Half a million pacemakers are vulnerable to new hacker attacks


If past years have taught us anything, it is that in this day and age there is no machine or device that cannot be hacked, not even a pacemaker.

Namely, almost half a million pacemakers, 465,000 to be exact, implanted in patients, are being recalled after the US Food and Drug Administration found out about their hackable potential.

The shortcoming was discovered by a cyber security company called MedSec, whose specialty is discovering vulnerabilities in healthcare industry devices.
 

The researchers were able to hack a pacemaker using equipment that costs as little as $15, running the pacemaker’s battery flat and altering the pacing of the device, actions that, if conducted on implanted pacemakers, could result in death.
 

The six affected types of radio-controlled cardiac pacemakers were manufactured by the health tech company Abbott and sold under the St Jude Medical name, prior to August 28th. Their main function was to monitor and help patients recovering from heart failure or with irregular or slow heartbeats.
 

St Jude Medical had already experienced an FDA recall prior to this one: in January, another warning was issued about implantable RF pacemakers and their transmitters, pointing out that they could be responsible for irregular pacing and shocks.
 

St Jude Medical’s answer to the half a million potentially hackable pacemakers came in the form of a firmware update, as it is a much easier option and far less dangerous than undergoing surgery for a new unhackable pacemaker.
 

This firmware update should last about 3 minutes and is to be administered by healthcare providers, because the devices run in backup mode during the update and might experience loss of diagnostic information or, even worse, bricking.
 

Though firmware is essentially just software for hardware, the update involves risks about which patients should be thoroughly informed by their doctors.
 

So far, there hasn’t been any real hacker attack aimed at patients with the vulnerable pacemakers, at least according to St Jude Medical’s statistics.
 

Why a pacemaker is perfect for hacking

As the FDA has warned, any device that connects to the Internet is exposed to hacking, and pacemakers are no exception.
 

Though they do have advantages, including more convenient and safer health care, IoT devices carry with them the risk of cyber attack and cyber crime.

One of the reasons why medical devices such as pacemakers are easily hackable lies in their lack of the memory or power that would otherwise be used to support access control, encryption or cryptographic security.
 

For example, if a device is equipped with HTTPS (encryption that prevents eavesdropping) instead of HTTP, it uses as much as 30% more energy, due to the loss of proxies.
 

As the usual cryptography suites (the ones used to prove identity and encrypt the information transmitted) are designed for PCs, they usually involve complex mathematical operations, which, in turn, require a machine much more powerful than a simple IoT device.
 

NIST, the US National Institute of Standards and Technology, has recognized the problem and is working on developing so-called lightweight cryptographic suites, specifically designed for low-powered Internet of Things devices.
 

Another problem lies in the everlasting convenience vs security battle.

Doctors and patients do not usually expect to log in to medical devices all the time, in the same way that they are used to logging in to their smartphones.

And the question arises: when the pacemaker fails and the ambulance comes, how likely is it that a patient with the implanted device could find the device serial number and authentication information and give them to the paramedics?
 

The third reason lies in remote monitoring, as most medical devices have this option.

Though it is a far better option than surgical removal or replacement of a device when it malfunctions, remote monitoring opens another type of vulnerability, that is, it makes a device hackable.

In plain English, if a doctor can remotely update the software of a medical device, then anyone can do it as well.
 

What lies ahead

This connectedness of everything is sure to stay here for good.

Each day, more and more devices are being connected to the Internet and using Wi-Fi in all fields of our lives, medicine included.

But with all the benefits that this connectivity brings, it also brings a major issue, and that’s security. Keeping everything hack-free takes a lot of power and memory, two things that most small IoT devices lack.
 

However, the solution seems to be on the horizon, as each day new low-cost cryptographic hardware chips are being designed.

With these chips and lightweight cryptographic suites, it seems that programmers are on their way to providing a long-lasting solution to a security problem that is more present than ever.