Medical devices at risk from cyber attack

A pacemaker designed to send life-saving electrical pulses to your heart and provide your doctor with vital information about your health can also unfortunately be a target of a sinister cyber attack.

medical devises

Medical devices that use a wireless connection such as pacemakers, defibrillators, monitors and insulin
pumps, as well as automated drug distribution systems that are implanted in the bodies have all been considered to be at risk.

Gunter Ollmann, CTO for IOActive, says: “The medical industry is not a thought leader of information security – it is still largely playing catch up. When I look at implanted medical technology, it is pretty scary stuff.

“Many of these technologies have been around for over 20 years, but have always had connecting cables leading from outside the body. What has happened in the last five years is there has been the removal of those physical connections and a shift to wireless communication.

“The problem is you have very skilled and talented medical engineers developing these technologies. But they are now relying on software technologies being added onto their existing hardware and they do not have the 10 or 20 years of software experience to counter many of the security threats today.”

One of the problems Ollmann (inset, right) says he has encountered is “the lack of encryption for communications. It ties back to the protocols (and the view) that if the wireless is only a few centimetres away then perhaps we do not need to worry about the encryption or we do not need to make the encryption that good. Unfortunately that is where these things get caught out.

“These devices are capable of being updated remotely. Not just being able to send information back about their operations and the use of the device back to the doctor, but allow the doctor to tweak certain settings.

“This includes dosage amount as well as the ability to do updates of the actual software itself. It is just like patching and adding additional functionality improving the performance of the devices as you would expect to do for any hardware-based technology.”

Research that Ollmann has carried out has in the past has been focused on defibrillators, heart monitors and insulin pumps. He has found the process of applying patches designed to improve the performance of IT systems can be insecure.

“In a normal computing system, that may result in a denial of service where a service is hung or it needs rebooting,” Ollmann says. “That may be fine for your iPad, but it is not such a cool idea for an implanted device.”

According to Ollmann this is also the case for other medical devices with wireless connectivity, such as dialysis machines,
as well as heart and brain monitors which are connected wirelessly back to an EMT unit or the hospital networks so nurses can monitor multiple patients simultaneously.

He says: “We find the same classes of vulnerabilities again – such as the wireless being broken, the lack of encryption or poor encryption, the ability to update the software, and the actual vulnerabilities in the devices themselves.

“For the hospitals and general practitioners that may be monitoring the embedded devices, there is very little they can do to prevent these real threats. It is more about reducing the risk profile, so that the systems that they use for connecting and updating these devices cannot be tampered with or fall under the control of a remote user.”

But Ollmann reckons that, in reality, the threat of someone going out of the way to maliciously hack a medical device is small. He says: “It requires effort, a level of technical prowess and access to classes of technology.

“The bigger risk is researchers or hardware hackers experimenting with related technologies that happened to be in range of your device. Not targeting with malicious intent, just a situation of being in the wrong place at the wrong time.”

Ollmann is now working with medical manufacturers to assess many of their new or next-generation technologies.

He says: “In the last couple of years, because of the high visibility of these vulnerabilities, there has been a dramatic shift within organisations to better understand the nature of them and the capabilities of attackers. The bigger organisations are actively engaging companies to understand and review products before going out.”