A Password Even a Hacker Supervillain Can't Crack


[It goes without saying that any piece of writing that includes a reference to Homeland should begin with a spoiler alert, so spoiler alert.]

Previously on Showtime’s Homeland, viewers watched someone hack into a pacemaker remotely to try to kill its owner. Plenty of the plot points in the addictive and Emmy-winning series strain credulity, but this one, apparently, should not. This summer the FDA warned medical device makers about precisely this possibility. At a hacker conference last year, Barnaby Jack demonstrated how to take over an implantable insulin pump remotely and tell it to deliver a deadly dose. Earlier this year he claimed to have developed software that allowed him to send a fatal electric shock to anyone within 50 feet—though, in a chilling turn of events, he died before he could present the technology. (The San Francisco police have ruled out foul play.)

The reason pacemakers and other implantable devices are open to this kind of manipulation is that they’re radio controlled. That makes it possible to program and reprogram them and get data from them without opening the patient back up and taking the device out, an understandable advantage. And they don’t have passwords because paramedics and physicians need to be able to get that information in an emergency, even if the person with the pacemaker is unconscious. In other words, the benefits of the technology outweigh the vanishingly small chance that a malicious technologist will figure out how to kill you through it. Also, outside of TV, there are exactly zero recorded incidents of murder by pacemaker hack.

Still, when even home Wi-Fi systems can have password protection, doesn’t it seem rash to leave such a piece of equipment with life-or-death consequences unprotected? A team at Rice University in Houston and RSA Laboratories in Cambridge, Mass., has proposed a clever solution. Their Heart-to-Heart system uses a person’s heartbeat itself as a password. It has two components: software in the implanted medical device and a “touch” device that would be wielded by a medical technician.

The key to it is the fact that a human heartbeat constantly varies, a sort of rhythmic fingerprint. “The signal from your heartbeat is different every second, so the password is different each time,” Masoud Rostami, one of the researchers, said in a press release announcing the finding. “You can’t use it even a minute later.”

When the medical technician touches the patient, the touch device would pick up the electrocardiogram (EKG) signature of the patient’s heartbeat at that instant and compare it with the EKG picked up by the implanted device itself. If the two match, then it’s proof that the technician is actually with the patient and not someone trying to hack in from afar.
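The comparison described above can be sketched in a few lines. This is an added illustration, not the researchers' code: the bit-extraction scheme, the threshold and the interval values are assumptions constructed for the example, and it models only the match decision, not how the two devices would exchange readings securely.

```python
# Added illustration: compare two heartbeat readings the way the article
# describes. The bit-extraction scheme and threshold are assumptions.

# Constructed sample data: inter-beat intervals in milliseconds.
IMPLANT = [812, 847, 795, 861, 829, 778, 853, 806]  # seen by the implant
TOUCH = [813, 846, 796, 860, 830, 779, 852, 807]    # same beats, sensor noise
STALE = [790, 835, 872, 801, 844, 815, 769, 858]    # beats recorded earlier

DROP_BITS = 2   # discard the 2 lowest bits (sub-4 ms jitter between sensors)
KEEP_BITS = 4   # keep the next 4 bits, which vary from beat to beat
MAX_DIFF = 4    # tolerated mismatching bits out of 32 (assumed threshold)


def interval_bits(intervals_ms):
    """Turn a run of inter-beat intervals into a bit string."""
    bits = []
    for ipi in intervals_ms:
        level = (ipi >> DROP_BITS) & ((1 << KEEP_BITS) - 1)
        # Gray-code the level so that a reading that lands just across a
        # quantization boundary flips one bit instead of several.
        gray = level ^ (level >> 1)
        bits.extend((gray >> k) & 1 for k in range(KEEP_BITS))
    return bits


def hamming(a, b):
    """Count the positions where two equal-length bit strings differ."""
    if len(a) != len(b):
        raise ValueError("readings cover a different number of beats")
    return sum(x != y for x, y in zip(a, b))


def same_heartbeat(implant_ms, other_ms, max_diff=MAX_DIFF):
    """Accept only if the other reading matches the implant's own view."""
    diff = hamming(interval_bits(implant_ms), interval_bits(other_ms))
    return diff <= max_diff


if __name__ == "__main__":
    for name, reading in (("touch device", TOUCH), ("stale recording", STALE)):
        d = hamming(interval_bits(IMPLANT), interval_bits(reading))
        verdict = "accept" if same_heartbeat(IMPLANT, reading) else "reject"
        print(f"{name}: {d}/32 bits differ -> {verdict}")
```

With these constructed values the live reading differs from the implant's in 1 of 32 bits, while the earlier recording differs in 15, close to what two unrelated bit strings would show.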

“We treat your heart as if it were a random number generator,” Rostami is quoted as saying. It sounds like the title of a very, very nerdy country music ballad, but it’s unquestionably a clever idea, and one that could help pacemaker carriers—and the rest of us—sleep a little better. At least until this Sunday, when Homeland returns to Showtime, complete with a whole new season of paranoid imaginings.