A recent study has found pacemaker cybersecurity protections not only to be lacking, but woefully inadequate. Many of the devices tested were discovered to contain thousands of software vulnerabilities, many of which could potentially be exploited by cybercriminals to gain access to the devices and their associated systems.
Medical device security issues have long been a concern, yet little is being done to address the problems. In some cases, the security vulnerabilities are severe and could easily result in the exposure or theft of sensitive data. Worse, vulnerabilities could be exploited to cause the devices to malfunction, which has potential to cause patients to come to serious harm.
Last year, MedSec conducted a study of pacemakers and associated devices manufactured by St. Jude Medical, with several vulnerabilities discovered.
The latest study was conducted by Billy Rios and Jonathan Butts of WhiteScope IO. The researchers examined seven pacemaker programmers from four manufacturers. The devices are all widely used in the United States.
Pacemaker programmers are used to set therapy parameters on implanted pacemakers and monitor their function. Many pacemaker programmers communicate with the implanted devices via radio frequencies.
The researchers found that any manufacturer’s pacemaker programmer could be used to reprogram all pacemakers from the same manufacturer. Those programmers could also be found on E-Bay and could be purchased by anyone. That is how the researchers obtained their devices.
The study revealed that pacemaker systems had unencrypted file systems with data stored on removable media. In one case, one of the devices purchased still contained the sensitive data of a patient, including that individual’s medical history and Social Security number.
Third party libraries used by the programmers were discovered to contain thousands of vulnerabilities. In total, 8,000 vulnerabilities were discovered across all devices. No device under test was free of security issues.
All of the programmers booted and launched their software without requiring any authentication, while there was no authentication needed to communicate with an implanted device. Firmware on the devices was not cryptographically signed, meaning new, tampered firmware could be easily uploaded to a device by a threat actor.
In short, the pacemaker cybersecurity protections were woeful. If pacemaker cybersecurity protections are not improved, sooner or later, someone will take advantage and steal data or cause patients harm.
The researchers now plan to look at the control systems used in conjunction with the devices and will evaluate the security on home monitoring systems.