Hackaday Prize Entry: Sniffing Defibrillator Data

There’s a lot of implantable medical technology that is effectively a black box. Insulin pumps monitor blood sugar and deliver insulin, but you can’t exactly plug in a USB cable and download the data. Pacemakers and cardiac defibrillators are the same way. For these patients, data is usually transmitted to a base station, then sent over the Internet to help doctors make decisions. The patient never gets to see this data, but with a little work and a software defined radio, a team on Hackaday.io is cracking the code to listen in on these implanted medical devices.

The team behind ICeeData was assembled at a Health Tech Hackathon held in Latvia last April. One of the team members has an implanted defibrillator keeping her ticker in shape, and brought along her implant’s base station. The implant communicates via 402-405MHz radio, a region of the spectrum that is easily accessible by a cheap RTL-SDR TV Tuner dongle.

Right now the plan is to intercept the communications between the implant and the base station, decode the packets, decipher the protocol, and understand what the data means. It’s a classic reverse engineering task that would be the same for any radio protocol, only with this ones, the transmissions are coming from inside a human.

 

The HackadayPrize2016 is Sponsored by:

46 thoughts on “Hackaday Prize Entry: Sniffing Defibrillator Data

  1. Well, for me this is scary .. My friends mom is a cardiologist and works with heart implants. Some time ago i heard a story about one of her patient that came for a checkup. I don’t know the model or more details about his pacemaker, but i’ve heard that she discovered that someone else was logging in .. and .. no, there were no logs about eventual changes in the devices settings :/ because the producer didn’t include such functionality .. and this is SCARY.

  2. Collecting this personal data and being able to do one’s own research as well as saving recording data permits a person to invest the time a physician can’t in researching their own condition as well as have an intelligent discussion when seeking a second opinion, especially for a person on a small budget without state or employer funded medical care.
    The US model closed, patent encumbered, overwhelmingly rent seeking (on even publicly funded research) medical economy complex kills excluded or under-served people who might otherwise be saved while also diverting a far larger percentage of the economic output of the world into a few very wealthy pockets. Many nations try to do it better but the US model is still backed by the largest economy, largest researcher pool, largest research budget, and controls the worldwide clearing currency so everyone else ends up in the passenger seat.

      1. Here in the US we have skilled surgeons who can assist in helping you with your rectal-cranial inversion, Riddick. I suggest that you set up a consultation with one right away.

    1. Objectively, I couldn’t agree more with your accurate assessment. It isn’t about “I want everything free” mentality, but more of a fight (maybe too strong a word) against monopolies. I had a pacemaker put i a couple of weeks ago. $52,000. In another part of the US, it is about $18,000. I would love to see the data being transmitted. Part of the reason for ‘hacking’

      1. Why wouldn’t you be able to have a different doctor treat you? They all use the same implant companies. It’s not like the company cares which doctor uses their tech.

  3. data extracted from your own body should be accessible to yourself at all cost. I welcome this action and I can imagine that this helps in other solutions too, but… Can you also read the pacemaker from any person on the street with this? This could go bananas when Mc. Donalds decides to read pacemaker data to deny selling a Mc. Burger to someone, or am I overreacting?

  4. You’re gonna kill her with this. Okay, intercepting the communication is fine, but you’ll want to replicate the reader later, and one typo or false assumption may be enough to reprogram the ICD to either lethal or ineffective settings. I don’t know how idiot-proof these ICDs are, but this is not a use case they had in mind and I’d guess they put most of the idiot-proofing in the reader, not the ICD.

    1. Well, IF the idiot-proofing is NOT in the ICD it would be a super moment to find out – with the life of the team member at stake though. Hopefully the ICD has certificate encrypted communication (or at least signed), otherwise I would be inclined to wear tinfoil around my chest :-) Sniffing the communication should hopefully not interfere with operation, and “one typo” (or radio interference) is hopefully not enough to make the ICD malfunction…

      1. I highly doubt there is any security on these devices at all. The companies that make them try very hard to keep them out of the hands of security researches; claiming the reason is that “a discovered bug would kill the person” while ignoring the undiscovered bug that goes unpatched could also kill a person.

    2. I’m inclined to agree, not only because of the potential for accident, but also in the case where self-diagnosis leads to self-medication or self-remediation or whatever. I feel like a good Dr. doesn’t treat themselves – they realize they have little objectivity when it comes to their own health and they visit another Dr.

      1. As for now, the balance is at the “you don’t know it at all” point, and that’s no less harmful. It doesn’t exclude learning about how you yourself should interpret that data, but it certainly will help more people than it’ll hurt.

    3. *team technical lead here* We’re *not* implementing a reader. For this exact reason – ain’t nobody got time for checking how ICD reacts to certain commands. Also, we”ll be making instructions on assembling your own reader with a Raspberry Pi and a RTL-SDR, if it proves to be possible.

  5. “understand what the data means” … uh, hello.. it’s probably an EKG of the heart rythym. bfd man. Guessing if the device detects an abnormal rate or rythym, it will respond accordingly. Sniffing the data used to create the EKG data is like monitoring the CAN bus on a GM vehicle for gas gage data. The end reading is what actually matters.

    1. Base stations for these devices are used once a day or so to download data from the device, and then transmit it to the doctor’s office. The data will include information about any anomalous heart events since the last sync, any activity that caused the device to fire, plus diagnostic data about the device itself.

      Because the devices have a finite battery life (“cut here to change batteries”), I suspect they are minimizing RF power consumption as much as possible, so they’re probably compressing it before transmission.

  6. Of course sonner or later they will tinker with the device. That is what tinkerers do. Unofficial firmware, anyone? “You seem to be short of breath today, is that a nightly release”? They might as well grab the OpenICD.com domain while it is free.

    If you think that nobody is that irresponsible, check out the “I built a full-scale jet engine in my garage” videos (happily reposted here).

  7. I’m going to be following this project. Not because I have a pacemaker, but because a month after receiving my new CPAP machine I got an automated phone call from my medical supplier telling my what a good job I was doing for using my CPAP equipment every night (well, duh. I like it when my brain gets enough O2, thank you very much).
    I’m curious by what mechanism they received this data.

    1. I’ve got a ResMed AirSense 10 that has a CDMA modem it in that phones in my nightly data. It also logs it to an SD card so I can take it to my provider if they don’t pull the website data. There’s an open-source program called SleepyHead that will read my card and give me a TON more data than their crappy website does.

  8. whether sniffed and decompiled or generated by the base station this data is useful to a patient. In cases of cardiac and diabetic illnesses the ability to track, within a specific time frame, can allow the patient to determine what external issues are at play. Diet, exercise, stress…good things to know, and nothing a physician can tell from raw data.

  9. Maybe the team should look for a second hand unit on the market (they refurbish pacemakers and sell them do veterinarians) and experiment on the unit exvivo, that way they can really put it through its paces (he-he, I made a funny) without exploding a team members heart.

    1. We didn’t manage to find an ICD. We will, however, order a base station – those are numerous. Also, there’s a question of how useful is the pacemaker data when the pacemaker is not getting any heart impulses or any other data. It’ll probably go into fault mode or something.

      1. Thanks for replying above, and also thank you for being responsible and not getting upset at my accusation. Also, I’m sorry for assuming you were the I’ll-build-a-jet-engine-in-the-garage type of hacker.
        Anyway; I’m a med student in Hungary, where autopsies are common. In the autopsy halls, there are these cupboards where they store all the stuff they removed from the cadavers, including ICDs. (Sadly I can’t get my hands on one.) They sporadically wake up, notice that the patient no heartbeat and emit this extremely annoying alarm sound. I’d guess they would return to normal operation if they detected a heartbeat – I can’t imagine someone in the programming department to trust their own code enough to permanently disable the ICD on detection of death. If you manage to get hold of an ICD, you could use an ECG trainer to simulate a heartbeat – AFAIK they ship them with training AEDs.

  10. I think that implanted defibrillator and pmk only send data when near base station for diagnostic purpose and remote medical diagnostics.
    To program that device you need a specific device for specific producer.
    Trasmission form programmer to device is done by a special antenna put over the implant (3 – 5 mm distance between antenna and device) that put device in program mode for security reasons.

  11. I’m divided on this. I have one of these (actually my second, this one was just put in first of this month), and I’d LOVE to have the data available. Trust me, you don’t always feel the difference when things are starting to go bad until it’s too late. Having that data might have saved me from a couple of the shocks I’ve gotten. Maybe it would have caused me to stop what I was doing and laid down. Who knows, not having the data is not having the option to try to change things.

    But I’m not sure I want to mess around with it, either. I know it can be shut down, at least temporarily, with a magnet. How would I know if it was shut off? Snooping the data from ten feet away that’s it’s already sending is one thing, but I’d really hate to be more aggressive and chance shutting it down without realizing it.

    The old one I had to hold a coil to my chest to read it once a week and then it would get uploaded to the Doc. This new one uses the cell network and sends it daily. All I have to do is be in the same room with it at least once a day. Pretty sweet.

    So I guess I’ll follow this project, and see what happens. But, please, be careful. I know you are doing that now, but it still makes me nervous.

    As an afterthought, did you know some manufacturers will let you keep the old one when it comes out? Mine kept me alive for 9 years, and when I asked about keeping it I found out I could. They take it and sterilize it, disable the batteries, plug the ports and, to my surprise, they are even engraving whatever I want on it before they send it back to me. Like I said, it kept me alive for years, saved my life at least twice, and I want it hanging on my shop wall. :)

    1. We’re not doing anything even remotely disruptive, at least if we’re not talking about the business model of companies collecting that data. No transmitting from our side.

      Is your base station a Merlin@Home one? If so, there’s a big chance we’ll be useful. Could you provide some contact info (at crimier@yandex.ru, if you wish)? We’ll contact you as soon as we’ve got a cheap setup with a Raspberry Pi & RTL-SDR, which anybody is supposed to be able to reproduce to log their data.

    2. Not to post to an old comment, but I saw you kept your defibrillator. I kept my first one too, but they didn’t even disable the batteries. It started beeping in a drawer when the batteries got low and my wife and I hunted for the beeping for a long time before we discovered what it was. I would really like to open it, but I haven’t figured out how to open the titanium shell.

      1. Now THAT would drive me nuts! Lol.

        I considered opening mine, but I think I’ll just let it be. It would almost be like destroying an old friend, at this point, and I’ve already seen what’s inside one of them from a video I saw on the web of a tear down.

  12. dave jones did a good autopsy on one or two,
    apparently some have beeper speakers inside em (implant)
    i can’t imagine how that would FEEL if the speaker starts beeping inside you.

    RE interference:
    while using a pacemaker, do not get close to the following (or avoid entirely):
    welding (tons of RF?)
    microwave oven (RF harmonics from non-inverter units go through door)
    brushed-motor sparks (spark RF)
    powered electronics in left shirt-pocket
    CB/GMRS/FRS/WiFi/CellPhone/SatPhone/GarageOpener (all Tx needs to be kept away from left side of chest)
    digital equipment where grounded shielding has been removed or modified or is not present (arduino)
    non-certified digital equipment or equipment with fake or knock-off certification (walmart & dollar stuff)
    many kinds of hazardous do-not-enter areas (power, radio)
    engine bays while running (sparkplug RF)
    NewCommentor1283’s bedroom

    RE security:
    sounds like people need at least a basic firewall and password.
    oops i forgot, whisper and pretend it’s the 90’s

    1. ‘i can’t imagine how that would FEEL if the speaker starts beeping inside you.’

      It’s actually not that bad. They are fairly high tones, and not all that loud. Mine started beeping when the battery was getting low and the charge time on the Caps was taking too long. It beeped four times a day, a series of 14 beeps each time, regular enough you could have set your clock to it. It’s not even loud enough to wake you up if you’re asleep, just loud enough that my wife could hear it if she was real close and there was no noise like a tv or radio playing.

      The interference is not that much of a problem any more. They are well shielded. I was working electrical maintenance for a large corporation at the time it was put in and there was some concern because I was working on large electrical equipment on a daily basis. Turned out to not be much of a problem. Even the large transformers coming in from the street with thousands of amps was okay. Eventually I got past that initial caution and was welding pretty much on a daily basis. Never had a problem.

        1. Mine’s a Boston Scientific Guidant. I wouldn’t hesitate to do some welding. I don’t really want to get carried away doing it for hours at a time anymore, but if I needed to weld again, I’d just do it. I really don’t think you’ll have any problems.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.