s), wireless baby monitors, and other devices operated at about 1,700 kHz, just above the AM radio band. They were very low-power devices with antennas that were short relative to the wavelength (~175 meters), yet they were usable dozens of feet from their base units.

Using an antenna, say, the size of a CB whip (loaded electrically to resonate at 175 kHz: not very efficient, but usable), or better still a directional loop antenna, together with a transmitter of 5, 10 or perhaps 100 watts (not very hard to build) and a sensitive receiver designed for those frequencies (my $150 retail Grundig Yacht Boy, http://www.eham.net/reviews/detail/816, is an example) with modifications and a suitable low-noise receiving antenna, would potentially extend the range of communications with RF-controlled implantable devices.

Not to miles with any type of portable equipment, I should add, because of the inefficiency of very short antennas (relative to wavelength) and the low power of the ICD's transmitter, but tens of feet might be possible. Add digital signal processing on the hacker's receiver, available in common, cheap, off-the-shelf DSP chips and algorithms, and even more range would be likely. You would be surprised at what a DSP-equipped or computer-enhanced receiver can pull out of the "ether" even under extremely poor signal conditions.
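To put the "short antenna relative to wavelength" argument in numbers, here is an added worked example that is not part of the original post. It computes free-space wavelength and the radiation efficiency of an electrically short vertical whip using the textbook small-monopole approximation; the 2.7 m whip height and the 10 ohm loss resistance (loading coil plus ground) are assumed values, not figures from the post.

```python
import math

C = 299_792_458.0  # speed of light in vacuum, m/s


def wavelength_m(freq_hz: float) -> float:
    """Free-space wavelength in metres for a frequency in Hz."""
    return C / freq_hz


def is_electrically_short(height_m: float, freq_hz: float) -> bool:
    """True when the antenna is well under a tenth of a wavelength tall,
    the regime in which the small-monopole formula below is valid."""
    return height_m / wavelength_m(freq_hz) < 0.1


def short_monopole_radiation_resistance(height_m: float, freq_hz: float) -> float:
    """Radiation resistance (ohms) of an electrically short vertical monopole
    over a good ground, assuming the usual triangular current distribution:
        R_r ~= 40 * pi^2 * (h / lambda)^2
    Raises ValueError outside the short-antenna regime, where a quarter-wave
    whip (e.g. a CB whip at 27 MHz) needs the full-length formula instead."""
    if not is_electrically_short(height_m, freq_hz):
        raise ValueError("formula valid only for electrically short antennas")
    ratio = height_m / wavelength_m(freq_hz)
    return 40.0 * math.pi ** 2 * ratio ** 2


def radiation_efficiency(height_m: float, freq_hz: float, loss_ohms: float) -> float:
    """Fraction of transmitter power that is actually radiated:
    R_r / (R_r + R_loss). loss_ohms is an assumed coil-plus-ground loss."""
    r_rad = short_monopole_radiation_resistance(height_m, freq_hz)
    return r_rad / (r_rad + loss_ohms)


def efficiency_table(height_m: float, loss_ohms: float, freqs_hz) -> dict:
    """Efficiency for one whip at several frequencies, keyed by frequency."""
    return {f: radiation_efficiency(height_m, f, loss_ohms) for f in freqs_hz}


if __name__ == "__main__":
    WHIP_M, LOSS_OHMS = 2.7, 10.0          # assumed: CB-whip height, coil+ground loss
    for f, eff in efficiency_table(WHIP_M, LOSS_OHMS, [175e3, 550e3, 1.7e6]).items():
        print(f"{f/1e3:8.0f} kHz  lambda={wavelength_m(f):7.1f} m  "
              f"R_r={short_monopole_radiation_resistance(WHIP_M, f):.2e} ohm  "
              f"efficiency={eff*100:.4f} %")
```

At 175 kHz the same whip radiates roughly a hundredth of what it does at 1,700 kHz (efficiency scales with the square of frequency while the antenna stays electrically short), which is the physics behind "tens of feet, not miles".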

One wonders whether any ICDs' transmitters and receivers use encryption at all; apparently the devices tested did not. My car key fob does, although even those can be hacked (e.g., "Prius Security System Cracked", http://www.treehugger.com/files/2007/08/a_talk_given_at.php):

A talk given at the computer security conference, CRYPTO 2007, explained how the key-fob system installed on the Toyota Prius has been cracked. The KeeLoq auto anti-theft cipher is used in common devices made by Microchip Technology Inc, which are also used by Chrysler, Daewoo, Fiat, General Motors, Honda, Volvo, Volkswagen, and Jaguar. The attack requires that the thief gets within range of your RFID keyfob, in order to break the encryption. This could mean stealing your keys, or just sitting next to you in a cafe with a laptop. The cipher used in these devices is 64 bit, which has always been theoretically possible to break, but has now been shown to be breakable in about an hour. This is important, because the shorter the amount of time required with the key, the more likely this attack is to become used outside of a research lab.

May I add that while encryption is not foolproof, lack of encryption seems the work of fools.

On a somewhat unrelated note, for $30 you can buy a wristwatch that picks up time-setting signals from an atomic clock via station WWVB, Fort Collins, Colorado (http://en.wikipedia.org/wiki/WWVB) on the longwave frequency of 60 kHz. I have one, and in Philadelphia it works well.

Some hams bounce signals off the moon for earth-moon-earth communications. They use high power, high gain antennas, and very low noise receivers. It works quite well.

Never underestimate what can be done at RF.

On one (predictable) industry response:

Medtronic's Rob Clark said the company's devices had carried such telemetry for 30 years with no reported problems. 'This is a very low-risk event for patients that have these devices,' Clark said in a telephone interview.

It would have been just a bit harder to hack a computerized device 30 or 20 or even 10 years ago. When kids can buy a laptop with computing power exceeding that of the Cray supercomputer for $500 and crack into, say, the Pentagon's systems, we are indeed living in different times.

Dr. Poses also wrote that:

The most charitable explanation for why they [the manufacturers] did not think to [engineer ICD's to be exceptionally hacker-proof] is that they really did not understand the clinical context in which this device would be used.


I think a better explanation is that the manufacturers' management has little imagination and underestimates the capabilities of people much smarter and more creative than themselves (e.g., tech-savvy kids). It would not surprise me to find engineering memos warning management that more safeguards needed to be incorporated, only to be asked "What's the ROI?"

The bottom line is: manufacturers might need to work a little harder when they deploy wireless devices, as hacking of gadgets and computerized equipment such as cell phones seems to be an increasingly common pastime for today's youth. (It's too bad ham radio is itself losing numbers as the previous generation ages and dies out.) The internet itself is used to spread techniques and malicious code among hackers.

One can imagine the consequences of a malicious RF device hacker or smart-but-delinquent kid in, say, a crowded shopping mall.

Finally, ham radio experimenters worldwide are not unfamiliar with longwave experimentation. Note in particular the bolded statement below:

With no Amateur Radio low-frequency [longwave -ed.] allocation in North America, stations operating under FCC Part 5 Experimental licenses in the US or under special experimental authorizations in Canada nonetheless continue to research the nether regions of the radio spectrum. By and large, LF experimentation is occurring in the vicinity of 136 kHz--typically 135.7 to 137.8 kHz--where amateur allocations already exist elsewhere in the world. The FCC rejected the ARRL's 1998 petition for LF allocations at 135.7 to 137.8 kHz and 160 to 190 kHz, however, after electric utilities objected that ham radio transmissions might interfere with power line carrier (PLC) signals used to control the power grid.

"Most of the new LF activity of Part 5 licensees has been in the shared 137 kHz amateur allocation available in some parts of the world," says low-frequency experimenter Laurence Howell, KL1X/5. "Although not in the Amateur Radio Service, these Part 5 experimental stations continue to add to our knowledge on propagation and engineering."

The holder of Part 5 Experimental license WD2XDW, Howell who's also GM4DMA, previously operated LF from Alaska. He's since relocated to Oklahoma, and has now resumed his LF work on 137.7752 and 137.7756 kHz. Already he's reporting some spectacular success, despite antenna limitations. On October 28, New Zealand LFer Mike McAlevey, ZL4OL, copied WD2XDW's 137 kHz carrier "bursts" over a path of more than 13,000 km (8000 miles).


The take-away message is that:

  • In biomedicine, the most meticulous resilience engineering is never a bad idea.

When drug and device manufacturers understand this fully, perhaps we will no longer have incidents of bad health informatics that can kill.

-- SS

4 comments:

Anonymous said...

Instead of asking the "WHAT" you need to ask the "WHY".

Why would somebody invest the time/energy/money to hack into some guy's pacemaker or ICD? There are far easier ways to kill people and it's really not clear that screwing up the programming on a pacemaker/ICD would really be a high yield way to kill someone anyway.

I guess another use for hacking an ICD is to glean private medical information. But again that seems low yield and an expensive way to get the same info you could get out of digging through hospital trash or sneaking peeks at medical charts inside the hospital.

One comment about implanted electronic devices. I work in MR pulse sequence programming which requires a strong base in math, physics, and RF/EMF. Sticking a random ICD into an MR scanner and cranking it up can indeed cause interference; however, when it's implanted inside the body, the chest wall serves as a natural EMF shield which drastically decreases the probability of external EMF influence. Our lab found that once implanted, the chances of interference drop by almost 3 orders of magnitude. This was done in a 3T environment with active gradient switching and high RF loads as well, which is about the most EMF intensive environment that you are going to find on the planet.

MedInformaticsMD said...

Instead of asking the "WHAT" you need to ask the "WHY". Why would somebody invest the time/energy/money to hack into some guy's pacemaker or ICD?

First, let's agree that the likelihood is low.

That said:

Do you really mean you cannot answer your own question?

Why do people invest the time and energy (and take the risk) of spreading malicious computer code?

Why do people tailgate and drive recklessly?

People do the darndest things. You'd be amazed at the stories we hear in ERs, for example.

Our lab found that once implanted, the chances of interference drop by almost 3 orders of magnitude. This was done in a 3T environment with active gradient switching and high RF loads as well, which is about the most EMF intensive environment that you are going to find on the planet.

Thanks. I'm not very concerned about external, random RF/EMF sources as a problem.

In fact I mentioned the power grid issue to show how another industry's concerns (on an unlikely possibility, ham radio operators running low power at longwave causing interference to powerline carrier signals) led to action by the electric utilities "just in case."

In the practice of medicine, there's a rule. Get complacent, and your patient's dead.

fairhavenhorn said...

This is more of a tempest in a teapot. From a safety perspective the reports indicate a good job with maybe (just maybe) a minor problem.

First, you are right about there being a world of RF interference. The reports indicate that this was considered. The ICD's RF receiver is usually disabled when a strong magnet is missing. (My guess is that they incorporated a safety relay.)

This deals with the primary RF concern. You do not want accidental interference. It is conceivable that installing a microwave oven (or any other transmitter) might interfere with devices. They considered that, and the reports indicate that this danger was properly protected against.

The remaining danger (if it exists) is that of intentional harm. This kind of risk is different. There is a world of possible methods for inflicting intentional harm. There are automobiles, poisons, bombs, knives, etc. Inside a hospital there are many more ways to inflict intentional harm.

In assessing this risk, you have to consider many things. First, there is the question of what is your duty to protect against intentional harm. Someone who needs an ICD is at much greater risk of harm from various poisons. But, we do nothing about that. They are also less likely to survive an automobile crash, knife wound, bomb, etc. We do nothing about that. We don't even give them a crash helmet. There is the question whether the ICD itself actually increases the risk of intentional harm. The testers found a way to bypass the magnetic protective switch on a bench test. In some devices, there are parts removed and disabled during surgery as part of the installation. These are there for last minute programming. The reports are unclear whether that is the case here.

If it is not disabled during surgery, there may be a reason to leave the programming ability there. I don't know whether the danger from that reason is greater than the danger of intentional harm. If not, future versions could be modified to make sure that the magnetic safety switch covers that programming mode also.

Encryption is very unlikely to be the proper answer. As you have pointed out, computer equipment available is many orders of magnitude faster. The processor in the ICD needs to operate for years off a tiny battery. It is a puny little thing compared with the massive computer power at the disposal of the attackers. Approaches like the magnetic safety switch are much more appropriate.

Also, you need to deal with the environment of intentional harm. I have seen intentional harm by crackers who wanted zombie PCs for other purposes. They were not intending to harm the patients. They were intending to take over general purpose computers. The ICDs do need to remain obviously not useful to those crackers. The email trojans, etc. have very poor ability to assess their targets. The ICD needs to remain obviously not a useful PC, and so far they have done so.

This makes it much more likely that the ICD owner will be targeted using autos, poisons, bombs, etc.

MedInformaticsMD said...

This makes it much more likely that the ICD owner will be targeted using autos, poisons, bombs, etc.

Indeed. I agree with this and much of what you wrote. However, I discussed this issue with an engineering expert, Felix Fulmer, who points out the following:

The managers overseeing the space shuttle Challenger's booster didn't think exhaust blowby at the O-rings sealing the joints between the solid rocket booster (SRB) segments would be a high risk, nor did the managers and engineers overseeing the Columbia think a little piece of foam could lead to catastrophe.

Remember, all it takes is one mischievous hacker who doesn't have to be any smarter or talented than, say, Tim McVeigh.

One needs to balance low risk vs. cost of elimination of that risk, of course.

Personally, unless the cost were paralyzing, I'd rather that manufacturers of biomedical devices tended towards the side of caution, as opposed to the ideology of "proof by lack of evidence" that someone might actually attempt such a thing.

As this issue is really in the realm of one's philosophy about risk mitigation and is not resolvable via short discussions, I am closing this comment thread.