A staggering 8,000 vulnerabilities have been discovered in one of the most widespread medical advancements keeping people alive today: the pacemaker.
White Scope, which has reported all of the vulnerabilities to DHS ICS-CERT, examined seven different pacemaker programmers from four different manufacturers, with a focus on programmers that have RF capabilities. Thousands of flaws in third-party libraries came to light, a state of affairs that underscores the issues involved in software security updates for these devices.
All of the programmers that White Scope examined had outdated software with known vulnerabilities. Many of them run Windows XP.
“As seen in other medical device verticals, keeping devices fully patched and updated continues to be a challenge,” the team said. “Despite efforts from the FDA to streamline routine cybersecurity updates.”
The firm also uncovered that pacemaker programmers do not authenticate to pacemaker devices, and don’t require that physicians do, either; programmers instead boot directly into the programming software on the device without first requiring any type of login or password. Any pacemaker programmer can reprogram any pacemaker from the same manufacturer. Also, all of the pacemaker systems the researchers examined had unencrypted filesystems on removable media.
White Scope also noticed a lack of cryptographically signed pacemaker firmware, adding another layer of security problems: It would be possible to update the pacemaker device with custom firmware.
This is already a raft of potential issues, but that’s not where it ends. Worryingly, they were able to obtain pacemakers to test directly from eBay auctions. Some were used and contained patient data. Programmers can cost anywhere from $500-$3000, home monitoring equipment from $15-$300 and pacemaker devices $200-$3000.
“These devices are supposed to be controlled, as in they are supposed to be returned to the manufacturer after use by a hospital,” researchers said. “In two instances, we were able to confirm that patient data was stored unencrypted on the programmer. In one instance, we discovered actual unencrypted patient data (SSNs, names, phone numbers, medical data…etc.) on a pacemaker programmer. The patient data belonged to a well-known hospital on the east coast and has been reported to the appropriate agency. These types of issues highlight the need for strong device disposal policies from hospitals.”
Information-sharing is a real opportunity to change this state of affairs, the firm said.
“Surprisingly, the architecture and even technical implementation of pacemaker systems across manufacturers is very similar,” White Scope said. “We suspect that some of this similarity is due to the technical restraints associated with implanted technologies. Other similarities, however, indicate that there is some cross-pollination between pacemaker manufacturers. Given the similarities between systems, we hope that pacemaker manufacturers work together to share innovative cyber security designs and compete on user experience and health benefits as opposed to competing on cybersecurity.”
Pacemakers are not a new source of concern. Back in 2012, Barnaby Jack of security vendor IOActive found that several vendors’ pacemakers can be remotely controlled and commanded to deliver an 830-volt shock via a laptop, thanks to software programming flaws on the part of medical device companies. That is, of course, enough to kill someone, and Jack noted that the vulnerabilities open the door to “mass murder.”