Could implanted medical devices that use wireless communication, such as pacemakers, be maliciously hacked to threaten patients' lives? Kevin Fu is no stranger to such overblown scenarios based on his research, though he prefers to stick to talking about technical details. But Fu, a software engineer and assistant professor of computer science, is a security guy. And security people think differently.
"Anyone who works in the world of security--they always have an adversary in mind," Fu explains, sitting behind his desk on the second floor of the UMass Amherst computer science building. "That's how you can best design your systems to defend against it."
The threats Fu researches are chiefly those connected to the security of radio frequency identification, or RFID. RFID is an increasingly common technology, used in everything from tags for shipping containers to electronic key cards, from ExxonMobil's Speedpass key-chain wands to Chase's no-swipe "Blink" credit cards. It allows billing and personal information to be shared quickly and wirelessly. But not, Fu realized back in 2006, very securely.
After testing more than 20 such "smart" or no-swipe credit cards from MasterCard, Visa, and American Express, Fu and his colleagues found that they could lift account numbers and expiration dates from several of the cards--even cards inside a wallet--just by walking past them with a homemade scanner.
Criminals troll mailboxes, shopping malls, and airports, harvesting nearby RFID information for use in identity-theft scams. Basically, they pick your pocket without ever touching your pocket. Making these cards truly secure would require good encryption software--Fu's specialty. But encryption requires a steady supply of energy, something that the passive, externally powered RFID chips used in these applications don't have. "The inspiration was about the programming," Fu explains. "But the programming won't work without an RFID computer to program. And the RFID computer won't work without solving the energy issues." He breaks a weary smile. "So, thus far, it's been something like a two-year sideline."
The only way for Fu to resolve this catch-22 is to invent new technology--a project he's working on with a team led by Wayne Burleson, a professor of electrical and computer engineering. But even as he wrestled with this problem, Fu found himself wondering, as only a security guy can: if financial information is vulnerable, what about seemingly more obscure targets with far bigger consequences?
This is what first brought him to the heart-attack machine.
At his desk, Fu clicks through a PowerPoint slide show of bad-guy examples, from the madman who put cyanide-laced Tylenol on Chicago drugstore shelves in 1982 to the hacker who posted seizure-inducing animations on an Internet message board for epileptics.
"It might seem paranoid," Fu admits, "but from a security standpoint, you need to start with the fact that bad people do exist." And there seemed no better place to hunt such misanthropes than the world of medicine.
Fu began wondering about the security of medical devices that use RF communication, such as pacemakers and defibrillators. He discussed the problem with his longtime colleague Tadayoshi Kohno, assistant professor of computer science and engineering at the University of Washington and a veteran investigator into the vulnerabilities of computer networks and voting machines (see TR35, September/October 2007).