Hacking the Robotic Surgeon’s Hands and Eyes

May 1, 2015

A group of academic security researchers remotely hacked and took control of a robot designed to perform telesurgery, according to the MIT Technology Review.

Researchers hack and totally hijack Raven II remote surgery system

Telesurgery — perhaps better known as remote surgery — is exactly what it sounds like. Simply put, a doctor sits on a computer (fixed with highly specialized software and hardware) somewhere in the world and controls a robot performing surgery in some other part of the world. Perhaps not surprising to anyone who’s ever looked at a surgical bill, human-guided, robot performed surgeries are actually less expensive than human-only operations, particularly when travel is involved.

Therefore, telesurgery offers highly-trained doctors the ability to perform critical surgeries on patients living in parts of the world that lack highly-trained surgeons — without having to travel. This technology opens up an large revenue potential for (relatively) cheap medical procedures all around the world. However, as you may have guessed, certain telesurgery devices and protocols are vulnerable to dangerous electronic attacks.

The researchers not only found it possible to monitor or disrupt remotely performed surgeries but to completely hijack them as well

In this case, the University of Washington researchers, led by cyber-physical interaction expert Tamara Bonaci, targeted the communication technologies necessary to perform telesurgery. The researchers not only found it possible to monitor or disrupt remotely performed surgeries but to completely hijack them as well.

As the MIT Technology Review notes, early telesurgery was performed via dedicated fiber lines. This tactic is simultaneously secure, assuming all the machines involved are malware free, and wildly expensive. Unfortunately, the monetary benefits of telesurgery all but disappear when there is a direct, dedicated line between surgeon and patient. In order for telesurgery to work well, financially speaking, tele-surgeons have had to experiment with cheaper communication solutions, like the Internet.

To this point there have been no real-world attacks targeting tele-surgical operations, but we all know the Internet is just not that secure. So Bonaci and friends went to work attacking the Raven II surgical robot. On the doctor’s end there’s a mechanical apparatus through which the surgeon can watch and control the robot performing the surgery on the other end. In addition to the video, the advanced console also offers touch-based sensory feedback to the surgeon so he or she can have a real-world feel for the operation.

The largely Linux based system on the doctor’s side and the Robot Operating system on the other communicate over the public Internet using a specially designed protocol called the the Interoperable Telesurgery Protocol.

The researchers told the MIT Technology Review that taking complete control of the telesurgery device was fairly simple because the Interoperable Telesurgery Protocol is completely open and publicly available. Beyond that, the researchers were also able to delay signals to the robotic device or make it act erratically by modifying signals from the surgeon as they were sent over the Internet. In a number of cases, the researchers were able to trigger the robot’s automatic stop safety mechanisms, performing what amounts to a denial of service attack.

Perhaps most surprisingly, video for Raven II’s telesurgery operations were broadcasting publicly over the Internet without encryption, meaning anyone could watch the footage.

In a test case, the researchers built encryption into the telesurgery protocol for commands. It had no material negative impact, financial or performance, on the Raven II’s capacity to perform surgery. However, they say that encrypted video would not be feasible for Raven II systems, as they often attempt to perform surgeries in remote parts of the world with somewhat restricted data networking equipment.

The MIT Technology Review is reporting that the sale of tele-operated medical devices is increasing at a rate of 20 percent per year.