Image: Cathryn Virginia

'I’m Possibly Alive Because It Exists:' Why Sleep Apnea Patients Rely on a CPAP Machine Hacker

An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on CPAP machines to create a free tool that lets patients modify their treatment.

|
Nov 15 2018, 6:03pm

Image: Cathryn Virginia

The Weakest Link is Motherboard's third annual theme week dedicated to the future of hacking and cybersecurity. Follow along.

Listen to Motherboard’s new hacking podcast, CYBER, here.


Christy Lynn was tired all the time, and, after months of trying to diagnose the problem, one of her doctors thought they’d figured out why.

“I didn’t fit any of the descriptions for sleep apnea,” she told me on a phone call. “I’m a woman, I wasn’t overweight. No one would have thought to test me, except I was seeing a doctor who had a similar medical history.”

Lynn, who lives in rural Arizona, did an at-home oximetry test, which tests blood oxygen levels, and then a sleep study. She was diagnosed with a difficult-to-treat form of sleep apnea, a disorder in which patients suddenly stop breathing for periods of time while they sleep that most often affects overweight men. She was given a continuous positive airway pressure (CPAP) machine and face mask—which blows air down a patient’s windpipe to keep the airways open—and sent home.

But a year-and-a-half and three sleep doctors later, her symptoms hadn’t improved. Her Apnoea-Hypopnea Index (AHI), which refers to the number of times she stopped breathing per night, was “horrible.”

“None of the doctors could get my AHI down and none of them seemed particularly concerned about it, to be honest,” she said. She started Googling for help, and came across a forum called CPAPtalk.com.

On the forum, users were talking about a piece of software called “SleepyHead.”

The free, open-source, and definitely not FDA-approved piece of software is the product of thousands of hours of hacking and development by a lone Australian developer named Mark Watkins, who has helped thousands of sleep apnea patients take back control of their treatment from overburdened and underinvested doctors. The software gives patients access to the sleep data that is already being generated by their CPAP machines but generally remains inaccessible, hidden by proprietary data formats that can only be read by authorized users (doctors) on proprietary pieces of software that patients often can’t buy or download. SleepyHead and community-run forums like CPAPtalk.com and ApneaBoard.com have allowed patients to circumvent medical device manufacturers, who would prefer that the software not exist at all.

“I cannot tell you enough how different my CPAP experience is with this software. It’s the difference between night and day,” Lynn said. “I’m possibly alive because it exists.”

*

1542304334204-J9xkHx4
Image: SleepyHead

Most modern CPAP machines create reams of data while they’re being used. They track things like average air pressure, AHI, average use per night, mask leak rates, “flow limitation index,” and other statistics about what the machine is doing and the patient’s sleep quality. Generally, the data is stored on an SD card, which a patient takes to their doctor once every six months (some new devices also transmit data wirelessly to an app; the data available on apps, patients told me, is rarely as thorough as what the machine is actually collecting.) This data can be used to alter a patient’s treatment; increasing or lowering pressure thresholds and other settings on the machine can lead to better outcomes.

But many doctors, several SleepyHead users told me, take a passing glance at the numbers and send patients on their way. Several academic reviews of the industry have found that there is a shortage of sleep specialists, which means that few doctors can give patients the personalized care that many of them want; a 2015 paper by the American Academy of Sleep Medicine found a “substantial shortage of board-certified sleep medicine providers,” and noted that “parts of the United States are grossly underserved or not served at all.”

Thomas Penzel, a sleep physiologist who is the scientific lead of the European Sleep Research Society, told me in an email that he “believes any bright patient can do what they want”

“A patient might modify the pressure if they know what they’re doing. Some of our patients have modified pressure themselves,” he added. “If things go wrong, they may end up dead in their bed. This is their own risk. CPAP is not a toy but a medical treatment.”

He agreed that most sleep apnea patients around the world are underserved: “Doctors don’t listen and don’t have time anywhere in the world.”

“Your doctor says bring in your chip or card, and they read it, but they don’t read it for diagnostics. They read it for insurance compliance to make sure you’re actually using it,” Steve Levine, a SleepyHead user from California, told me on the phone. “Everybody is trying to get you in and out the door, and take some profit from your pocket.”

"I became increasingly disgusted at how the CPAP industry is using and abusing people"

Some CPAP machines allow patients to see rudimentary data on the screens of the machines themselves, but very few machines actually give patients access to all the data that’s being collected. One popular CPAP manufacturer, ResMed, makes data analysis software called ResScan, which, because of federal law, is only available to medical professionals or “on the order of a physician.”

This walled-garden approach to sleep apnea treatment and CPAP user data has resulted in the creation of the DIY world of CPAP hacking and settings modification.

Much of the discussion at CPAPtalk.com and ApneaBoard.com, the latter of which has roughly 71,000 members, centers around SleepyHead, which decodes the data created by CPAP machines and allows ordinary patients to access it. The software decodes the data quite literally: Watkins has painstakingly hacked and cracked the proprietary data formats for each individual CPAP machine that the software supports. These data formats are intended to only be read by the manufacturers’ own software.

1542304726085-Screen-Shot-2018-11-15-at-125808-PM
Image: ApneaBoard

“All machines have antitamper signing/checksumming built into the data formats, some more elaborate than others,” Watkins told me in a Facebook message. “Hacking the file formats is a complicated process that requires known data to compare against, this often means flipping settings in the machine menus or working of PDF reports generated from commercial software with known data sets, which have to first be begged for and collected from people with access to the machine and software.”

Watkins started the SleepyHead project seven years ago because he was interested in the “forbidden secrets” of his CPAP machine’s SD card. Since he first got started, SleepyHead has become a lifeline for the sleep apnea community.

“As time progressed, I became increasingly disgusted at how the CPAP industry is using and abusing people, and it became apparent there was a serious need for a freely available, data focused, all-in-one CPAP analysis tool,” he said.

*

Digital rights management and technical protection measures implemented to keep the owners of devices from accessing them have grown common across a wide swath of industries; the problem that CPAP users face is similar to one faced by farmers who want to repair their John Deere tractors, by people who own Keurig coffee machines that will only brew authorized coffee pods, and by independent electronics repair professionals who are increasingly locked out of iPhones, MacBooks, servers, air conditioning systems, vacuum cleaners, and internet of things devices.

CPAP users like Watkins are part of a new push by patients to take control of their own data; activist Hugo Campos gave a TEDx talk in 2011 about his fight to gain access to the data generated by his pacemaker, while a DIY group called Nightscout has launched an unsanctioned app that breaks DRM in order to allow parents to remotely monitor their diabetic child’s glucose monitors.

Medical device companies have generally not been very happy about this new DIY movement, but what Watkins is doing with SleepyHead is legal.

1542304743877-Screen-Shot-2018-11-15-at-125412-PM
Image: SleepyHead

In 2015, Campos’s Coalition for Medical Device Researchers petitioned the Librarian of Congress and the US Copyright Office to create an exemption to the Digital Millennium Copyright Act—the most important law governing software copyright—that would allow patients to legally hack medical devices for security research and to gain access to the data that it generates.

The medical industry argued that "patients directly accessing the data on their devices may not understand the format of the data or may misinterpret the data. Such data access rights can be exercised (and already are provided) through health care providers"

Campos “was tracking his Pacemaker data on a Google Spreadsheet—not an ideal patient care situation,” Andrew Sellars, who at the time was a lawyer at Harvard’s Berkman Center for Internet and Society and represented Campos, told me on the phone. “The pacemaker transmits data to a base station. His idea was to intercept that signal as it’s taken off the pacemaker in order to find out what his heart was doing.”

Medical device companies vehemently fought Campos and Sellars’s petition: “The medical device manufacturers took the position that the data is formatted in such a way that it’s protected, copyrighted information that’s protected by the DMCA,” Sellars, who is now director of the Boston University/MIT Technology & Cyberlaw Clinic, added.

AdvaMed, a trade organization that lobbies on behalf of the medical device industry, told the copyright office in a petition to block Campos’s request that “patients directly accessing the data on their devices may not understand the format of the data or may misinterpret the data. Such data access rights can be exercised (and already are provided) through health care providers having the appropriate tools and training to collect and protect patient data without compromising the safety and longevity of his or her device.”

1542304854056-shutterstock_498393739
Image: Shutterstock

The organization also argued that an exemption that legalized patient data access would put patients’ health and privacy at risk and could “accelerate battery drain.” The Medical Alley Association—another medical device manufacturer trade group—argued that “allowing this exemption will directly interfere with the doctor-patient relationship—in effect inducing patients to make decisions without the support of their doctor.”

"Apnea Board freely distributes CPAP Clinician Manuals and publicizes the ‘secrets’ of these CPAP machines to our members so they can educate themselves and take control of their own sleep apnea therapy if they so choose"

The FDA, meanwhile, told the Copyright Office at the time that any device that was user-modified could not be marketed or resold without FDA approval, and that if any modified machine hurt a patient, the agency could have trouble determining whether it was the device manufacturer’s fault or the software modifier’s fault. But ultimately, the FDA did not try to stop the exemption from going through: “FDA recommends that the final rule explain that nothing in the rule will affect the regulation of products that fall within the jurisdiction of other federal agencies.”

In a major win for consumers, the Librarian of Congress granted the exemption, which legalized not only Campos’s attempts to gain access to his pacemaker data, but also the type of hacking that Watkins is doing with SleepyHead. Earlier this year, the exemption was renewed, and no medical device manufacturers (nor anyone else) attempted to stop it. AdvaMed declined to comment for this article. Medical Alley did not respond to a request for comment in time for publication; none of the CPAP manufacturers I contacted responded to a request for comment.

*

But just because hacking CPAP machines to gain access to the data is now legal doesn’t mean that medical device manufacturers have to make it easy. Watkins says that, without leaked documentation, hacking a new data format (and most manufacturers have their own formats) can take hundreds of hours. He uses a hexadecimal editor called Synalize It! to analyze the data formats and reverse engineer data against verified data that is shared with Watkins from friendly insiders.

“It’s been my experience that getting documentation out of manufacturers without a NDA is like getting blood out of stone,” Watkins said. “Most [manufacturers] have completely ignored my emails, some have even expressed displeasure at my efforts.”

1542304762647-Screen-Shot-2018-11-15-at-125824-PM
Image: ApneaBoard

CPAP patients regularly ask Watkins to hack new machines for them, and it’s gotten to the point where Watkins has had to basically stop development of the core software in order to spend time supporting new machines. Though he has done most of the software development and hacking, others in the community have helped with specific projects, and there are occasionally group hacking efforts to figure out the data format for a particularly difficult machine.

“Contec oximeters were fun, the ‘Protocol 7’ hack was an all-nighter team effort by myself, and a couple of other hackers supplying me with serial port captures, helping break protocols with python code, and testing the importer I wrote and tweaked it in SleepyHead,” he said.

The thousands of hours of development work has been tough on Watkins—he said he regularly suffers from spells of burnout, and development on SleepyHead has gone in fits and starts depending on his own health and job situation (he is currently looking for paid development work.)

“I've been on the sidelines away from the workforce as a stay at home dad, which while it has been beneficial to the SleepyHead project and my daughter, it hasn't exactly been so beneficial for my family's long term wellbeing,” he said. “Over the past seven years I've been mostly supported by my wife who's been patient with me and supportive of my project activity, but now my health has improved a lot and my daughter is old enough, I've really got no choice but to put family responsibilities ahead and return to work. Until I get into a rhythm with that and find some suitable paid work that fits my circumstances, I'll have to pause SleepyHead development for a while.”

He said his dream would be to create an open-source, easily repairable, DRM-free CPAP machine.

“I'm pleased others have found it genuinely helpful, their words of encouragement, donations, data samples, and willingness for patience despite slow development have helped keep me motivated,” he said. “I'm proud of my accomplishments so far, despite it being difficult doing this without any kind of commercial backing.”

1542304872174-shutterstock_537317164
Image: Shutterstock

When a new machine is hacked and added to SleepyHead’s list of supported machines, it’s documented in a Facebook group and on CPAPtalk and Apnea Board, which also play a crucial role for patients: The userbase on those forums helps new patients make sense of the data that SleepyHead is spitting out. It also helps patients decide what tweaks to make to their treatment and has information about how to actually make those changes on the machines (treatment modification menus are often hidden and are supposed to be accessed only by doctors.)

“Apnea Board’s primary goal is to promote ‘patient empowerment’ (where the patient takes a more active role in their own sleep apnea treatment),” SuperSleeper, who founded the forum in 2004, told me in a private forum message. “Quite simply, the sleep apnea industry as a whole is overwhelmed and cannot provide the one-on-one follow-up service that many CPAP users need. They're very good at creating ‘billable events’ (for a sleep study, a doctor's visit, or the sale of a CPAP machine and supplies), but they have little time and not enough of a financial incentive to help with ongoing detailed questions and problems that many CPAP users have.”

"I would be devastated if I lost the software. If it quit working, I don’t know what I would do.”

Apnea Board has become a bastion of information and self-taught sleep apnea experts; the forum features a private section in which users can download user manuals and, in some cases, leaked manuals that are intended for doctors. These manuals teach users how to get into the “clinician menu” where they’re able to modify their CPAP’s settings to tailor their treatment in coordination with what SleepyHead is telling them about their treatment.

“Apnea Board freely distributes CPAP Clinician Manuals and publicizes the ‘secrets’ of these CPAP machines to our members so they can educate themselves and take control of their own sleep apnea therapy if they so choose,” SuperSleeper told me. “Once one knows these ‘secrets,’ it's relatively easy to get into and program the ‘Clinician Menu’ of most CPAP machines, although increasingly, manufacturers are making it more difficult for patients to do that, and a bit of ‘hacking’ might become necessary with some machines.”

Both Levine and Lynn say that the combination of SleepyHead and the forums has completely changed their lives and their treatments.

“When you’re first diagnosed, you feel alone,” Levine said. “On the forum, people say ‘hey, this is what happened to me last night, and this is what I did. What do you recommend?’”

Lynn said that, when her doctors analyzed her numbers, they were looking at an average of her last six months, and not individual nights that may have been harder than others: “They’re not drilling down to where your problems are happening.”

“I can see the numbers every day on SleepyHead and I can tweak my settings,” she said. “I’ve been upping my exhale pressure to get my numbers down. I feel a lot better than I did when I was first diagnosed. I have more energy, I sleep better.”

Several people with sleep apnea I spoke to said that any concern that altering their treatment is dangerous is misplaced; many said they believe it’s fear-mongering by doctors and device manufacturers, and all of them stressed that they would never make modifications without fully understanding how the machines work and what the data is telling them.

Lynn said that treating herself is the only option that’s ever worked, and it’s the only option she has.

“I’m 62 years old and I don’t have health insurance because I can’t afford it and I’m self employed,” she said. “I would be devastated if I lost the software. If it quit working, I don’t know what I would do.”