Pacemaker Code ‘Contains 8,000 Vulnerabilities’

A second warning about the cyber safety of medical equipment has been issued this week, after a researcher found more than 8,000 known vulnerabilities in the code inside pacemakers.

The revelation came from researcher Billy Rios and Dr Jonathan Butts from security company Whitescope. Besides the alarming number of vulnerabilities with the cardiac devices, their study also found that hackers can easily purchase ‘pacemaker programmers’ from online auction websites.

These pacemaker programmers can reprogram any pacemaker from the same manufacturer. To make matters worse, these pacemaker programmers do not authenticate to pacemaker devices, exposing obvious security concerns.

Pacemaker Flaws

The experts said in a blog post that potential vulnerabilities had been discovered in all pacemaker systems, but refused to discuss the specifics of those flaws and instead reported them to the relevant US authorities.

“We examined seven different pacemaker programmers from four different manufacturers,” they wrote. “Most of our efforts were focused on 4 programmers that had RF capabilities.”

“We discovered over 8,000 known vulnerabilities in third party libraries across four different pacemaker programmers from four different manufacturers,” they blogged. “This highlights an industry wide issue associated with software security updates.”

And they found how easy it was to obtain pacemaker programmers that can reprogram cardiac devices.

“For this project, we acquired pacemaker programmers, home monitors, and pacemaker devices made by four different manufacturers,” they blogged. “These devices are supposed to be ‘controlled’, as in they are supposed to be returned to the manufacturer after use by a hospital, but all manufacturers have devices that are available on auction websites.”

The researchers said that pacemaker programmers can cost as little as $500 (£389) to $3,000 (£2,332).

“Despite efforts from the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities,” the researchers wrote. “Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers.”

Medical Security

This is the second time this week that concern has been raised about the cyber security of medical devices.

Research from Synopsys (with the Ponemon Institute) this week discovered that while most medical device manufacturers and healthcare delivery organisations (HDOs) expect an attack on medical devices in the coming months, they are doing little to prevent it.

And to make matters worse, the Synopsys study found that only nine percent of manufacturers and five percent of HDOs test medical devices at least once a year. And unbelievably, 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.

And this is not a new concern either.

Two researchers said in 2015 that commonly used medical equipment was vulnerable to online hackers. Those researchers found that devices such as MRI machines, infusion systems, and pacemakers were vulnerable to attack.

And prior to that in 2012, researchers from McAfee showed that they could take control of insulin pumps implanted inside diabetes patients.

Scientists at the University of Massachusetts also showed that they can use radio attacks to turn off defibrillators inside heart patients.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
