Pacemaker Code ‘Contains 8,000 Vulnerabilities’

A second warning about the cyber safety of medical equipment has been issued this week, after a researcher found more than 8,000 known vulnerabilities in the code inside pacemakers.

The revelation came from researcher Billy Rios and Dr Jonathan Butts from security company Whitescope. Besides the alarming number of vulnerabilities with the cardiac devices, their study also found that hackers can easily purchase ‘pacemaker programmers’ from online auction websites.

These pacemaker programmers can reprogram any pacemaker from the same manufacturer. To make matters worse, they do not authenticate to pacemaker devices, which raises obvious security concerns.

Pacemaker Flaws

The experts said in a blog post that potential vulnerabilities had been discovered in all pacemaker systems, but refused to discuss the specifics of those flaws and instead reported them to the relevant US authorities.

“We examined seven different pacemaker programmers from four different manufacturers,” they wrote. “Most of our efforts were focused on 4 programmers that had RF capabilities.”

“We discovered over 8,000 known vulnerabilities in third party libraries across four different pacemaker programmers from four different manufacturers,” they blogged. “This highlights an industry wide issue associated with software security updates.”

And they found how easy it was to obtain pacemaker programmers that can reprogram cardiac devices.

“For this project, we acquired pacemaker programmers, home monitors, and pacemaker devices made by four different manufacturers,” they blogged. “These devices are supposed to be ‘controlled’, as in they are supposed to be returned to the manufacturer after use by a hospital, but all manufacturers have devices that are available on auction websites.”

The researchers said that pacemaker programmers can cost from as little as $500 (£389) up to $3,000 (£2,332).

“Despite efforts from the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities,” the researchers wrote. “Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers.”

Medical Security

This is the second time this week that concern has been raised about the cyber security of medical devices.

Research from Synopsys (with the Ponemon Institute) this week discovered that while most medical device manufacturers and healthcare delivery organisations (HDOs) expect an attack on medical devices in the coming months, they are doing little to prevent it.

And to make matters worse, the Synopsys study found that only nine percent of manufacturers and five percent of HDOs test medical devices at least once a year. And unbelievably, 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.

And this is not a new concern either.

Two researchers said in 2015 that commonly used medical equipment was vulnerable to online hackers. Those researchers found that devices such as MRI machines, infusion systems, and pacemakers were vulnerable to attack.

And prior to that in 2012, researchers from McAfee showed that they could take control of insulin pumps implanted inside diabetes patients.

Scientists at the University of Massachusetts also showed that they can use radio attacks to turn off defibrillators inside heart patients.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
