In a development that I think was inevitable, the New York Times published an article about hacking pacemakers from afar. Of course, “afar” in this case means a few inches, but it’s the principle of the matter that counts.

This article is laughable for a number of reasons:

First, we in the medical industry are well-aware of these “vulnerabilities” and have been for years. Older devices didn’t have the processing power to implement a meaningful encryption scheme. When your main processor is an 8-bit microcontroller running at a few hundred kilohertz, and your power budget is low enough to ensure operation from a primary-cell battery for several years, there isn’t a lot of headroom to address an impractical security threat.

Second, the attack requires extreme proximity to be functional. All older implanted devices incorporating telemetry do so using H-field communications; Maxwell tells us that these magnetic fields decay by the cube of the distance, as opposed to the square of the distance for E-fields. The signals are so weak that we had trouble making reliable connections from inches away, and we designed the things. It is possible to make receivers that can pick up the signal from much farther away (meters), but sending commands back to the implanted device still requires extreme proximity due to the design of the implanted receiver. Cutting-edge devices that use E-field telemetry in the MICS band (and thus a range measured in meters instead of centimeters) have much-improved security.

Third, the comments by Boston Scientific that they have “mitigated these risks” are misleading at best. Any sufficiently determined attacker can break any practical system. Plus, their older (and widely used) H-field devices are just as vulnerable as Medtronic’s older H-field devices.