16 October 2020

Dr Marie Moe was in the skies above the Netherlands, on the way to speak at a cyber security conference, when she suddenly realised something was going very wrong with her pacemaker.

“Normally I don’t feel it doing its thing, constantly pacing my heart,”

she explains.

“But suddenly I could feel it, which was so weird. I could feel the electrical current. I looked down and I could see that my chest muscle was twitching involuntarily in the rhythm of my heart.”

The pacemaker had gone into failure mode. The cabin crew alerted Schiphol airport and an ambulance was waiting to blue light her to the nearest hospital on landing.

It was terrifying. But it also provided the breakthrough she needed for her research – into the vulnerabilities of the very implant that was keeping her alive.

The story begins a few years earlier, in 2011, when Moe, a cyber security researcher in her early 30s, was first fitted with a pacemaker after collapsing at home.

The procedure was reassuringly straightforward but Moe became intrigued by the security of medical implants – and even more so when she discovered how little research had been done into the subject at that time.

On reading the technical manual and discovering that her pacemaker had two antennas – one for configuring the device using special equipment at the hospital and the other for connecting the pacemaker to the internet wirelessly – her interest turned to concern. Could someone hack into the device and compromise her heart function?

Moe’s project started small, in her spare time, without funding and by experimenting with used devices of the same kind that communicated with her pacemaker, which she found for sale on eBay. Then it snowballed. Chatting to information security friends in the bar at a conference, her story caught their imagination and she was invited to give a keynote at a security conference in Luxembourg in 2015. It was a turning point.

“I had to think about it for a while because it was all very personal to me. I’d never talked about it publicly before. I was wondering, ‘Do I want to stand on the stage in front of a room of potential hackers and tell them about this apparent vulnerability inside me?’

“I decided that I did; I wanted bring some attention to the issue because it seemed that was the only way that the manufacturers would be forced to build better security into their products.”

That appearance led to some funding and an opportunity to speak at the Chaos Communication Congress, an annual gathering of more than 10,000 security experts in Germany.

By then, Moe was an associate professor at the Norwegian University of Science and Technology and was supervising masters’ students. She was able to create a masters’ thesis topic on pacemaker hacking, and six “really good” students were inspired to apply, who threw themselves into the unusual project.

But the big break came as a result of that scary mid-air glitch.

“My pacemaker had been hit by cosmic radiation, a very rare event, which caused bit flips in the memory of the device,”

explains Moe.

“In the computer code, zeros became ones and ones became zeros, because they were hit by this radiation.”

When the pacemaker technician checked it out at the hospital, he explained that it was a software problem that could be fixed with a firmware update – a reset.

“What was interesting was that, since this was a failure – a crash file – a log file was created on the programmer device for further investigation to see what had gone wrong. And this log file was an encrypted zip file. And I had a USB memory stick in a bag…”

The surprised technician gave Moe a copy of the data that had been generated by her heart and she passed the file to her students as an assignment to figure out what kind of encryption was being used and how well the data was protected. By reverse-engineering the code they were able to find the password that protected her patient data.

It turned out to be a hard-coded password – and it was simply ‘BIOTRONIK’, the name of the pacemaker manufacturer.

“And with access to this, we could take any file from any pacemaker programmer anywhere in the world and decrypt it,”

says Moe.

In addition, the team discovered vulnerabilities in how that internet connection was set up. The security just wasn’t good enough.

A long process followed of reporting the vulnerabilities to the manufacturer, seeking acknowledgement and submitting CVEs (a numbered way of identifying or enumerating known vulnerabilities in software).

The issues have not all been resolved, but mitigation on the manufacturer’s side prevents them from being exploited. Moe’s team has also since investigated devices from a range of other manufacturers and found that some were even less secure, with little or no encryption at all. Where there was encryption, it was often supported by outdated legacy protocols.

Through work with grassroots cyber security organisation I Am the Cavalry, Moe’s research has now changed the way the US Food and Drug Administration (FDA) has issued guidance to manufacturers, helping to ensure that future pacemakers are more secure.

So, is Moe reassured?

“I feel like at least my suspicion about enabling the internet connectivity on the device was justified. It was not to be trusted.

“The good thing, though, is that we found that it’s not possible to exploit this vulnerability in way that could harm the pacemaker. So, nobody can change the settings of the pacemaker remotely by using the internet connection.

“I also now know, through that accidental discovery in the sky, that there is a backup program keeping the device running, even if the software is not working properly.

“For me, having more knowledge about how the device works makes me feel safer and more secure. That’s why I’m working for better transparency and for devices to be built on open standards in the future and not proprietary protocols like they are today.”

And how worried should the rest of us be? Moe believes that it’s an issue that will affect more and more people in the future as we live longer and better-quality lives because of medical implants.

“In the future, as well as having to update your laptop or phone, you’ll have to update all your sensors and implants – and you might want to have a privacy check-up of all of your implants,”

she warns.

“What kind of information is your body giving away at any given time? This is going to become more and more important.

“I really think that the work my team has been doing has impacted the future versions of medical implants, which is good for me and for other pacemaker patients who are going to receive new devices with improved security.

“But, of course, the most important thing is that it’s keeping me alive,“

concludes Moe.

To hear more from Dr Marie Moe, sign up for Jisc’s security conference, free to attend online from 3-5 November 2020. Dr Moe is speaking at 13:00 on 4 November.