Thousands of Vulnerabilities found in Pacemakers


According to a study conducted by WhiteScope, thousands of pacemakers are vulnerable to attacks. 

Today millions of people with serious heart conditions rely on pacemakers, but these pacemakers are extremely insecure as they run outdated, unpatched software.

Pacemakers used to be standalone devices with no communication with the external world, and that isolation kept them secure. However, with the advancement in technology, connected pacemakers allow doctors to better monitor patients and offer better healthcare. But this connectivity also exposes these devices to external threats, just like any other connected devices.

WhiteScope performed an exhaustive security evaluation on the implantable cardiac device ecosystem. In order to conduct their study, WhiteScope obtained physician programmers, home monitoring devices, and implantable cardiac devices for the four major device vendors. According to WhiteScope, the devices use similar architectural frameworks that include communication protocols, device intercommunications, embedded device hardware, and device authentication.

It wasn’t surprising that vendors failed to keep these devices fully updated and secure, despite efforts from the FDA to streamline routine cyber security updates.

WhiteScope found that all devices were running outdated software. “Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers,” wrote researchers Billy Rios and Jonathan Butts.

The report said, “No one vendor really stood out as having a better/worse update story when compared to their competitors. In two instances, we were able to confirm that patient data was stored unencrypted on the programmer. In one instance, we discovered actual unencrypted patient data (SSNs, names, phone numbers, medical data, …, etc.) on a pacemaker programmer. The patient data belonged to a well-known hospital on the east coast and has been reported to the appropriate agency. These types of issues highlight the need for strong device disposal policies from hospitals.”

The findings of the report may lead to industry-wide reform to make such critical, life-saving devices more secure.


Related content

comments powered by Disqus