Bill Pollock -- [email protected]

@billpollock
Founder, No Starch Press and Hacker Initiative. Views expressed are *entirely* my own. He/him/his Contact our editors at: [email protected]


For the Nancy Guthrie case, an idea, and maybe a crazy one: she had a pacemaker, and implantable devices, such as Medtronic's, often use Bluetooth. Couldn't you war-drive (drones even better) with a high-gain antenna with amplifiers, get the MAC address from the provider, and comb the city and locations looking for that specific MAC? I'm also sure that if you had cooperation with the manufacturer they might provide the protocol; law enforcement could use a custom interrogator to "ping" the device and elicit a response. Pacemakers last months or years. It would continue to transmit even if (God forbid) someone was deceased.

High gain + LNA + good SDR: 500+ ft possible with class 2 transmitters (normally in Bluetooth pacemakers, common in implants, ~10 mW output). Parabolic + high-sensitivity gear: 1000+ ft in ideal RF conditions. Not saying this range is possible; with BLE + body interference + 2.4 GHz being a heavily used spectrum = much lower range. Previous research has tested insulin pumps upward of 300+ ft in the past in BLE.

Companies that use Bluetooth in pacemakers: Medtronic, Abbott Laboratories, Boston Scientific.

Now, in stating that, there are a bunch of limitations here: broadcast timing. They all use low-power Bluetooth, but if they have access to Nancy's phone and it's paired, would there be a way to take that pairing connection, amplify it and run it through? You could potentially extract pairing keys/secrets and emulate the phone's connection with an amplified setup (e.g., SDR spoofing the phone's BLE master role).

A lot of "ifs" here; just wondering if it's technically possible. Based on what I know, these conditions would need to be true:
- The implant uses RF telemetry that can transmit without an external programmer actively interrogating it.
- The device is configured to advertise or beacon.
- The identifier is detectable passively.
- The identifier is not randomized.
- The device is currently transmitting.
- You are within viable range (which is likely very short).
- The RF environment is not swamping it.

If solely using MICS frequencies (402-405 MHz) this wouldn't work:
- Very low power
- Designed for short-range use
- Often magnet-activated or programmer-initiated
- Session-based communication
- Encrypted/authenticated in modern systems

The 2.4 GHz band is crowded; distinguishing one pacemaker from thousands of BLE devices in a city like Tucson would require a lot of noise reduction/filtering, but technically I think it's possible. Also note that law enforcement did state that the phone disconnected from the pacemaker, hinting that Bluetooth was actually enabled.

Papers used for analyzing this as a viable option:
mdpi.com/1424-8220/20/1…
mdpi.com/1424-8220/23/7…
mdpi.com/1996-1073/13/4…
pmc.ncbi.nlm.nih.gov/articles/PMC28…
pmc.ncbi.nlm.nih.gov/articles/PMC10…
digitalcommons.calpoly.edu/cgi/viewconten…
secure-medicine.org/hubfs/Archimed…
sciencedirect.com/science/articl…
medtronic.com/en-us/e/produc…
armis.com/research/bleed…
thinkmind.org/articles/cyber…
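Of the conditions in the post, "the identifier is not randomized" is the one BLE privacy is specifically designed to break: a bonded device rotates a resolvable private address (RPA) that only peers holding its Identity Resolving Key (IRK) can link from one rotation to the next. The Go below is an added example, not code from the post or from any device manufacturer; it implements the Core Spec `ah()` hash, RPA generation and peer-side resolution with the standard library, and the IRK values used are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
)

// AddressHash is the Core Spec function ah(k, r): AES-128 of prand zero-padded
// to 128 bits (MSB first), keeping the least significant 24 bits of the output.
func AddressHash(irk [16]byte, prand [3]byte) ([3]byte, error) {
	var hash [3]byte
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return hash, err
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = 104 zero bits || prand
	block.Encrypt(out[:], in[:])
	copy(hash[:], out[13:])
	return hash, nil
}

// NewRPA builds a resolvable private address (6 bytes, MSB first) from a fresh
// prand with top bits 0b01 and not all 0s/1s, followed by ah(IRK, prand).
func NewRPA(irk [16]byte) ([6]byte, error) {
	var addr [6]byte
	for {
		if _, err := rand.Read(addr[:3]); err != nil {
			return addr, err
		}
		addr[0] = addr[0]&0x3f | 0x40
		r := uint32(addr[0]&0x3f)<<16 | uint32(addr[1])<<8 | uint32(addr[2])
		if r != 0 && r != 0x3fffff {
			break
		}
	}
	hash, err := AddressHash(irk, [3]byte{addr[0], addr[1], addr[2]})
	copy(addr[3:], hash[:])
	return addr, err
}

// Resolve is the bonded peer's check: recompute the hash over the prand half
// with the stored IRK and compare. Without the IRK there is nothing to check.
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 0x01 {
		return false // public, static or non-resolvable: not an RPA
	}
	h, err := AddressHash(irk, [3]byte{addr[0], addr[1], addr[2]})
	return err == nil && h == [3]byte{addr[3], addr[4], addr[5]}
}
```

A passive scanner that only sees the air interface holds no IRK, so two successive RPAs from the same implant look like two unrelated devices; only a peer the device bonded with (for example the patient's phone) can call `Resolve` meaningfully.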