“If you want to keep living, pay a ransom, or die.” Over 8,600 Vulnerabilities Found in Pacemakers
This could happen, as researchers have found thousands of vulnerabilities in pacemakers that hackers could exploit.
Millions of people who rely on pacemakers to keep their hearts beating are at risk from software glitches and hackers, which could eventually take their lives.
The small devices have been saving lives for decades, and have now been developed to send information about a patient’s heart to their doctor. The latest models can even be fixed remotely if something goes wrong.
The U.S. government issued rules for addressing cyber vulnerabilities in these life-saving medical devices, as well as in insulin pumps and imaging systems.
‘Cybersecurity threats are real, ever-present and continuously changing,’ Suzanne Schwartz, a senior Food and Drug Administration official who helped draft the new rules, said in a blog post.
‘And as hackers become more sophisticated, these cybersecurity risks will evolve.’
US officials have been investigating flaws in pacemakers since last year, when the batteries in a batch ran out three months before they were supposed to, leading to at least two deaths.
In a recent study, researchers from security firm White Scope analyzed seven pacemaker products from four different vendors and discovered that they use more than 300 third-party libraries, 174 of which are known to have over 8,600 vulnerabilities that hackers could exploit in pacemaker programmers. All of the programmers examined by the security firm had outdated software with known vulnerabilities, and many of them run Windows XP.
Researchers discovered that the pacemaker devices do not authenticate these programmers, which means anyone who gets their hands on an external monitoring device could potentially harm or kill heart patients with an implanted pacemaker.
There are millions of people who rely on these brilliant technologies to stay alive. But as we put more electronic devices into our bodies, we must address the serious security challenges that come with them. We are familiar with the threat that cyber-crime poses to the computers around us – however, we have not yet prepared for the threat it may pose to the computers inside of us.
In another incident last year, a researcher hacked his insulin pump using an Arduino module that cost less than $20. Barnaby Jack, a security researcher at McAfee, demonstrated in April a system that could scan for and compromise insulin pumps that communicate wirelessly. With a push of a button on his laptop, he could have any pump within 300 feet dump its entire contents, without even needing to know the device identification numbers.
At a different conference, Jack showed how he’d reverse-engineered a pacemaker and could deliver an 830-volt shock to a person’s device from 50 feet away. Government regulators have studied this issue and recommended that the FDA take these concerns into account when approving devices. This may be a helpful first step, but the government will not be able to keep up with the fast developments of cyber-crime. As the digital and physical worlds continue to meld, we are going to need an aggressive system of testing and updating these systems. The devices of yesterday were not created to protect against the threats of tomorrow.