Hacking medical devices

Stories about medical devices have come across my news feeds a few times in the last couple of months. Dutch security researchers found that they were able to hack several implantable medical devices.

implantable medical device, much smaller than a nearby writing pen

What’s interesting here is that the researchers were able to do this using a black-box approach: they just used radio equipment to eavesdrop on wireless signals between the implantable devices and the equipment used to maintain and control those devices. The researchers weren’t privy to the communication protocols the vendors use to control the devices, but the researchers were able to reverse-engineer these protocols and then send command signals of their own. These protocols typically used poorly-implemented encryption or no encryption at all.

The equipment the researchers used doesn’t come cheap, nor does the researchers’ expertise. Still, this makes it at least theoretically possible to do several things regarding devices like these:

  • Track the patient’s movements.
  • Trigger potentially fatal shocks in defibrillators and pacemakers.
  • Prevent a medical device from providing treatment.
  • Disable a device’s power-saving mode, causing its battery to drain too fast.

This isn’t entirely theoretical. Research like this has compelled at least one vendor to provide software upgrades to minimize these shortcomings. That’s probably an imperfect solution, but there are obviously some complications in providing firmware upgrades for already-deployed devices.

And in a case that’s presenting some interesting privacy questions, police arrested and indicted a man on charges of arson and insurance fraud. They used data from the suspect’s heart monitor as evidence that he set fire to his own house to collect the insurance money.

The radios in these implantable devices have a pretty short range, just around five meters. So your story’s character couldn’t run exploits like these from a great distance, but it provides some interesting possibilities.

Photo credit to ec-jpr for VVIR leadless St Jude Medical pacemaker


Physical access

You can do a lot if you have physical access to a computer.

Stealing login sessions with PoisonTap

PoisonTap is a pocket-sized Raspberry Pi device that you can plug into a computer’s USB port. It impersonates a new wired network connection and responds to outbound HTTP traffic. If the computer’s user is logged on to any of an extensive list of popular web sites, PoisonTap is able to capture the cookies and write them to a text file on the USB device. This works even if the screen is locked.

If your character needs to gain access to someone’s online accounts, your character could follow her target to the coffee shop, wait for the target to go to the bathroom, plug this device into the target’s computer for a minute, and be gone before the victim knew what was happening. If the target happened to be logged on to the online resource your character needs to access, she’ll have the session IDs on the USB drive. She may need to hurry: those session IDs will become invalid as soon as the target logs out of those web sites.
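PoisonTap only ever sees plaintext HTTP, so what it can collect is decided by the attributes a site puts on its cookies: a cookie without the Secure flag is sent to http:// origins, one without HttpOnly is readable by injected script, and one without SameSite is attached to the cross-site requests the device provokes. The audit below is an added example, not PoisonTap’s code and not from the original post; the Set-Cookie headers in it are constructed, and the finding codes are my own labels.

```python
"""Audit Set-Cookie headers for the attributes that limit what a rogue
network device can capture over plaintext HTTP.  Added example; the sample
headers are constructed, not captured from any real site."""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def audit(header: str) -> list[str]:
    """Return finding codes for one cookie (empty list means nothing to report)."""
    c = parse_set_cookie(header)
    findings = []
    if "secure" not in c.attrs:
        findings.append("no-secure")        # browser sends it to http:// origins
    if "httponly" not in c.attrs:
        findings.append("no-httponly")      # document.cookie can read it
    samesite = c.attrs.get("samesite", "").lower()
    if samesite in ("", "none"):
        findings.append("cross-site")       # attached to cross-site (e.g. iframe) requests
    # Prefix rules (RFC 6265bis): browsers reject cookies that violate them.
    if c.name.startswith("__Host-") and (
        "secure" not in c.attrs or "domain" in c.attrs or c.attrs.get("path") != "/"
    ):
        findings.append("bad-host-prefix")
    if c.name.startswith("__Secure-") and "secure" not in c.attrs:
        findings.append("bad-secure-prefix")
    return findings


def audit_all(headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h).name: audit(h) for h in headers}


# Constructed sample headers: one weak session cookie, one hardened one,
# one preference cookie and one that misuses the __Host- prefix.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",
    "__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "pref=dark; Domain=example.test; Path=/",
    "__Host-bad=1; Secure; Domain=example.test; Path=/",
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name:12s} {', '.join(findings) or 'ok'}")
```

The first sample cookie is exactly the kind PoisonTap is after: a session identifier that the browser will hand to any http:// request for that site. The `__Host-` variant is the hardened form, since the prefix makes the browser itself refuse the cookie unless it is Secure, host-only and path-wide.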

Reading the MacOS FileVault2 password with PCILeech

This is a vulnerability that Apple patched just this month, so it wouldn’t work on a real-world Mac running Sierra v10.12.2 or better. But Macs were vulnerable to this particular exploit for more than four months.

PCILeech refers to a mix of hardware and software that your character could use to break into an unpatched Mac. The video shows using a laptop attached to the device that your character would plug into the target Mac. (Maybe it would be possible to use something smaller, like a tablet or a Raspberry Pi or Arduino.)

PCILeech is able to recover the FileVault2 password from the Mac’s memory after rebooting the Mac. Once your character has the FileVault password, she has full access to the Mac. This will work even if the Mac is locked with a screensaver or hibernating, but it won’t work if the Mac is completely powered off. And the target might notice that his Mac rebooted.

USB kill stick

And if your character just wants to destroy a target device, there’s the USB kill stick. It’s a USB device that looks like a harmless thumb drive. It has several capacitors that start drawing power as soon as it’s plugged in. When the capacitors are charged (which appears to take no time at all), the kill stick rapidly discharges the capacitors right back into the port. Some devices have hardware protection against this, but many do not. The video on the page shows the researcher plugging the stick into several devices, frying many of them. It makes a lovely noise when that happens.


I bet you think twice about leaving your laptop unattended. Remember to…

  • Hope that your favorite devices have overvoltage protection
  • Never, ever use the Internet for anything


Predictably insecure electronic locks

A couple of researchers recently presented their analysis of a dozen or so consumer electronic locks. Some of these locks are the kind that you’d use on a typical door in place of a deadbolt, and some of them work like padlocks. Most of them use Bluetooth for wireless operation: you purchase the lock, install an app on your phone, and then use your phone to lock and unlock the device.

Sounds great, right? That’s fewer keys in your purse or pocket or in that not-very-fake-looking rock on your porch. You can enable a temporary code that you send to your plumber, so that he can enter the house while you’re at work. Some devices even have access logs. (Did the plumber come when he said he would? How long did he stay?)

The researchers found that 75% of the devices they studied were vulnerable to different kinds of attacks. In many or most cases, these attacks involved capturing and analyzing the traffic between the smart phone and the lock. The researchers notified the vendors of the affected products, but none of them was interested in doing anything about it. And why would they? At the very best, it would mean an expensive and embarrassing public relations campaign to notify consumers that they had purchased a lock with a defect.

This offers a plausible way for your character to do some breaking-and-entering. Maybe she needs to enter the home or storage building of a gadget-lover. She might need to plant some kind of sniffer device near the lock she wants to defeat and leave it there long enough for someone to use the lock. The FTS4BT Bluetooth protocol analyzer and packet sniffer looks like a USB device that she could plug into a Raspberry Pi. Tricking the lock might be as simple as replaying the signal that the sniffer recorded. If the device doesn’t have access logs (or if the owner doesn’t bother looking at them), your character could come and go as she pleases from then on.
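Replaying a recorded signal can only work when the unlock message never changes. The toy model below is an added example, not the researchers’ work and not the protocol of any real lock: it puts a static-token lock next to a nonce-based challenge-response lock, has the owner’s app open each one, and then replays the captured exchange. The shared key and the “captured packets” list are constructed.

```python
"""Static unlock token vs. nonce challenge-response: which one a recorded
Bluetooth exchange can be replayed against.  Added toy model; the 'radio'
is a Python list standing in for captured packets."""
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"  # secret provisioned into both the app and the lock


class StaticTokenLock:
    """Lock that accepts one fixed token forever: anything that hears it can reuse it."""

    def __init__(self, key: bytes) -> None:
        self.token = hashlib.sha256(key).digest()

    def unlock(self, msg: bytes) -> bool:
        return hmac.compare_digest(msg, self.token)


class StaticTokenApp:
    def __init__(self, key: bytes) -> None:
        self.token = hashlib.sha256(key).digest()

    def unlock_message(self) -> bytes:
        return self.token  # identical on every press of the button


class ChallengeLock:
    """Lock that issues a fresh random nonce and expects HMAC(key, nonce) back."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending: bytes | None = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def unlock(self, response: bytes) -> bool:
        if self.pending is None:
            return False  # no outstanding challenge: nothing to respond to
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # single use, consumed whether or not it matched
        return hmac.compare_digest(response, expected)


class ChallengeApp:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def replay_static() -> tuple[bool, bool]:
    """Return (owner unlocked, replayed capture unlocked) for the static-token lock."""
    lock, app = StaticTokenLock(KEY), StaticTokenApp(KEY)
    captured = []                       # what a nearby sniffer would record
    msg = app.unlock_message()
    captured.append(msg)
    owner_ok = lock.unlock(msg)
    replay_ok = lock.unlock(captured[0])  # same bytes, later: still accepted
    return owner_ok, replay_ok


def replay_challenge() -> tuple[bool, bool]:
    """Same experiment against the challenge-response lock."""
    lock, app = ChallengeLock(KEY), ChallengeApp(KEY)
    captured = []
    nonce = lock.challenge()
    response = app.respond(nonce)
    captured += [nonce, response]
    owner_ok = lock.unlock(response)
    lock.challenge()                    # a later session gets a different nonce
    replay_ok = lock.unlock(captured[1])  # old response no longer matches
    return owner_ok, replay_ok


if __name__ == "__main__":
    print("static token  (owner, replay):", replay_static())
    print("challenge/resp (owner, replay):", replay_challenge())
```

The point of the second lock is not the HMAC itself but the nonce: the lock chooses something the sniffer cannot predict, so the recorded answer is only ever good for the challenge it was computed for. A real product would also need to stop an attacker from simply asking the lock for a challenge and forwarding it to the owner’s phone, which is a separate relay problem this model does not cover.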

Oh, and don’t use electronic locks in real life. There’s a reason people have used metal keys to secure their stuff for hundreds of years.

Scanner hell

Here are a couple of “life in IT” horror stories, both involving desktop scanners. This is to give some idea of what it’s like when things go wrong while working in information technology. These particular misadventures were more frustrating than terrifying.

While my main responsibilities at work involve programming, I’ve ended up helping out with our imaging system. This means that I set up desktop scanners and configure desktop software to interface with the document management software running on one of our servers. I’ve probably done this kind of thing several dozen times. Although it can be time-consuming, it usually goes pretty smoothly.

Last week it didn’t go smoothly.

It was a brand new scanner and a brand new computer. I installed the scanner drivers off the installation CD, told the installer to download and apply the latest driver updates, hooked up the scanner, and configured the software to allow the user to scan pages (things like transcripts, release forms, etc.) into the imaging system. Like I’ve always done, I enabled the image processing feature to do things like deskew the images (that helps if the paper feeds into the scanner a little bit crooked). Every time I tried scanning a page into the imaging system, the desktop software would crash.

I un-installed the drivers, re-installed the drivers, reconfigured the desktop software, and the same thing happened. So I called technical support at the imaging system software company. A very patient technician made a remote connection to the PC so that he could try fixing it. For two hours I watched him do the same things I’d done with the same result.

He finally tried configuring the software without enabling the image processing feature. I saw him skip that step and almost said something about it, but I was tired and didn’t say anything. And of course that time it worked. Then I asked him to enable the feature, we tried it again, and the software was back to crashing. Disabling the feature again made the software start working again. So we left that feature disabled and called it “good enough.”

So as near as we could determine, the only thing wrong was enabling a helpful feature that I’ve used for years.

The other scanner nightmare was a few years ago. This one was a flatbed scanner, the type where you open a lid, put a single sheet of paper on a glass pane, close the lid, and the scanner moves a lamp back and forth under the page, taking a picture of it.

This was an older scanner that had been in storage for a while. That fact turned out to be significant.

I installed the drivers, hooked up the scanner, and tried to scan a page. I could see the lamp come on, and I could hear it trying to move. It made a delightful kuh-KUNK noise, and it was clear that the lamp wasn’t moving back and forth like it should.

This episode also involved a long phone call to the software vendor. In retrospect I probably should have called the scanner manufacturer, but it wasn’t clear to me where the problem was. The help desk at the software vendor has lots of experience with scanners, and I think they must have a room that’s nothing but scanner after scanner sitting on shelves, because they came up with a scanner just like the one I was struggling with: same manufacturer and model.

After an hour or two, the two technicians on the call were finally able to reproduce the problem I was having. I could hear them chuckling as one of them said, “Pick up the scanner and look on the bottom. Do you see a black slider switch with a couple of little padlock icons? And is the switch in the LOCKED position?”

Some helpful soul had locked the scanner when they put it in storage. So I moved the little switch, and was done setting up the scanner a few minutes later.

This is what happens when they put a programmer in charge of things with moving parts. It always ends in tears.