By Veronica Schmitt
This article was originally featured in PenTest Magazine.
Once, I was pretty much a regular girl. That was before my improvements, which made me more cyborg-like than purely human. I was unlucky enough that the “natural” pacemaker in my heart failed, and in the end I had to hand this very important function over to a machine: an implantable medical device, to save my life. As someone who is interested in the workings of these wonderful machines, I found it difficult to get medical staff to answer my questions about them. Is this device really secure? I know it will help me live, but can someone pwn my heart? The silence I received when raising these questions left me despondent, so I started doing my own research to try to identify why so little thought is given to security in medical devices. Surely a matter of life and death should count for more than convenience and battery power?
The question is not: “what kind of person would hack a pacemaker?” The answer to that one is easy: it is the same kind of person who walks up to someone and stabs them. The world is full of bad people doing bad things. Now we live in an age where we add every device to the Internet of Things because it is convenient. I cannot see why we should make it easier for someone to gain unlawful access to my heart.
I agree this sounds like a scene from a sci-fi movie. It is, however, the struggle facing many individuals who require medical devices to survive. There have been big technological advances, and it would seem that even though these devices last longer and do more, they remain insecure and open to attack. Medical devices are becoming more sophisticated; the sad truth, however, is that manufacturers are playing catch-up with legacy security flaws. The dilemma for individuals with these devices is real: we need our medical staff to have immediate access to the device, especially in an emergency. The flip side of this coin is that we also need to protect these sensitive devices from outside access. This is one big catch-22: if we increase security, do we reduce access and availability? My concern, as someone who sits in the middle of this, is what happens when the first device is compromised and the patient dies. That could have a profound impact on future patients' willingness to accept these devices.
These devices have been shown to be prone to attacks that could have significant effects on any patient. Recent research published on the Whitescope IO blog showed major vulnerabilities across the pacemaker ecosystem: the implant, the programmer and the home monitoring units it communicates with. In simple terms, a pacemaker is a programmable computer with an antenna. Ransomware attacks have risen sharply, leaving the public more vulnerable than ever, and the fact that these devices do not use signed firmware opens them to the risk of being reloaded with custom firmware that holds the pacemaker to ransom. Worse still, the telemetry wand (the device used to interact with the pacemaker) only has to send the initial message; after that, the longer-range radio channel is open. The Internet of Things might as well be relabelled the ‘Internet of Healthcare’: a multitude of medical equipment is now wirelessly connected, with little to no security built in. Healthcare and security professionals have to have the conversation about these flaws and about how, together, we can make the devices better and less vulnerable.
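As an added example (it is not the article's or any vendor's code), the following Python puts the unsigned loader the paragraph above describes next to what a signed-firmware check on the implant side looks like. It is a constructed simulation: the image layout, the key and the version numbers are assumptions, and a keyed HMAC stands in for the asymmetric signature a real device would verify with a public key held in ROM, so that the manufacturer's signing key never has to be on the device.

```python
"""Added example: authenticated firmware-update check for an implant.

Constructed simulation, not any vendor's code. The image layout, key and
version numbers are assumptions; HMAC stands in for an asymmetric signature.
"""
import hashlib
import hmac
import struct
from typing import Tuple

MAGIC = b"PMFW"                       # assumed image magic
HEADER = struct.Struct(">4sII")       # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size

# Constructed key. A real design keeps the signing key with the manufacturer
# and burns only the matching public key into the implant.
SIGNING_KEY = bytes.fromhex("5f" * 32)


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Manufacturer side: header || payload || tag over header and payload."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unsigned_loader(image: bytes) -> bool:
    """The situation the article describes: any well-formed image is loaded."""
    return len(image) >= HEADER.size and image[:4] == MAGIC


def verify_image(key: bytes, image: bytes, installed_version: int) -> Tuple[bool, str]:
    """Implant side: reject anything malformed, not signed, or not newer.

    Cheap structural checks run before the MAC so junk is dropped without
    spending battery on hashing; the rollback check runs after the MAC so an
    attacker cannot use a forged header to learn which versions are installed.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    if len(image) != HEADER.size + length + TAG_LEN:
        return False, "length mismatch"
    signed_part, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, signed_part, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "signature invalid"
    if version <= installed_version:              # anti-rollback
        return False, "rollback to version %d refused" % version
    return True, "ok"


def tamper(image: bytes, offset: int) -> bytes:
    """Attacker flips one payload byte (stand-in for planting ransom logic)."""
    return image[:offset] + bytes([image[offset] ^ 0xFF]) + image[offset + 1:]


def demo() -> dict:
    """What each loader does with a genuine, a tampered and a downgraded image."""
    installed = 3
    genuine = build_image(SIGNING_KEY, 4, b"pace-v4: rate=70 mode=DDD")
    tampered = tamper(genuine, HEADER.size + 10)          # inside the payload
    downgrade = build_image(SIGNING_KEY, 2, b"pace-v2: old, exploitable build")
    return {
        "unsigned_accepts_tampered": unsigned_loader(tampered),
        "unsigned_accepts_downgrade": unsigned_loader(downgrade),
        "signed_genuine": verify_image(SIGNING_KEY, genuine, installed),
        "signed_tampered": verify_image(SIGNING_KEY, tampered, installed),
        "signed_downgrade": verify_image(SIGNING_KEY, downgrade, installed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The unsigned loader accepts both the tampered build and the old, genuinely signed build; the verifying loader refuses the first because the tag no longer matches and the second because the version counter only moves forward. Both refusals matter: without anti-rollback, an attacker does not need to forge anything, only to replay a vulnerable release the manufacturer once shipped.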
These devices come with legacy problems and a lack of security. The focus should shift from being a convenient life-saving device to being a secure life-saving device. Research by multiple teams has shown that these devices fail basic application security. One example: once an attacker has authenticated by mimicking the telemetry wand's authentication mechanism, they can flood the pacemaker with commands, and there are no defences against replay attacks. Such an attack also keeps the pacemaker from entering the sleep mode it relies on to conserve battery, and so has the potential to drain the battery far faster than designed. For anyone who has a device, this is a devastating consequence: not only can your device be drained, it can be made to malfunction. As someone who lives with the vulnerability, it scares me and makes me concerned. To date, none of the manufacturers have alluded to any device being compromised while implanted in a person (although there have been numerous recalls of St. Jude Medical devices).
Imagine a scenario where someone intercepts communications from a distance using radio-frequency antennas, capturing all the data sent from the medical programmer to your device. These devices are vulnerable to man-in-the-middle attacks on a live session. Research published at the 2008 IEEE Symposium on Security and Privacy showed that, using a software-defined radio, the researchers were able to rather easily reconfigure a device so that it would fail to defibrillate the patient, and to make it beat inconsistently. Granted, I am not at the top of some assassination list (as far as I know), but I do not believe that makes my concern any less valid.
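As an added example, and not code from the article or any vendor's protocol, the following Python models the replay flood and battery drain described two paragraphs above together with the live-session tampering described in the paragraph just above, and shows what a session-bound, counter-protected channel changes. Everything in it is a constructed assumption: the static wand token, the shared key, the frame layout and the "wake-ups" count used as a stand-in for battery cost. It addresses authenticity and replay only; keeping the captured data confidential would additionally require encryption.

```python
"""Added example: replayable telemetry channel versus a session-bound one.

Constructed simulation, not any vendor's protocol. Token, key, frame layout
and the wake-up counter (a stand-in for battery cost) are assumptions.
"""
import hashlib
import hmac
import os
from typing import List, Optional

TAG_LEN = hashlib.sha256().digest_size


class NaivePacemaker:
    """Accepts any frame carrying the wand's static token, forever."""

    def __init__(self, wand_token: bytes) -> None:
        self.wand_token = wand_token
        self.wakeups = 0                      # each accepted frame keeps the radio awake
        self.programmed: List[bytes] = []

    def handle(self, frame: bytes) -> bool:
        token, cmd = frame[:8], frame[8:]
        if token != self.wand_token:
            return False
        self.wakeups += 1
        self.programmed.append(cmd)           # settings change on every replay too
        return True


class HardenedPacemaker:
    """Needs a fresh per-session nonce, a MAC over the frame and a strictly
    increasing counter; replays and edits are dropped before they cost much."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.wakeups = 0
        self.last_counter = 0                 # persisted across sessions
        self.session_nonce: Optional[bytes] = None
        self.programmed: List[bytes] = []

    def challenge(self) -> bytes:
        """The short-range wand tap opens a session; the nonce binds it."""
        self.session_nonce = os.urandom(16)
        return self.session_nonce

    def handle(self, frame: bytes) -> bool:
        # frame = counter(4) || command || tag(32)
        if self.session_nonce is None or len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if int.from_bytes(body[:4], "big") <= self.last_counter:
            return False                      # replay: cheapest check first, no hashing
        expected = hmac.new(self.key, self.session_nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged, edited, or from a stale session
        self.last_counter = int.from_bytes(body[:4], "big")
        self.wakeups += 1
        self.programmed.append(body[4:])
        return True


class Wand:
    """Legitimate programmer side of the hardened protocol."""

    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def frame(self, nonce: bytes, cmd: bytes) -> bytes:
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + cmd
        return body + hmac.new(self.key, nonce + body, hashlib.sha256).digest()


def flip_byte(frame: bytes, offset: int) -> bytes:
    """Man-in-the-middle edit of one captured byte ('7' becomes '6')."""
    return frame[:offset] + bytes([frame[offset] ^ 0x01]) + frame[offset + 1:]


def forge_edit(frame: bytes, new_counter: int, offset: int) -> bytes:
    """Attacker edits a hardened frame and bumps the counter; without the key
    the tag must be left as captured."""
    return new_counter.to_bytes(4, "big") + flip_byte(frame, offset)[4:]


def simulate(replays: int = 1000) -> dict:
    cmd = b"SET_RATE=70"
    # Naive device: one captured frame, replayed and then edited.
    naive = NaivePacemaker(wand_token=b"WAND0001")
    captured = naive.wand_token + cmd
    naive.handle(captured)
    for _ in range(replays):
        naive.handle(captured)
    naive_edit = naive.handle(flip_byte(captured, 8 + len(b"SET_RATE=")))

    # Hardened device: same capture, same replays, same edit, then a new session.
    hard, wand = HardenedPacemaker(bytes(range(32))), Wand(bytes(range(32)))
    nonce = hard.challenge()
    captured2 = wand.frame(nonce, cmd)
    hard.handle(captured2)
    replays_rejected = sum(not hard.handle(captured2) for _ in range(replays))
    edit_accepted = hard.handle(forge_edit(captured2, 2, 4 + len(b"SET_RATE=")))
    nonce2 = hard.challenge()
    stale_accepted = hard.handle(wand.frame(nonce, cmd))    # old session's nonce
    fresh_accepted = hard.handle(wand.frame(nonce2, cmd))
    return {
        "naive_wakeups": naive.wakeups,
        "naive_edited_accepted": naive_edit,
        "naive_last_setting": naive.programmed[-1],
        "hardened_wakeups": hard.wakeups,
        "hardened_replays_rejected": replays_rejected,
        "hardened_edited_accepted": edit_accepted,
        "hardened_stale_accepted": stale_accepted,
        "hardened_fresh_accepted": fresh_accepted,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

With the default 1000 replays the naive device wakes up 1002 times and ends with a setting the clinician never sent, while the hardened device wakes up exactly twice: once for the genuine frame and once for the genuine frame of the next session. The order of checks is deliberate: the counter comparison rejects a replay before any hashing is done, so an attacker cannot turn the defence itself into a battery-drain attack, and the nonce in the MAC means a frame captured today is useless against tomorrow's session even if the counter were guessed.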
Another big concern is that medical professionals encourage patients to use home monitoring systems connected to the Internet. This lets the device be reached, and potentially reconfigured, from anywhere in the world. In my opinion, as both a security researcher and a patient, this is a scary scenario. The home system does not offer protection strong enough to ensure that your heart will not be pwned. We all know that being connected to the Internet means risking compromise. Patients should not be in the business of connecting the machine that keeps them alive to the IoT. It is the equivalent of leaving your most valuable possession on the pavement in the hope that no one steals it.
We trust pacemaker manufacturers. We entrust one of our most vital life functions to them, without having much choice in the matter. However, the code that runs these devices remains proprietary and cannot be collaborated on or independently tested. In the open source community, big strides have been made in making code development more secure. Perhaps by following an approach similar to the open source community's, progress can be made in improving these devices.
We should not be in the business of sacrificing security for convenience or power. As a patient, I would rather sleep knowing my device has been hardened, and accept the inconvenience of replacing it more regularly, than the converse. I feel that we, as the security community, should be addressing these vulnerabilities and assisting medical manufacturers with the security of the devices that literally keep people alive. More effort should go into fixing these security vulnerabilities. The simple fact is that we are not dealing with just ones and zeroes; for some, this is a life or death situation. If one of these devices malfunctions, the patient who has it implanted runs the risk of dying. Power and convenience should not trump safety and security. Together, as a community, we can make a difference and make these necessary devices safer to use.
Sources
http://blog.whitescope.io/2017/05/understanding-pacemaker-systems.html
https://www.scientificamerican.com/article/heart-stopper-med-device-hack/
https://spectrum.ieee.org/podcast/biomedical/devices/hacking-pacemakers
https://drive.google.com/file/d/0B_GspGER4QQTYkJfaVlBeGVCSW8/vie
Author
Veronica Schmitt is a veteran digital forensic scientist, malware researcher and Partner at DFIRLABS. Chat to her on Twitter here.