Medical pacemakers are riddled with security vulnerabilities that could allow hackers to kill, a study finds.
Details have emerged in a blog post of research by Billy Rios and Jonathan Butts of IT security company Whitescope, who discovered over 8,000 vulnerabilities affecting four different pacemaker programmers from four different medical device manufacturers.
For the purposes of this research, the term ‘pacemaker’ is used to refer collectively to pacemakers, implantable cardioverter defibrillators (ICDs), pulse generators, and cardiac rhythm management (CRM) devices.
Radio-frequency pacemaker programmers, meanwhile, are devices used to make adjustments to the function of pacemakers once they’ve been implanted in a patient, thus avoiding the need for further surgery.
But flaws in these programmers, say the researchers, could make it possible for a hacker to remotely tamper with them.
“Pacemaker programmers do not authenticate to pacemaker devices. Any pacemaker programmer can reprogram any pacemaker from the same manufacturer,” the Whitescope researchers point out. “This shows one of the areas where patient care [has] influenced cybersecurity posture,” they add, presumably meaning to add, “and not in a good way.”
No password required
For obvious safety reasons, the report does not specify which manufacturers’ systems were tested or provide details of the vulnerabilities found. Six pacemaker programmers used unencrypted IDE hard drives. One pacemaker programmer used an unencrypted PCMCIA flash drive.
“We saw a variety of operating systems such as the familiar Windows XP, Real-Time Operating Systems (RTOS) like MontaVista, old operating systems like DOS, we even encountered one programmer using OS2,” said the researchers.
While older pacemaker programmers only use a proximity ‘telemetry wand’, newer programmers from all vendors use longer-range RF communications in addition to the close-proximity telemetry wand.
Researchers found that the pacemaker devices do not authenticate these programmers, meaning that hackers with an external monitoring device could change the pacemaker’s settings, resulting in harm, or even death, to a victim.
Sold on eBay
They also discovered that, while the distribution of pacemaker programmers is supposed to be carefully controlled by manufacturers, they were able to buy all of the equipment they tested on eBay. Their conclusion? Any programmer bought on eBay has the potential to harm a patient.
“All manufacturers have devices that are available on auction websites,” the researchers said. “Programmers can cost anywhere from $500 to $3,000; home monitoring equipment from $15 to $300; and pacemaker devices $200 to $3,000.”
In some cases, unencrypted patient data was found stored on the pacemaker programmers, including names, phone numbers, medical information and Social Security numbers (SSNs), all of which is useful to hackers. These were from a well-known US East Coast hospital, according to the Whitescope team.
“We believe that this statistic shows that the pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date. No one vendor really stood out as having a better/worse update story when compared to their competitors,” said the researchers.