doctors use RF signals to adjust pacemakers so that instead of slicing a individual open, they can change the pacemakers parameters which in turn avoids unnecessary surgery. A study on safety weaknesses of pacemakers (highlights) or full Report (PDF) has found that pacemakers from the main makers consist of safety vulnerabilities that make it possible for the devices to be adjusted by any individual with a programmer and proximity. Of course, it shouldn’t be possible for any individual other than medical professionals to acquire a pacemaker programmer. The authors gotten their examples on eBay.
They discovered over 8,000 known vulnerabilities in third-party libraries across four different pacemaker programmers from four manufacturers. This highlights an industry-wide problem when it pertains to security. None of the pacemaker programmers required passwords, and none of the pacemakers authenticated with the programmers. Some home pacemaker monitoring systems even included USB connections in which opens up the possibilities of introducing malware through an infected pendrive.
The programmers’ firmware update procedures were also flawed, with hard-coded credentials being very common. This allows an attacker to setup their own authentication server and publish their own firmware to the home monitoring kit. due to the nature of the hack, the researchers are not disclosing to the public which makers or devices are at fault and have redacted some information until these medical device companies can get their house in buy and fix these problems.
This post only scratches the surface for an thorough look read the full report. Let’s just hope that these medical companies take action as soon as possible and resolve these issue’s as soon as possible. This is not the first time pacemakers have been shown to be flawed.