WhiteScope security researchers have discovered over 8.600 security blanks in third-party pacemaker systems and routines used in their various subsystems.
These security gaps are of various kinds ranging from simple code errors to misconceived design choices that endanger the lives of patients.
The researchers discovered these flaws in seven different products from four different manufacturers. All research is presented in detail in one report released by the team this week.
The emphasis on their research was on implantable devices such as pacemakers, implantable cardiac-defibrillators (ICDs), pulse generators, and heart rate monitors (CRMs). We will collectively refer to this article as "pacemaker systems" and we should know that all these systems are remotely controlled by special devices (pacemaker programmer) and under the instructions of the physician monitoring the patient.
What researchers have found is that most of these pacemaker systems are working on a similar architecture that includes a real implanted medical device, a home monitoring device, a cloud-based infrastructure from which data is transmitted to a doctor and a pacemaker programmer, and the physician uses these data for implant settings.
Carrying out security checks on all of this infrastructure has led to the discovery of more than 8.600 vulnerabilities, most of which are linked to an outdated library used for the software of the pacemaker developers.
In addition, there are also basic design issues that pacemakers have to deal with.
For example, pacemaker developers and the implantable pacemaker, although belonging to the same manufacturing company, do not validate each other, allowing a malicious third programmer who may come close enough to the victim to change the implant settings.
Similarly, pacemaker developers do not need the doctor's authentication, which means if a third one steals one of these devices can use them to do bad.
Last but not least, the data of the pacemaker systems are stored in unencrypted file systems on removable media, meaning that anyone can get one of these systems and read secret medical information.
Naturally the team did not mention the names of the manufacturers. Nevertheless, the researchers said they had contacted ICS-CERT and transmitted their findings so that organizations could address security gaps, at least privately.
The fact that pacemakers and other implantable medical devices have blatant safety holes is already known. From 2013 there have been many warnings from both ICS-CERT as well as by FDA. The FDA also issued a guide on how to ensure medical devices.
Nevertheless, security researchers have still found vulnerabilities in these devices in the years that followed, including in addition to pacemakers and insulin pumps.