Can the heart be hacked? Experts find 8,000 security flaws in pacemaker software
Security research firm WhiteScope carried out the assessment on implantable cardiac devices, physician programmers and home monitoring devices for four major manufacturers.
The researchers found a worrying consistency across all vendors, highlighting inherent system weaknesses in file system encryption and storage of unencrypted patient data.
The report notes that pacemaker security faces “some serious challenges”.
The recent WannaCry ransomware attack, which reportedly infected a medical device in a US hospital as well as medical services in the US and the UK, once again highlighted the potential implications of software vulnerabilities in the health sector.
The new study builds on earlier research which raised concerns over security flaws in cardiac devices such as the implantable cardioverter defibrillator (ICD) and the pacemaker, with WhiteScope researchers easily able to obtain subsystems for the four major vendors through public auction sites such as Ebay.
One particular concern is the use of third party components, software that is sold by a company other than the original vendor. These components often have vulnerabilities that go unpatched.
The report notes that as home monitoring devices receive updates to their permanent software, or firmware, via the patient support network, “the potential exists to perform a man-in-the-middle attack and issue counterfeit firmware” to the devices.
A total of more than 8,000 vulnerabilities in third party components were identified across the four manufacturers.
“Given the commonality of the findings across different vendors, identification of implementation vulnerabilities as to any one vendor may expose those same vulnerabilities in other vendors and should be considered carefully before public disclosure,” the report warns.
The system used in diagnosis and programming the cardiac implants, which uses removable media/hard-drives, is also at risk from hackers who could extract the file system, according to the report.
The study recommends vendors evaluate their systems and put effective security controls in place. It suggests techniques such as firmware packing, obfuscation and encryption would make it much more difficult to reverse engineer firmware.
In 2013 the US Food and Drug Administration (FDA) published guidelines highlighting the security loopholes in various medical devices connected to the internet.
In 2012, the late New Zealand Black Hat hacker Barnaby Jack famously demonstrated hacking a pacemaker to deliver a deadly electric shock at the BreakPoint security conference in Melbourne.