New research shows an alarming number of security vulnerabilities in pacemakers and other implanted medical devices. As these types of devices become more prevalent in society, so too does the risk that someone will become the victim of an external attack.
According to an article by Gizmodo, security firm WhiteScope published a report focusing specifically on cardiac devices (e.g., pacemakers). The 17th May document showed that the four major manufacturers of such devices shared similar programming and communication protocols. More alarmingly, authentication requirements to access and update the devices remotely were often non-existent.
Increasingly Complicated Ecosystem for Pacemakers and Implants
WhiteScope found up to 8,000 security vulnerabilities at various stages of the pacemaker ecosystem. And it’s an ecosystem that grows increasingly complicated as technology improves.
“The findings reveal that the inherent architecture and implementation interdependencies are susceptible to security risks that have the potential to impact the overall confidentiality, integrity and availability of the ecosystem.”
Other concerns included use of off-the-shelf parts and use of third-party libraries, which could introduce known vulnerabilities to the health infrastructure. All this put both the patients’ health and privacy at risk — though the idea of having a device’s function tampered with is probably of highest concern.
WhiteScope’s diagram shows how the implant ecosystem is structured, with vulnerable points not just in the device itself, but throughout the network. All major manufacturers displayed similar vulnerabilities.
WhiteScope made several recommendations to vendors on how they could improve security. Top of the list is stronger device authentication requirements, both wireless and via USB. Others include file system encryption, variable name obfuscation in code, and not using removable drives on physician-programmer machines.
“Andy”, a 49 year-old pacemaker wearer, expressed his concerns:
“Everyone with a pacemaker is at risk. This hacking has to stop. It is not like they are going after a corrupt politician that has a slew of documentation stashed away in some dingy corner of a hard drive. That people can just hack a pacemaker and thus killing said person is murder and should be viewed as murder. Go after corrupt politicians all you want but do not play with someone’s life.”
History of Pacemaker Hacking
That implantable medical devices are vulnerable to hacking is not a new idea, but vendors may not be taking it seriously enough. To add intrigue to the story, New Zealand hacker Barnaby Jack died suddenly and mysteriously in 2013 — one week before he was scheduled to present a report called “Implantable Medical Devices: Hacking Humans” at the Black Hat conference.
Jack had a history of demonstrations involving hacking pacemakers and insulin pumps. He had spent six months researching the latest issue and claimed to have a live demonstration which sent a high-voltage shock to a device from 50 feet away.
In 2012 he performed an “assassination demonstration” that referenced an episode of “Homeland” where attackers used such an exploit on a (fictional) U.S. Vice President.
Former (real) U.S. Vice President Dick Cheney took the risk seriously enough to have his own device’s wireless capability disabled, even though this meant it couldn’t be reprogrammed without surgery.
Other Implantable Devices Also at Risk
While WhiteScope’s report focused on cardiac devices (e.g., pacemakers), there are plenty of other implantable devices similarly at risk. Even wearers of devices not tied to vital life-support functions are concerned at the prospect that a hacker could bend parts of their bodies to their will.
“Sam” had a spinal cord stimulator implanted after a spinal injury left him unable to walk properly. He told Bitsonline it helps him deal with the pain and become more mobile.
“Being able to have life-changing or even life-saving computerized technology implanted is an amazing thing. For some it’s pumping insulin, and for others it keeps their heart beating. For those like me it is a spinal cord stimulator.”
He described the vulnerabilities to these types of devices as “staggering and terrifying”. Users have a false sense of security, yet the devices are as open as those from the earliest days of wireless technology.
“On one hand you want the technology to help save or improve your life, on the other the escalating risks of being hacked is something to give anyone the creeps who has something implanted.”
“While adjusting my implant programming I asked the technician about the risks of being hacked. While he didn’t discount the risks he did state that they are doing more and more to work on the security of the devices. I don’t want mine taken out, but being in the tech industry for so long makes me wary — like there is some other cybersecurity threat above and beyond the norm. I hope that medical implant device companies get more proactive with security, before we do see some horrors pop up with people’s implants being hacked.”
Real Science Fiction Territory
The thought of body parts being hacked is almost science fiction territory. And so far there aren’t any (known) examples in real life. Yet as wireless, internet-connected technology pervades more aspects of our daily lives every year, we’ll be dealing with real science fiction villains too if we’re not more careful.
Do you, or do you know anyone who wears a medical implant device? What concerns you about this? Let’s hear your thoughts.
Names in this article have been altered to protect medical privacy.