Pacemaker Code ‘Contains 8,000 Vulnerabilities’

A second warning about the cyber safety of medical equipment has been issued this week, after a researcher found more than 8,000 known vulnerabilities in the code inside pacemakers.

The revelation came from researcher Billy Rios and Dr Jonathan Butts from security company Whitescope. Besides the alarming number of vulnerabilities associated with the cardiac devices, their study also found that hackers can easily purchase ‘pacemaker programmers’ from online auction websites.

These pacemaker programmers can reprogram any pacemaker from the same manufacturer. To make matters worse, these pacemaker programmers do not authenticate to pacemaker devices, which raises obvious security concerns.

Pacemaker Flaws

The experts said in a blog post that potential vulnerabilities had been discovered in all pacemaker systems, but refused to discuss the specifics of those flaws and instead reported them to the relevant US authorities.

“We examined seven different pacemaker programmers from four different manufacturers,” they wrote. “Most of our efforts were focused on 4 programmers that had RF capabilities.”

“We discovered over 8,000 known vulnerabilities in third party libraries across four different pacemaker programmers from four different manufacturers,” they blogged. “This highlights an industry wide issue associated with software security updates.”

And they found how easy it was to obtain pacemaker programmers that can reprogram cardiac devices.

“For this project, we acquired pacemaker programmers, home monitors, and pacemaker devices made by four different manufacturers,” they blogged. “These devices are supposed to be ‘controlled’, as in they are supposed to be returned to the manufacturer after use by a hospital, but all manufacturers have devices that are available on auction websites.”

The researchers said that pacemaker programmers can cost as little as $500 (£389) to $3,000 (£2,332).

“Despite efforts from the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities,” the researchers wrote. “Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers.”

Medical Security

This is the second time this week that concern has been raised about the cyber security of medical devices.

Research from Synopsys (with the Ponemon Institute) this week found that while most medical device manufacturers and healthcare delivery organisations (HDOs) expect an attack on medical devices in the coming months, they are doing little to prevent it.

And to make matters worse, the Synopsys study found that only nine percent of manufacturers and five percent of HDOs test medical devices at least once a year. And unbelievably, 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.

And this is not a new concern either.

Two researchers said in 2015 that commonly used medical equipment was vulnerable to online hackers. Those researchers found that devices such as MRI machines, infusion systems, and pacemakers were vulnerable to attack.

And prior to that in 2012, researchers from McAfee showed that they could take control of insulin pumps implanted inside diabetes patients.

Scientists at the University of Massachusetts also showed that they can use radio attacks to turn off defibrillators inside heart patients.

Tom Jowitt