Security researchers and hackers have spent the last 20 years or so tearing apart all manner of software and hardware, looking for vulnerabilities, attack vectors and bugs, and the advent of embedded and implantable devices has now drawn their attention to this new class of targets. Medical devices, both implantable and external, have become the subjects of quite a lot of research lately, and the results are not encouraging.
One of the more troubling examples of what’s happening is the research that’s being conducted on implanted medical devices, such as pacemakers. Barnaby Jack, a researcher at IOActive, this week delivered results of research he’s done on this topic and said that several manufacturers are selling pacemakers that have a bug that could enable an attacker with nothing more than a laptop to send a signal to the pacemaker that would deliver a potentially lethal electric shock to a patient. The research, presented at the Breakpoint conference in Australia, showed that the pacemakers, which can be controlled wirelessly, contain programming errors that allowed Jack to send a special command to them and get their model and serial numbers back in return.
Jack then developed a method to send remote commands to the pacemakers, including one that would deliver a massive 830-volt shock to the patient wearing the pacemaker, Jeremy Kirk from the IDG News Service reported. This is not the first time that Jack has been able to exploit vulnerabilties in critical medical devices. Last year he demonstrated an attack on insulin pumps that enabled him to cause the pump to give the wearer a lethal dose of insulin. He can execute that attack against a pump within about 300 feet.
Jack is not alone in his success finding vulnerabilities in medical devices. There have been a number of other such demonstrations, including another attack on insulin pumps presented at DEFCON in 2011 that allowed an attacker to remotely mess with the dosage levels. And other researchers have discovered flaws in artificial external defibrillators (AEDs), as well.
“The problems boil down to important but boring things: diffusion of responsibility and planning for the security development lifecycle. In short, there’s still a lot of fingerprinting over who is responsible and accountable for ensuring medical device security. The current answer is: everyone, so no one,” said Kevin Fu, an associate professor of computer science and engineering at the University of Michigan, who has done considerable research on the subject of medical-device security.
Nor are implantable devices the only weak link in the chain. The medical equipment used in medical offices and hospitals also have some serious security problems. Security researchers have been warning for years that the monitoring devices in hospitals and physicians’ offices often run outdated versions of Windows that have myriad known and exploitable security vulnerabilities. Researchers have shown that these devices, while sometimes considered safe because they’re not readily accessible to attackers, are, in fact, potential targets for malware. The government has taken note of the problem to a certain degree, and the Government Accountability Office in August issued a report on the security issues inherent in many medical devices and the lack of agreement on what to do about it. The problem is a difficult one, given the challenges of updating the software on these devices, and the non-security considerations such as reliability and battery life.
“Although researchers have recently demonstrated the potential for incidents resulting from intentional threats in two devices—an implantable cardioverter defibrillator and an insulin pump—no such actual incidents are known to have occurred, according to the Food and Drug Administration (FDA). Medical devices may have several such vulnerabilities that make them susceptible to unintentional and intentional threats, including untested software and firmware and limited battery life. Information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices. These risks include unauthorized changes of device settings resulting from a lack of appropriate access controls. Federal officials and experts noted that efforts to mitigate information security risks need to be balanced with the potential adverse effects such efforts could have on devices’ performance, including limiting battery life,” the GAO report says.
It’s not often that the malware attacks that compromise medical devices make their way into the news or onto the desks of regulators in Washington. Part of the problem is that no one is entirely sure who is responsible for the security of the devices: the manufacturers or the customers. Each group believes the other should be responsible, and as a result, no one is, and there are obstacles for each of the parties involved to take serious action.
“There’s kind of the perfect storm of disincentives to make sure the right thing doesn’t happen,” Fu said. “No stakeholder is singularly to blame. The manufacturer who doesn’t regularly issue updates isn’t helpful to the hospital. Hospitals that don’t report problems that could lead to patient harm are complicit. Regulators have guidance on security and say manufacturers should keep these devices up to date, but the problem is patches don’t require further FDA review unless there’s a safety issue. And that causes manufacturers to make decisions that aren’t in the best interest of patients. It’s common for manufacturers not to issue patches because they could require review.”
Fu said that despite the problems, there are some good things happening in the medical device security field.
“There’s some good things going on, some level-headedness,” he said. “There are some engineers doing good things. But the engineers need help translating this into language that executives can understand.”