Life-saving medical devices are vulnerable to attacks that could leave them under the control of a hacker, according to security alerts from both the Department of Homeland Security (DHS) and the US Food & Drug Administration (FDA).
The FDA’s March 21 security alert warned caregivers and patients who use Medtronic cardiac implantable cardioverter defibrillators (ICDs) or cardiac resynchronization therapy defibrillators (CRT-Ds) to treat patients with heart failure or rhythm problems that a critical security vulnerability in the devices exists because they do not use encryption, authentication or authorization.
“The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.”
If the vulnerabilities were exploited, criminals could use radio communications to take control of the medical devices while the devices are inside a person. According to Medical Advisory ICSMA-19-080-01, an attacker would need to have an RF device, such as a monitor, programmer, or software-defined radio, that is “capable of transmitting or receiving Conexus telemetry communication…[and in] adjacent short-range access to the affected products.” Additionally, the RF functionality would need to be active.
“Medical device manufacturers who aren’t engaging in real security or, in this case, even basic security practices, should probably have their FDA approvals revoked,” said HackerOne's head of IT Aaron Zander.
“Unlike a kids' toy or a car where a recall is as simple as sending something back in the mail or driving it back to the dealership, an embedded device, one literally embedded in you, isn’t meant to come out and be replaced regularly. The surgery to replace this with a ‘better’ or ‘safer’ version in itself is dangerous and comes with life-threatening repercussions. On top of that, not everyone had a choice on which type of device they would receive. People didn’t spend months hunting for the ‘perfect pacemaker with all the features,’” Zander said.
“It’s what the hospital and their doctors thought was right at the moment the patient needed it. Not every piece of hardware can be upgraded to have its software handle more secure communications, and we’re seeing the side effects. The fact that there are more stringent controls on the software that doctors use to send each other instant messages than there are on the software that goes into a pacemaker shows that the medical device field needs to advance in terms of both regulation and security. The repercussions of not acting now are deadly.”