The Hacker News today reported in a recent study, researchers from security firm White Scope analyzed seven pacemaker products from four different vendors and discovered that they use more than 300 third-party libraries, 174 of which are known to have over 8,600 vulnerabilities that hackers could exploit in pacemaker programmers.
“Despite efforts from the FDA to streamline routine cyber security updates, all programmers we examined had outdated software with known vulnerabilities,” the researchers wrote in a blog post about the study.
“We believe that this statistic shows that the pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date. No one vendor really stood out as having a better/worse update story when compared to their competitors.”
The White Scope analysis covered implantable cardiac devices, home monitoring equipment, pacemaker programmers, and cloud-based systems to send patient’s vital data over the Internet to doctors for examining.
All of the programmers examined by the security firm had outdated software with known vulnerabilities, many of which run Windows XP.
What’s even more frightening? Researchers discovered that the Pacemaker devices do not authenticate these programmers, which means anyone who gets their hands on an external monitoring device could potentially harm heart patients with an implanted pacemaker that could harm or kill them.
Another troubling discovery by researchers is with the distribution of pacemaker programmers.
Although the distribution of pacemaker programmers is supposed to be carefully controlled by the manufacturers of pacemaker devices, the researchers bought all of the equipment they tested on eBay.
“All manufacturers have devices that are available on auction websites,” the researchers said. “Programmers can cost anywhere from $500-$3000, home monitoring equipment from $15-$300, and pacemaker devices $200-$3000.”
In some cases, researchers discovered unencrypted patients’ data stored on the pacemaker programmers, including names, phone numbers, medical information and Social Security numbers (SSNs), leaving them wide open for hackers to steal.
Another issue discovered in the pacemaker systems is the lack of the most basic authentication process: login name and password, allowing the physicians to authenticate a programmer or cardiac implant devices without even have to enter a password.
This means anyone within range of the devices or systems can change the pacemaker’s settings of a patient using a programmer from the same manufacturer.
Matthew Green, a computer science assistant professor at Johns Hopkins, pointed out on Twitter that doctors are not willing to let security systems block patient care. In other words, the medical staff shouldn’t be forced to log in with credentials during an emergency situation.
“If you require doctors to log into a device with a password, you will end up with a post-it note on the device listing the password,” Green said.
The list of security vulnerabilities the researchers discovered in devices made by four vendors includes hardcoded credentials, unsecured external USB connections, the failure to map the firmware to protected memory, lack of encrypted pacemaker firmware updates, and using universal authentication tokens for pairing with the implanted device.
White Scope has already contacted the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), so the manufacturers of the tested devices can address the flaws.
CyVision Technologies, Inc