Thousands of Vulnerabilities found in Pacemakers

According to a study conducted by WhiteScope, thousands of pacemakers are vulnerable to attacks. 

Today millions of people with serious heart conditions rely on pacemakers, but these pacemakers are extremely insecure as they run outdated, unpatched software.

Pacemakers used to be standalone devices with no communication with the external world, and that isolation kept them secure. However, with the advancement in technology, connected pacemakers allow doctors to better monitor patients and offer better healthcare. But this connectivity also exposes these devices to external threats, just like any other connected device.

WhiteScope performed an exhaustive security evaluation on the implantable cardiac device ecosystem. In order to conduct their study, WhiteScope obtained physician programmers, home monitoring devices, and implantable cardiac devices for the four major device vendors. According to WhiteScope, the devices use similar architectural frameworks that include communication protocols, device intercommunications, embedded device hardware, and device authentication.

It wasn’t surprising that vendors failed to keep these devices fully updated and secure, despite efforts from the FDA to streamline routine cyber security updates.

WhiteScope found that all devices were running outdated software. “Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers,” wrote researchers Billy Rios and Jonathan Butts.

The report said, “No one vendor really stood out as having a better/worse update story when compared to their competitors. In two instances, we were able to confirm that patient data was stored unencrypted on the programmer. In one instance, we discovered actual unencrypted patient data (SSNs, names, phone numbers, medical data, …, etc.) on a pacemaker programmer. The patient data belonged to a well-known hospital on the east coast and has been reported to the appropriate agency. These types of issues highlight the need for strong device disposal policies from hospitals.”

The findings of the report may lead to industry-wide reform to make such critical, life-saving devices more secure.

06/06/2017
