Cyber-security has been known to make some people's hearts flutter figuratively, but it's not supposed to happen literally. Now university researchers have discovered security holes in implantable medical devices that could enable an attacker to kill a person by delivering a fatal shock remotely.
Scientists from the Catholic University of Leuven said that such medical devices use proprietary protocols with no or limited security to wirelessly communicate with a device programmer.
This means that hackers could be up to five metres away from a patient and command the device to switch off – or even deliver a fatal shock. Hackers could also read any medical data from the device, such as treatments and health status.
“All these attacks can be performed without needing to be in close proximity to the patient,” said the researchers.
The researchers managed to access the devices using only off-the-shelf equipment, meaning that such an attack is not unfeasible. It shows just how dependent we have become on the internet of things.
Such devices, or pacemakers as they are more commonly known, use wireless communication to set or collect data in base stations installed in a patient's home or device programmers. These base stations and device programmers can also be used to reprogram devices if medically necessary.
“While these advances bring substantial clinical benefits to patients, new security and privacy threats also emerge, specially due to the wireless communication between these devices. Adversaries may eavesdrop on the wireless channel to learn sensitive patient information, or even worse, send malicious messages to the ICD [Implantable Cardioverter Defibrillators].
“The consequences of these attacks can be fatal for patients as these messages can contain commands to deliver a shock or to disable a therapy,” said the researchers.
The paper outlined how such attacks were possible by reverse-engineering the protocols used in wireless communication between the device and its base station and programmer. The researchers warned that implantable medical device manufacturers often rely on hiding the protocol specifications to provide security, an all too common problem with IoT devices.
“Proprietary protocols typically offer very limited or no security guarantees and have been broken via different reverse-engineering techniques,” she said.
The researchers offered several ways that would mitigate the problems they described.
“Our first countermeasure consists of adding a ‘shutdown' command in all external devices so that they continuously jam the wireless channel while the ICD is in ‘standby' mode. A more efficient solution is to jam the wireless channel only if an adversary is detected. This is also known as reactive jamming,” said the researchers.
Other measures outlined were adding a shutdown command in the devices as well as implementing a key agreement protocol which uses the device's internal clock to obtain a key every three months over a secure channel.
“In this way, if a device programmer is lost, stolen or tampered with, this can be reported to the device manufacturer and then this device will no longer receive key updates, rendering it useless,” the researchers said.
Mark Noctor, vice president of EMEA for Arxan Technologies, told SCMagazineUK.com that as a minimum, all medical device manufacturers and developers need to thoroughly test the applications to ensure they are effectively protected against cyber-attacks and exploits.
“Crucially, this has to be done before they come onto the market. Best practice during development include application hardening technology and runtime application self-protection measures inserted into the binary of the application,” he said.
Javvad Malik, security advocate at AlienVault, told SC that there is an element of shared responsibility that healthcare organisations need to accept with regard to connected devices.
“Even if a manufacturer implements adequate security controls, the healthcare organisation will likely still need to ensure it remains secure in their environment,” he said.