WhiteScope security researchers have discovered over 8.600 security blanks in third-party pacemaker systems and routines used in their various subsystems.
These security gaps are of various kinds ranging from simple code errors to misconceived design choices that endanger the lives of patients.
The researchers discovered these defects in seven different ones productfrom four different manufacturers. All research is presented in detail in one report released by the team this week.
The emphasis on their research was on implantable devices such as pacemakers, implantable cardiac-defibrillators (ICDs), pulse generators, and heart rate monitors (CRMs). We will collectively refer to this article as "pacemaker systems" and we should know that all these systems are remotely controlled by special devices (pacemaker programmer) and under the instructions of the physician monitoring the patient.
What the researchers found is that most of these pacemaker systems work on a similar architecture that includes the real implanted medical device, a home monitoring device, a cloud-based infrastructure from which data is transmitted to a physician and a pacemaker programmer, and which the physician uses this data to adjust the implant.
The denergy control security of this entire infrastructure led to the discovery of over 8.600 vulnerabilities, most linked to an outdated library used for software owned by pacemaker developers.
In addition, there are also basic design issues that pacemakers have to deal with.
For example, pacemaker developers and the implantable pacemaker, although belonging to the same manufacturing company, do not validate each other, allowing a malicious third programmer who may come close enough to the victim to change the implant settings.
Similarly, pacemaker developers do not need the doctor's authentication, which means if a third one steals one of these devices can use them to do bad.
Last but not least, the data of the pacemaker systems are stored in unencrypted file systems on removable media, meaning that anyone can get one of these systems and read secret medical information.
Naturally the team did not mention the names of the manufacturers. Nevertheless, the researchers said they had contacted ICS-CERT and transmitted their findings so that organizations could address security gaps, at least privately.
The fact that pacemakers and other implantable medical devices have blatant safety holes is already known. From 2013 there have been many warnings from both ICS-CERT as well as by FDA. The FDA also issued a guide on how to secure medical devices products.
Nevertheless, security researchers have still found vulnerabilities in these devices in the years that followed, including in addition to pacemakers and insulin pumps.
