FortiGuard Labs Threat Research
X-ray image of installed pacemaker showing wire routing - Image from Wikipedia
Recently, journalists reported a man had been charged with arson using data retrieved from his own pacemaker (see here). One article showed a "funny" image of a man's chest with stitches to insert or access the pacemaker. This, and the comments, led me to some research on pacemakers.
Pacemakers transmit data over radio frequencies. They typically use the 402-405 Mhz band which is assigned to Medical Implant Communications (MICS). Transmission is triggered either by approaching a magnet to the pacemaker (this closes an inner switch and triggers RF transmission) or by sending an appropriate RF wave pattern.
I had heard that pacemakers were now connected, wireless, etc. Much of this, however, is more or less wrong, at least in the way we computer science people mean it.
Decades ago, pacemakers would only pace at a given speed. If the patient's heart dropped below a given value, the pacemaker would activate and assist the heart. Today, pacemakers are rate-responsive. For instance, if you are climbing up stairs, a pacemaker will detect the additional stress and quicken its pace so that your body gets the "power" it needs.
Normally, pacemakers are made of:
Because these leads can sometimes cause medical issues and because leads require surgery to be fixed onto the patient's heart, researchers have come up with a new solution: wireless pacemakers (or as they are more technically named, Wireless Cardiac Stimulation Systems WiCS.) However, in this case, wireless means without leads, and does not refer to WiFi... Some manufacturers actually refer to these devices as lead-less pacemakers, which is less confusing to computer science people ;)
The definition of Internet of Things (IoT) is often vague. At the least, for an object to qualify as an IoT device it needs to be connected to Internet at some point.
In the most obvious cases, the connection is direct: an IP webcam, or an IP-connected smart fridge or smart coffee maker. In some other cases, the connection is indirect. For example, sports trackers that send information to the Internet via smartphones are considered to be IoT devices.
A pacemaker’s connection to the Internet is very indirect. They only know RF, so they communicate via RF to a stationary unit (e.g. Merlin@Home transmitter etc.) usually close to the patient's bed. The unit then transmits the data over a phone line to a medical network (e.g. Merlin.Net Patient Care Network, Biotronik Service Center...) Only then is the data attached to a medical network that is accessible on the Internet where is typically accessed by physicians.
This sounds like 80's or 90's technology, and quite far from today’s idea of IoT, right?
Naturally, vendors are shifting towards newer technology, and we can now find Android applications for pacemakers. Oh? So, they are connected in the end? Well, no, they are not. This is how it works in that case. The Android application comes with a mobile RF reader. The patient puts the reader close to his/her chest. The pacemaker then sends data via RF to the mobile reader. The mobile reader then sends data via Bluetooth to the smartphone (by the way, I checked in the application: the communication is encrypted with AES-CCM.) Then, the smartphone sends the data, along with user credentials to a remote server (via HTTPS).
So, while I had heard that pacemakers were now supporting Bluetooth, unless I missed it, this is the only scenario I found that involves Bluetooth. As near as I can tell, Pacemakers do not support Bluetooth (for now). The use of the mobile reader and app is simply a commodity of convenience so the patients do not have to carry a stationary unit around with them, and it allows them to use their mobile phone network instead a regular phone line.
So, is that IoT? I'll let you decide. But, for me, it's really borderline. It's close to some SCADA systems, which although not theoretically connected to Internet, still actually are in the end through some roundabout networking side effects.
In the end, however, we don't really care whether pacemakers are IoT or not, do we? What's really important is whether an attacker can attack a pacemaker locally or remotely over Internet - listen to Marie Moe's talks for background on hacking pacemakers.
In this regard, the research timeline below should answer the question:
Going back to the arsonist case at the start of this blog, I initially wondered if the data from the pacemaker could have been tampered with. It's an important point, especially if the data is going to be used in court...
In my humble opinion, everything is hackable. It's just a question of time, luck and skill. So, yes, the data can be tampered with. Was it? Probably not, because there are currently no known attacks or research that demonstrate the modification of pacemaker data. Does that mean that the pacemaker data proves the suspect set fire to his house? That's not for me to answer.
Finally, though I absolutely condemn arson, I am surprised one's pacemaker can be turned "against" one's self. Do pacemaker holders sign a form where they accept that the pacemaker can be used for legal actions? Does this cross the line protecting suspects from incriminating themselves? Using the device's data sounds a lot like involuntary polygraph testing...
-- the Crypto Girl