With a bit of luck, you’ll live your whole life without needing an implanted medical device. But if you do end up getting the news that your doctor will be installing an active transmitter inside your body, you might as well crack out the software defined radio (SDR) and see if you can’t decode its transmission like [James Wu] recently did.
Before the Medtronic Bravo Reflux Capsule was attached to his lower esophagus, [James] got a good look at a demo unit of the pencil-width gadget. Despite the medical technician telling him the device used a “Bluetooth-like” communications protocol to transmit his esophageal pH to a wearable receiver, the big 433 emblazoned on the hardware made him think it was worth taking a closer look at the documentation. Sure enough, its entry in the FCC database not only confirmed the radio transmitted a 433.92 MHz OOK-PWM encoded signal, but it even broke down the contents of each packet. If only it was always that easy, right?
Of course he still had to put this information into practice, so the next step was to craft a configuration file for the popular
rtl_433 program which split each packet into its principle parts. This part of the write-up is particularly interesting for those who might be looking to pull data in from their own 433 MHz sensors, medical or otherwise
Unfortunately, there was still one piece of the puzzle missing. [James] knew which field was the pH value from the FCC database, but the 16-bit integer he was receiving didn’t make any sense. After some more research into the hardware, which uncovered another attempt at decoding the transmissions from the early days of the RTL-SDR project, he realized what he was actually seeing was the combination of two 8-bit pH measurements that are sent out simultaneously.
We were pleasantly surprised to see how much public information [James] was able to find about the Medtronic Bravo Reflux Capsule, but in a perfect world, this would be the norm. You deserve to know everything there is to know about a piece of electronics that’s going to be placed inside your body, but so far, the movement towards open hardware medical devices has struggled to gain much traction.
12 thoughts on “Tuning Into Medical Implants With The RTL-SDR”
Great, now we have the surreal outlook of people hacking into this and seeing how many people they can simply tune in, turn off, hold for ransom or corrupt.
“Doctor, doctor, my pacemaker wasn’t running right so I fired up the transmitter and made adjustment”
Yes, because not publishing this information was going to keep the device 100% secure wasn’t it?
Not really. First, you can’t hold him to random as the device has no receiver and doesn’t respond to commands. Second, all you could do is disrupt or otherwise interfere with his doctor reading the data from it. And there are much easier ways of achieving that – just jam the signal. No need for reverse engineering at all.
Fun fact: I carry a Medtronic device *with* a built-in receiver. What, me worry?
Well… maybe :-)
I completely agree. Having my internal details broadcast unencrypted terrifies me. Surely something is required. I know this device is read only and who cares about my gut pH, however, this a start to his technology. What could happen when higher functions are available (e.g. brain / machine interfaces.)
This isn’t a reply, but a comment. Thanks for added info on 433 Mhz and OOK format. My “universal” TV clicker uses that as well, and I seek to decode it.
F.I.: In IARU zone 1 (Europe) 433MHz is in HAM radio band … Don’t cry if your device is going crasy …
Does it transmit a unique ID?
Nice way to track people, like apple’s rolling BLE MAC.
In fact you could do home automation with it.
What could possibly go wrong?
To learn more of risk assessment of cyber-attacks on telemetry-enabled in a medical implantable electronic devices (MIED) https://giammaiot.blogspot.com/2021/07/decoding-radio-protocol-ph-wireless.html , for anyone wishing to deepen the subject.
Please be kind and respectful to help make the comments section excellent. (Comment Policy)