redOrbit Staff & Wire Reports – Your Universe Online
The sensors used by implanted cardiac defibrillators and pacemakers to detect the rhythm of a person's beating heart are vulnerable to computer hackers, say researchers from the US and South Korea.
Implanted defibrillators monitor the heart for irregular beating and administer an electric shock to restore normal rhythm when needed. Pacemakers use electrical pulses to continuously maintain the heart's rhythm. Both types of cardiac devices can be tampered with externally and digitally, according to research scheduled for presentation on May 20 at the IEEE Symposium on Security and Privacy in San Francisco.
Researchers from the University of Michigan, University of South Carolina, Korea Advanced Institute of Science and Technology, University of Minnesota, University of Massachusetts and Harvard Medical School report that they were able to use radio frequency electromagnetic waves to create an erratic heartbeat in simulated human models.
In theory, they say, such a fake signal could interfere with the operation of cardiac health devices by preventing necessary pacing operations or creating unneeded — and extremely painful — defibrillation shocks. However, the investigators emphasize that they know of no real-world instances in which a hacker has successfully corrupted an implanted heart device, and that it would be exceptionally difficult for anyone to actually do so.
“Security is often an arms race with adversaries,” said Wenyuan Xu, assistant professor of computer science and engineering at the University of South Carolina. “As researchers, it’s our responsibility to always challenge the common practice and find defenses for vulnerabilities that could be exploited before unfortunate incidents happen. We hope our research findings can help to enhance the security of sensing systems that will emerge for years to come.”
According to the researchers, this is not the first time that vulnerabilities in implantable medical devices have been discovered. However, the findings demonstrate previously unknown security risks in fairly common “analog” sensors, which rely on the human body or the surrounding environment to trigger specific functions. Analog sensors are also typically used in Bluetooth headsets and in computers used for web-based phone calls, they added.
Denis Foo Kune, a postdoctoral researcher at the University of Michigan who will present the findings, said that analog devices typically trust the information received from their sensors, and that this path tended to be weak and exploitable. While the researchers note that these medical systems do have security mechanisms, those mechanisms are bypassed by the information received by the devices' sensors.
The investigators tested both cardiac defibrillators and pacemakers in open air in order to determine which types of radio waveforms could interfere with their normal functions. Next, they exposed the medical devices to those waves in both a saline bath and a patient simulator, and discovered that a person's body shields the devices from the ill effects of the radio waveforms to a large degree. In fact, their findings suggest that a hacker would need to be about two inches away from a patient in order to interfere with their cardiac instruments.
“People with pacemakers and defibrillators can remain confident in the safety and effectiveness of their implants,” said Kevin Fu, an associate professor of electrical engineering and computer science at the Ann Arbor, Michigan-based university.
“Patients already protect themselves from interference by keeping transmitters like phones away from their implants. The problem is that emerging medical sensors worn on the body, rather than implanted, could be more susceptible to this type of interference.”