Fifty bucks could be all it takes to hack a powered wheelchair. Using two low-cost chipsets, MSU Denver computer science student Stephen Chavez showed off his hack to a packed convention hall at the annual hacker convention, DEF CON, in Las Vegas on Aug. 6.
“A person can hack your chair within three seconds if they have a physical contact,” Chavez said, “then walk off without you knowing about it.”
Using an Arduino, a low-cost microchip found online or at retail, Chavez was able to interface with his chair by reverse engineering the protocol that the chair uses to communicate with its attached subsystems. The protocol is called RNET, and other chairs besides his use it.
The exploit takes advantage of something called the Controller Area Network Bus. The bus lets different components inside a car or similar device, such as the brakes, steering, and motors, communicate with each other. Originally designed for use in cars, the CAN Bus is now found in several other kinds of devices, in entertainment, cycling and industry.
A shield is a component that lets the CAN Bus inside a car or wheelchair talk to a computer. Automotive repair shops use CAN shields inside diagnostic machines. The chipsets themselves can easily be purchased online.
In order for the hack to work, an Arduino and CAN Bus shield must be physically attached to the chair.
The ability to take complete control over a wheelchair poses a risk for users of power wheelchairs, Chavez said. The security vulnerability not only gives an attacker the ability to take control of the motor systems on the chair, but also access to any connected device on the chair. Someone exploiting the vulnerability in the wheelchair’s electronics could gain access to the air and oxygen tanks controlled by the chair, endangering the user.
Permobil Inc., the manufacturer of Chavez’s wheelchair, declined to comment.
Chavez also hacked the chair using a Raspberry Pi 3, another low-cost microprocessor similar to the Arduino. The Raspberry Pi 3 comes with Wi-Fi capability, allowing Chavez to gain control of the chair wirelessly. He showed this ability off in one of the hallways of the convention center in Vegas.
Mark E. Smith, an electrical engineer with 40 years of experience working with chairs, called the claim the mother of all urban legends. However, when he was told that Chavez had demonstrated the hack in our office, he said that Chavez must have modified his wheelchair in some way.
“It doesn’t really exist,” Smith said. “Power wheelchairs are FDA regulated devices and as such, they go through the most stringent EMI and EFI testing you can imagine. Obviously, you can’t have someone with a serious disability have their chair somehow lose control beyond their joystick.”
Smith said that the security on the chairs met the most stringent FDA requirements as class II medical devices, saying it was way beyond cell phones.
“If it was really going on, I would have heard about it,” Smith said. “This sounds like such an outlandish story, that if I were a reporter I would not put my credibility on the line.”
Otto Bock, another manufacturer, also said in an email statement that wireless hacking is not possible, as hacking equipment would have to be physically connected to the wheelchair. They also said that the company complies with international regulations, including safety standards.
By using the wireless functions on the Raspberry Pi 3, though, Chavez seems to have done just that.
“I hate it when people try to do cyber security when it’s not their field at all,” he said. “No matter how long people work on projects, if they don’t do cyber security then they shouldn’t give security suggestions. It can’t be any more real than this. There’s even a video.”
Chavez’s presentation at DEF CON was a success. He is the first student from MSU Denver to present at the convention. Afterward, he received job offers from SpiderOak and Independent Security Evaluators, as well as invitations to give presentations at other cyber security conferences.
As for the future of power wheelchair security, Chavez said that the only thing the industry can do now is invest in new technologies that are designed with security in mind. Any new technology will not have the same track record as the current one when it comes to safety standards and other needs. The technology used in wheelchairs today has been around for a decade or two, and over time has been hammered into meeting safety standards in hundreds of other countries. When RNET was first implemented, security was not an issue, Chavez said.
“We use technology from decades ago with no security at all,” Chavez said. “But we will keep using it because it works very well for what we need it for. And because of this, RNET will stay for a long time too.”
Editor’s note: This story was originally published on Aug. 17, 2016.