The researchers warn medtech manufacturers that proprietary "security-by-obscurity" methods just won't do.
An international research team says it has found that 10 different types of implantable medical devices, including the latest pacemakers and cardioverter defibrillators, are vulnerable to hacking.
The team from KU Leuven University, Belgium, and England's University of Birmingham used a "black-box" reverse-engineering approach and inexpensive off-the-shelf equipment to hack pacemakers from as far away as 16 ft, according to a report titled "On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them." They submitted the paper to the Annual Computer Security Applications Conference being held this week in Los Angeles.
They also recommended that medtech manufacturers "migrate from weak proprietary solutions to well-scrutinised security solutions and use them according to the guidelines." The popular practice of keeping devices' protocol specifications secret to provide security, commonly known as "security-by-obscurity," is "a dangerous design approach that often conceals negligent designs," they wrote.
And they stressed that hackers using sophisticated equipment and directional antennas could greatly extend the distance from which they can carry out attacks. They also proposed short- and long-term countermeasures to mitigate or prevent existing vulnerabilities.
The researchers intercepted the messages sent from the device programmer to the implantable cardioverter defibrillator (ICD) while carrying out different operations, such as changing the therapy settings. Hackers could install beacons in strategic locations such as a train station or a hospital to infer the patients' movement patterns based on the signals their ICDs emit, they wrote.
They also discovered that the ICD remains in standby mode for five minutes after a reprogramming session ends, leaving it vulnerable to being put into a continuous "interrogation" mode, drastically reducing its battery life and making it vulnerable to other sorts of attacks. The researchers did not identify the manufacturer, but said they notified the company before publishing the report.
The hacking of implantable cardiac devices blew up as an issue in August, when activist investment firm Muddy Waters Capital and cybersecurity outfit MedSec claimed they had discovered serious cybersecurity flaws in St. Jude Medical's cardiac devices. St. Jude has denied the devices' alleged vulnerabilities and sued the accusers in federal court.
"This message turns out to be identical for all ICDs and is sent over the long-range communication channel," they write. "In other words, there is no need for being in close proximity with the patient to activate his ICD. This is an important implementation flaw that makes these devices vulnerable to denial-of-service attacks."
The report also describes ICDs' vulnerability to privacy, repetitive, and "spoofing" attacks, the latter allowing hackers to send arbitrary commands to the ICD.
The only short-term countermeasure would be to jam the wireless signal as a defensive mechanism, they wrote. Long-term countermeasures could include external devices that could send a "shutdown" message to put the ICD immediately into "sleep" mode after the communication ends. They also designed and formally verified a semi-offline key agreement protocol between the device programmer and the ICD.
"Adversaries may eavesdrop the wireless channel to learn sensitive patient information, or even worse, send malicious messages to the ICD," the authors write. "The consequences of these attacks can be fatal for patients as these messages can contain commands to deliver a shock or to disable a therapy."
The best time to deal with security flaws is before shipping the product to customers, according to Tim Erlin, senior director of IT security and risk strategy at international cybersecurity company Tripwire.
"With implantable devices, it's especially important that as many security defects as possible be addressed before a patient takes delivery," Erlin said in a statement. "There will always be newly discovered attack techniques and motivated researchers. With a changing threat landscape, vendors of implantable devices must plan for updating their products throughout their functional life."
Nancy Crotti is a contributor to Qmed.