Health IT, Devices & Diagnostics

Analysis finds 8,000+ security flaws in pacemakers

Cybersecurity issues on any device are scary enough. A frightening new report from WhiteScope shows security vulnerabilities in pacemaker systems aren’t as rare as one might think.


Is your pacemaker susceptible to cybersecurity issues? It might be.

A recent report from WhiteScope, a security firm, found approximately 8,600 security vulnerabilities in third-party data libraries in four pacemaker programmers from four separate manufacturers.

As part of the report, WhiteScope analyzed seven pacemaker programmers from four manufacturers, but the majority of the report looked at programmers with RF capabilities.

One vendor alone had 3,715 identified vulnerabilities in third-party components. Another had 2,354, and a third had 1,954.

“We believe that this statistic shows that the pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date,” WhiteScope wrote in a blog post about the analysis. “No one vendor really stood out as having a better/worse update story when compared to their competitors.”

Frighteningly, WhiteScope researchers were able to obtain all the pacemakers used in the analysis through public auction sites like eBay. Pacemaker programmers cost between $500 and $3,000. Pacemaker devices run between $200 and $3,000, and home monitoring equipment can be purchased for between $15 and $300.

“These devices are supposed to be ‘controlled,’ as in they are supposed to be returned to the manufacturer after use by a hospital, but all manufacturers have devices that are available on auction websites,” according to WhiteScope.

As far as the security vulnerabilities go, a lack of encryption seems to be a major problem for the vendors.

In one case, WhiteScope found unencrypted patient data — including names, phone numbers, Social Security numbers and medical data — on a pacemaker programmer. On top of that, all the systems examined in the analysis had unencrypted filesystems on removable media devices, meaning anybody can pick one up and hack it.

Another difficulty is the absence of authentification.

For example, pacemaker programs don’t authenticate to pacemaker devices, making it easy for a pacemaker programmer to reprogram another device from the same manufacturer. Additionally, pacemaker programmers don’t require physicians to authenticate to the programmer.

Overall, these issues foreshadow a horrifying landscape in which potential attackers can easily make their move.

For instance, “if a vendor utilizes common hard-coded credentials, an attacker has the potential to glean the credentials from a subsystem purchased through a public auction site and subsequently leverage the credentials as an attack surface for multiple subsystems.”

All the vulnerabilities WhiteScope uncovered were or will be reported through DHS ICS-CERT.

In recent years, the FDA has put out warnings about cybersecurity issues with medical devices. But apparently it’s not enough for right now.

Photo: bdspn, Getty Images