When hacking saves lives: Hacking medical devices and implants

Of all the IoT devices out there, none are more crucial to users than the medical devices that help them simplify the management of certain medical conditions or, in the most extreme cases, actually keep living.

It’s no wonder then that security researchers that depend on these devices are eager to analyze them.

One of these researchers is Marie Moe, current research scientist at independent research organisation SINTEF and former member of Norway’s CERT. Several years ago, she had problems with her heart beat, and she was fitted with a pacemaker that keeps that beat as it should be.

Naturally, she was eager to check for herself whether the device is open to attacks and security bugs. Admittedly, she is not worried about potential attacks, but software bugs and potential malfunctions make her uneasy.

An early incident that almost made her physically collapse due to a misconfiguration of software also spurred her research, as the misconfiguration happened because of a software bug that resulted in the actual pacemaker settings not being displayed correctly to the technician trying to configure the device.

Also, after downloading the technical manual for her pacemaker she discovered that it had two wireless interfaces, one of which she wasn’t informed about when the device was inserted into her body.

The first one is used for the pacemaker to deliver data to medical equipment at the hospital when she goes for check-ups, and can be used by doctors or pacemaker technicians to adjust the device’s settings.

The second one (admittedly, switched off in her case because unneeded) opens the possibility for remote monitoring of the situation – the pacemaker relays data to an access point located in the patient’s house, and relays that data to vendor servers, where doctors can access it via a web interface.

Unfortunately, what she also found out is that this data is sent via insecure methods of communications such as email, SMS, GSM. Also, she noted the problem of private medical data beign sent to servers that might be anywhere in the world, and pointed out that, effectively, patients’ privacy is likely breached.

The pacemaker does not have to be connected to the Internet of medical things and send out data, but this has advantages for patients that, for example, have to go for a check-up often, or live in a more remote area, as they don’t have to come to the hospital in order for the doctor to check if everything is going well.

Still, she argues, users need to know about everything and be able to make an informed decision. Also, they need to be able to trust their doctors, and at the moment doctors and other technical personnel know very little or nothing about the security of this technology.

They should also be able to trust the vendors – something that they still can’t do.

Moe and ISC hacker Eireann Leverett, senior risk researcher at The Centre for Risk Studies at Cambridge University, also decided to test some devices they were able to buy on eBay: an access station and the programmmer devices. For obvious reasons, they didn’t want to test Moe’s own implanted pacemaker.

On them they discovered medical information about previous users, and noted that correct device decomissioning is a problem. They also found out that it’s possible to patch pacemakers via the programmers.

During their talk at the 32nd Chaos Communication Congress in Hamburg, Germany, Moe and Leverett avoided bombastic demonstrations of vulnerabilities and hype, but repeatedly shared examples why security research of medical devices is important.

“Hacking can save lives,” they noted, and encouraged the audience to get into it.

As an added incentive, they also pointed out two recent victories in medical device research:

• The October 2015 decision by the US Librarian of Congress to make it legal for security researchers to reverse engineer medical implants and devices without infringing copyright (which goes in effect on October 2016) and
• US FDA’s decision to urge hospitals to stop using a computerized pump made for delivering infusion therapy that has been found vulnerable to attack.

The latter decision was made before anyone dying due to the vulnerabilities, which is a huge improvement on how the authorities react to medical security research, Leverett pointed out.