Pacemaker device security audit finds 8,600 flaws, some potentially deadly
A recent report from security firm WhiteScope describes more than 8,600 flaws in pacemaker systems and the third-party libraries that power various components of the devices.
The broad list of flaws includes a lack of encryption and authentication, simple bugs in the code and poor design that can put patient lives at risk. These vulnerabilities were associated with outdated libraries used in pacemaker programmer software.
WhiteScope analyzed seven different pacemaker programmers from four different manufacturers with a focus on programmers that rely on modern radio frequency. The programmers are used to monitor the function of implantable devices and set therapy parameters.
Most of these systems run on a similar architecture including an implanted medical device, a home monitoring system, a pacemaker programmer and a cloud-based infrastructure that relayed data to a physician.
One manufacturer alone had 3,715 flaws and another had 2,354. In one instance, the researchers found the models didn’t require physicians to authenticate a programmer, and the programmers didn’t authenticate implantable pacemakers -- which means anyone who can get within range of the device can alter the implanted device’s settings.
“Any pacemaker programmer can reprogram any pacemaker from the same manufacturer,” the researchers said in a statement.
Further, these systems stored the unencrypted file data on removable media, which means anyone can pick up a device and figure out how to hack it. The design flaw highlights the need for a complete overhaul of the basic design that manufacturers need to address.
In another instance, actual unencrypted data that included Social Security numbers, names, medical data and other patient data of a “well-known hospital on the east coast” was left exposed on a pacemaker programmer. The researchers contacted the “appropriate agency” with their findings.
“As seen in other medical device verticals keeping devices fully patched and updated continues to be a challenge,” the researchers said in a statement. “Despite efforts by the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities.”
“The pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date,” the researchers said. “No one vendor really stood out as having a better/worse update story when compared to competitors.”
The researchers contacted ICS-CERT with their findings, so the manufacturers of the analyzed devices can address the flaws.
This isn’t the first time medical device security has been under fire. St. Jude and Abbot’s medical devices have been criticized since fall of 2016. ICS-CERT and the U.S. Food and Drug Administration have released warnings about medical devices since 2013.