Hacking an ICD - A Dual Medical Informatics/Ham Radio Perspective

Roy Poses wrote at "Hacking an ICD" that:

An ICD is a device whose correct operation is critical for the health and safety of patients in whom it is implanted. One would think that the managers responsible for the design of such devices would have pushed to make sure that the operation of such devices could not be hacked or accidentally altered in ways that could put patients' health and lives at risk.

Indeed.

It is probably not well known that in addition to being a Medical Informaticist, I am also a ham radio enthusiast, licensed at the Extra class. I know more about electronics than most physicians - and most IT people in hospitals to boot, although that often didn't matter in the dysfunctional world of hospitals and health IT.

As a medical informaticist and ham radio operator, I am concerned by the possibility of long(er) range hacking of implantable medical devices than that accomplished by researchers recently.

Apparently ICD's use a frequency of about 175 kHz for data communications. 175 kHz is in a band known as longwave. For comparison and orientation, the bottom of the familiar medium wave band -- a.k.a. ordinary AM radio-- is 520 kHz.

(An aside for those interested: shortwave starts at about 1,800 kHz or 1.8 MHz and extends to about 30,000 kHz or 30 MHz, and is called "shortwave" for historical reasons; the actual wavelengths are appx. 160 meters to 10 meters. These wavelengths were considered "short", comparatively speaking, in the early days of radio. The shortwaves have the property, under proper conditions, of being refracted back to earth by the earth's ionosphere and can be reflected by the earth itself. This allows the waves to do "multiple hops" and propagate over great distances far in excess of line-of-sight, even around the world. Hence the ability of ham radio enthusiasts to talk to people all over the world on the shortwave bands allocated to them.)

When I was 13 years old I built a one-transistor transmitter on a cigar box from a plan by Heathkit that transmitted low power morse code at a frequency of about 550 kHz. It ran off a few AA batteries and used a short wire as an antenna. It was easily receivable on a radio across the house.

The first cordless phones ca. early 1980s, wireless baby monitors, and other devices operated at about 1,700 kHz, just above the AM radio band. They were very low power devices with short antennas relative to wavelength (~175 meters) but were usable at dozens of feet from their base units.

Using an antenna, say, the size of a CB whip (properly loaded electrically to resonate at 175 kHz, not very efficient but usable), or even better, a directional loop antenna, plus a transmitter of 5 or 10 or, perhaps, 100 watts of power (not very hard to build), and using a sensitive receiver designed for those frequencies (my $150 retail Grundig Yacht Boy is an example, http://www.eham.net/reviews/detail/816) with modifications and a suitable low-noise receiving antenna, would potentially extend the range of communications with RF-controlled implantable devices.

Not to miles with any type of portable equipment, I should add, due to efficiency issues with very short antennas (relative to wavelength) and the low power of the ICD's transmitter, but tens of feet might be possible. Throw in digital signal processing on the hacker's receiver, which is available via common, cheap, off-the-shelf DSP chips and algorithms, and even more range would be likely. You would be surprised at what a DSP-equipped and/or computer-enhanced receiver can pull out of the "ether" even under extremely poor signal conditions.

One wonders if any ICD's transmitter and receiver are encrypted in any way - apparently the devices tested were not. My car FOB is, although even those can be hacked (e.g., "Prius Security System Cracked", http://www.treehugger.com/files/2007/08/a_talk_given_at.php):

A talk given at the computer security conference, CRYPTO 2007, explained how the key-fob system installed on the Toyota Prius has been cracked. The KeeLoq auto anti-theft cipher is used in common devices made by Microchip Technology Inc, which are also used by Chrysler, Daewoo, Fiat, General Motors, Honda, Volvo, Volkswagen, and Jaguar. The attack requires that the thief gets within range of your RFID keyfob, in order to break the encryption. This could mean stealing your keys, or just sitting next to you in a cafe with a laptop. The cipher used in these devices is 64 bit, which has always been theoretically possible to break, but has now been shown to be breakable in about an hour. This is important, because the shorter the amount of time required with the key, the more likely this attack is to become used outside of a research lab.

May I add that while encryption is not foolproof, lack of encryption seems the work of fools.

On a somewhat unrelated note, you can buy a wrist watch that picks up time-setting signals from an atomic clock via station WWVB, Fort Collins, Colorado (http://en.wikipedia.org/wiki/WWVB) at long wave frequency 60 Khz for $30. I have one and in Philadelphia, it works well.

Some hams bounce signals off the moon for earth-moon-earth communications. They use high power, high gain antennas, and very low noise receivers. It works quite well.

Never underestimate what can be done at RF.

On one (predictable) industry response:

Medtronic's Rob Clark said the company's devices had carried such telemetry for 30 years with no reported problems. 'This is a very low-risk event for patients that have these devices,' Clark said in a telephone interview."

It would have been just a bit harder to hack a computerized device 30 or 20 or even 10 years ago. When kids can buy a laptop with computing power exceeding that of the Cray supercomputer for $500 and crack into, say, the Pentagon's systems, we are indeed living in different times.

Dr. Poses also wrote that:

The most charitable explanation for why they [the manufacturers] did not think to [engineer ICD's to be exceptionally hacker-proof] is that they really did not understand the clinical context in which this device would be used.

I think a better explanation is that the manufacturers' management has little imagination and underestimate the capabilities of people much smarter and more creative than themselves (e.g., tech-savvy kids). It would not surprise me to find engineering memos warning management that more safeguards needed to be incorporated, only to be asked "What's the ROI?"

The bottom line is: manufacturers might need to work a little harder when they deploy wireless devices, as hacking of gadgets and computerized equipment such as cell phones seems to be an increasingly common pastime for today's youth. (It's too bad ham radio is itself losing numbers as the previous generation ages and dies out.) The internet itself is used to spread techniques and malicious code among hackers.

One can imagine the consequences of a malicious RF device hacker or smart-but-delinquent kid in, say, a crowded shopping mall.

Finally, ham radio experimenters worldwide are not unfamiliar with longwave experimentation. Note in particular the bolded statement below:

With no Amateur Radio low-frequency [longwave -ed.] allocation in North America, stations operating under FCC Part 5 Experimental licenses in the US or under special experimental authorizations in Canada nonetheless continue to research the nether regions of the radio spectrum. By and large, LF experimentation is occurring in the vicinity of 136 kHz--typically 135.7 to 137.8 kHz--where amateur allocations already exist elsewhere in the world. The FCC rejected the ARRL's 1998 petition for LF allocations at 135.7 to 137.8 kHz and 160 to 190 kHz, however, after electric utilities objected that ham radio transmissions might interfere with power line carrier (PLC) signals used to control the power grid.

"Most of the new LF activity of Part 5 licensees has been in the shared 137 kHz amateur allocation available in some parts of the world," says low-frequency experimenter Laurence Howell, KL1X/5. "Although not in the Amateur Radio Service, these Part 5 experimental stations continue to add to our knowledge on propagation and engineering."

The holder of Part 5 Experimental license WD2XDW, Howell who's also GM4DMA, previously operated LF from Alaska. He's since relocated to Oklahoma, and has now resumed his LF work on 137.7752 and 137.7756 kHz. Already he's reporting some spectacular success, despite antenna limitations. On October 28, New Zealand LFer Mike McAlevey, ZL4OL, copied WD2XDW's 137 kHz carrier "bursts" over a path of more than 13,000 km (8000 miles).

The take-away message is that:

• In biomedicine, the most meticulous resilience engineering is never a bad idea.

When drug and device manufacturers understand this fully, perhaps we will no longer have incidents of bad health informatics that can kill.

-- SS