Pacemakers patched against potentially lifethreatening hacks

Five months after the FDA and DHS launched probes into claims that its pacemakers and cardiac monitoring technology were vulnerable to potentially life-threatening hacks, St Jude Medical has issued security fixes.

Without the security update, the devices are vulnerable to tampering that could cause implanted pacemakers to pace at potentially dangerous rates or cause them to fail by rapidly draining their batteries.

Cyber-tampering with medical devices such as insulin pumps or pacemakers can seem far-fetched – the product of researchers’ theoretical scenarios and probably not very likely to happen in the real world.

But back in 2013, former US vice-president Dick Cheney made the threat feel a bit more tangible when he told CBS’s 60 Minutes programme that doctors had disabled his pacemaker’s wireless capabilities in order to thwart possible assassination attempts.

This week, the reality of security vulnerabilities in medical devices and the potential harm they entail was made more vivid still when St Jude finally released security updates for the implantable devices.

On Monday, St Jude announced the immediate release of security updates for its Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.

The fixes will reduce what’s already “extremely low cyber-security risks,” said St Jude.

The pacemaker company said it’s unaware of any security incidents related to, nor any attacks explicitly targeting, its devices. Granted, “all medical devices using remote monitoring are exposed to the risk of a potential cyber security attack,” it said.

It was a begrudging acknowledgement, making mention of “the increased public attention on highly unlikely medical device cyber risks”. The tone was hardly surprising, given that the company sued IoT security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment.

Legal dispute or no, St Jude has in fact now patched those same bugs, MedSec said on Monday.

The bugs were confirmed in advisories released by both the US Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) on the same day that St Jude announced the security updates.

According to the advisories, the software update addresses some, but not all, known cyber-security problems in the heart devices.

The impartial nature of the fix was backed up by cryptographic expert Matthew Green, an assistant professor at John Hopkins University, who described the pacemaker vulnerability scenario as the fuel of nightmares.

He put out a series of tweets on the matter, including these messages:

The summary of the problem is that critical commands: shocks, device firmware updates etc. should only come from hospital programmer 5/

Unfortunately SJM didn’t use strong authentication. Result: any device that knows the protocol (including home devices) can send these 6/

And worse, they can send these (potentially dangerous) commands via RF from a distance. Leaving no trace. 7/

Specifically, the devices use 24-bit RSA authentication, he said: “No, that’s not a typo.” Beyond the weak authentication, St Jude also included a hard-coded 3-byte fixed override code, Green said.

I’m crying now.

Green added that the vulnerabilities are in the implantable devices themselves and the only fix is to update the firmware.

How, exactly, do you do that to a device implanted in somebody’s chest? The security advisories from St Jude, the DHS and the FDA don’t mention that, Green points out.

I don’t even know what that would entail. Maybe bringing patients into doctor’s offices. A logistical frigging nightmare. 12/

But this is the worst part, Green hypothesized: the “nightmare fuel” that “should be keeping SJM and the FDA up at night until they can rule it out”:

Compromising one box at a time is very time consuming and unlikely. But what if you could push harmful code to ALL OF THEM AT ONCE. 15/

Scary, eh? One respondent suggested that this could be a money machine in the wrong hands:

Nightmare fuel, indeed. Let’s just hope these attacks stay esoteric, far-fetched and as unlikely as St Jude is insisting.

Any other possibility could prove fatal.