Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers

Over the past 12 months, security vulnerabilities in implantable medical devices have attracted considerable attention due to the potential threat to patient safety.

Last year, MedSec conducted an analysis of pacemaker systems which revealed security vulnerabilities in the [email protected] transmitter and the associated implantable cardiac devices manufactured by St. Jude Medical. Those vulnerabilities could potentially be exploited to cause device batteries to drain prematurely and the devices to malfunction.

A recent study of the pacemaker ecosystem has uncovered a plethora of security flaws in devices made by other major manufacturers. Those flaws could potentially be exploited to gain access to sensitive data and cause devices to malfunction.

Billy Rios and Jonathan Butts, PhD., of security research firm WhiteScope has recently published a white paper detailing the findings of the study.

The pair conducted an analysis of seven cardiac devices from four major device manufacturers. The researchers evaluated home monitoring devices, implantable cardiac devices and physician programmers, with most effort concentrated on four programmers with RF capabilities.

All of the devices under study were obtained from auction sites such as eBay, even though the devices are supposed to be controlled and returned to the manufacturer or hospital when no longer required. The report explained that all of the manufacturers under test had home monitoring equipment listed for sale on public auction sites. The researchers found security flaws existed on all pacemaker systems under study.

The filesystems used by the pacemaker systems were unencrypted, with data stored on removable media. Some of the devices stored highly sensitive data such as medical histories and Social Security numbers, yet the data were not encrypted to prevent unauthorized access.

The pacemaker systems allowed physicians to reprogram the devices without authentication and pacemaker programmers did not authenticate with pacemaker devices. The researchers explained that any pacemaker programmer could be used to reprogram any pacemaker from the same manufacturer.

The software used by the pacemaker systems was discovered to contain more than 8,000 known vulnerabilities in third-party libraries across all the devices. One vendor had 3,715 vulnerabilities in its third-party libraries. The researchers said it was clear there was “an industry wide issue associated with software security updates.”

The study also revealed firmware used by the devices was not cryptographically signed, therefore it would be possible to replace firmware with a custom firmware.

Rios and Butt said, “The findings are relatively consistent across the different vendors,” and recommended “vendors evaluate their respective implementations and validate that effective security controls are in place to protect against identified deficiencies that may lead to potential system compromise.”

The researchers did not disclose the specifics of the vulnerabilities, although they were passed to the Department of Homeland Security’s ICS-CERT, while a report has been submitted to “the appropriate agency” about the discovery of Social Security numbers and other sensitive data from a patient of a prominent east coast hospital.

The researchers now plan to evaluate the home monitoring systems associated with implantable cardiac devices.

The report – Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependenciescan viewed on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.