Security researchers at Whitescope have found over 8,600 vulnerabilities in the devices regarded as in the broader pacemaker ambit. These vulnerabilities were found across four producers of several products defined as pacemakers. These vulnerabilities were discovered in radio controlled devices such as pacemakers, Implantable Cardioverter Defibrillators, Pulse Generators, and Cardiac Rhythm Management collectively termed “pacemaker devices” in the study. These vulnerabilities not only raise worrying questions as to the safety of such devices but also the vulnerabilities that may come to plague the fabled Internet of Things.
Convenient, most definitely
The rise of appliances connected to the internet that enables users to change heat settings, lock doors, order food, and connect to other drivers have undoubtedly added new convenience to today’s refrigerators, motor vehicles, LCD television sets, and thermostats. However, they may be a future source of strife and frustration. Such convenience comes at a cost, the devices are practically unpatchable. Combine this with that such devices are intended to have a longer lifetime than the laptop this article is been written on and the company’s manufacturing such devices do not have the budget to pour into security features and upgrades means that they are extremely vulnerable to attack.
With the recent spate of ransomware attack campaigns, imagining that such devices will be next in line for an attack is not out of the realms of possibility. Your locking system that is linked to the internet and provides keyless entry via a smartphone may one day be attacked with you receiving a ransom note on your phone to unlock the door for 100USD in Bitcoin. Researchers recently managed to gain access to internet connected thermostat system and could alter the temperature as they saw fit, potentially causing damage to the system and building if they so choose. In another imaginary scenario which may be experienced in the not too distant future, cars may need a ransom to merely start the engine, or a driverless taxi service may be hacked to devastating effect.
Been unpatchable, in their current state, would mean that if hit by a ransomware attack they would have to be replaced or the ransom being paid. If paid, this would be no guarantee of future attack or the same code been used again to attack the device once more. Given the highly organized nature of syndicates using such techniques, the amount asked for in ransom will be carefully considered to make it appear worth paying to be free from the inconvenienced caused.
Patients at Risk
While the examples listed above could be considered irritating, frustrating, and potentially infuriating the risks posed by vulnerable pacemakers is potentially life threatening. According to the report compiled by Whitescope not only did the products in question have poor design features they were vulnerable to third party malicious attack. The products in question lacked authentication procedures allowing for a third party to hack the device if close enough and change vital settings to the patient's overall health. Further problematic is the devices do not require physician authentication meaning the device can be stolen and the third party can do what they wish without having to access the programs interface. Adding to the nightmare scenario is the fact that the systems store data on unencrypted filesystems on removable media meaning that anyone can get access to one of the devices and learn how to hack them. All of the above led Whitescope to conclude the following:
“The findings reveal that the inherent architecture and implementation interdependencies are susceptible to security risks that have the potential to impact the overall confidentiality, integrity, and availability of the ecosystem. The findings are relatively consistent across the different vendors, highlighting the need for all vendors to perform an in-depth and holistic evaluation of implemented security controls. Given the commonality of the findings across different vendors, identification of implementation vulnerabilities as to any one vendor may expose those same vulnerabilities in other vendors and should be considered carefully before public disclosure.”(Rios, Butts. 2017. Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies)
Although the paper compiled by Whitescope creates awareness as to the potential vulnerabilities of pacemakers and place them in black and white, the vulnerabilities are not a new phenomenon. In 2013 both the FDA and ICS-CERT issued numerous warnings about the safety concerns relating to unsecured pacemakers as well as insulin pumps. The FDA even released a guide which recommended how to solve the problem including recommendations pertaining to limiting access to trusted users and ensuring trusted content.
This matter was further brought to the public attention last year January when Eireann Leverett, ICS security researcher at Cambridge University, Mrs. Moe presented their findings at the 32nd Chaos Communication Congress (32C3). Their findings led them to conclude that the devices when used to collect data used trivial and fundamentally unsafe modes of communication easily hacked such as email, SMS, and GSM. This not only posed serious questions as to the maintenance of the patient’s overall health but also legal questions as to jurisdiction and the patients’ rights to privacy. Leverett and Moe, within the scope of their studies, were not interested in hacking the device for obvious safety reasons as the device investigated was connected to Moe’s heart but concluded that the device is hackable. This discovery is further verified by being able to buy a pacemaker programming device via eBay. The pair did acknowledge that, despite the vulnerabilities discovered, the pacemaker’s ability to send data to doctors and physicians could indeed save lives.
It is clear that within the medical internet of things more regulation and better use encryption technology is necessary to prevent potential attacks. One would assume that this needs to be done as protection of the patient is a priority, hopefully, this is done sooner rather than later to prevent potential loss of life and a legal fall out. As to your convenient household appliances that order your milk and eggs, you may have to shop for a low-fi solution in the near future.