We have traditionally been good at patching software when vulnerabilities are discovered – but this becomes harder for embedded devices such as pacemakers because they cannot be independently updated.
First Published 1st September 2017
At some point in every person's life, an assisted medical device will be needed.
4 min read | Reflare Research Team
On August 29th, the US Food and Drug Administration (FDA) recalled more than 500,000 pacemakers by medical company Abbott Laboratories over cyber security concerns.
What happened?
During routine investigations, the FDA found that certain lines of pacemakers manufactured by Abbot were vulnerable to attacks as they either had vulnerable authentication mechanisms or no authentication whatsoever.
As we have mentioned in previous briefings, poor security in medical devices is surprisingly common. Implanted devices are usually designed to operate for many years or even decades. While the function of the human heart does not change during this timespan, what is acceptable in IT security definitely does.
The devices in question were designed to communicate with control devices using radio waves. The control devices could thus adjust the devices’ functionality or read patient data from them without the need to remove the implants from the patient.
Communicating on specific radio frequencies using specific protocols was very expensive only a decade ago. Specialized hardware had to be designed and built for each device, thus putting attacks against such devices out of the range of most attackers. The advance of Software Defined Radio (SDR) hardware however has lowered the price of such attacks to just a few hundred US dollars.
Now, anyone with an affected device is currently at the mercy of hackers.
How high is the risk?
Since communication is done over radio waves, attackers have to be in relatively close proximity to their victims and have a very good understanding of the protocol used by the pacemakers. Furthermore, there doesn’t seem to be a profit motive. When hacking corporate networks, the stolen data is easily monetized. But to most, physically killing a person has no immediate financial benefit. Murder is much more rigorously prosecuted than hacking.
When viewing proximity and monetization together, we consider it unlikely that this incident will be common and lead to many fatalities. It is however very important that the devices are correctly updated. Otherwise over time attackers may become able to blackmail governments or medical manufacturers with threats of country-wide pacemaker shutdowns.
What is the fix?
Luckily for patients, the insecure wireless communication protocol also represents the solution to the security issue. According to Abbot, pacemakers can be updated in a short non-invasive update performed at regional hospitals. The pacemaker receives a new (secured) firmware and should thereupon no longer be vulnerable to attacks.
Summary
As cyber security continues to gain importance in our everyday lives, regions previously thought to be unrelated such as medicine, factories or movie production are increasingly in need of good security. We expect the number of similar cases to rise and then fall over the coming decade as older medical devices are slowly audited and replaced.