Ransomware gets closer to heart

By Balamurugan Selvaraj Published on Jun 06, 2017 03:22 PM IST

Researchers have found over 8,000 vulnerabilities in pacemakers that are used on heart patients. They said if these flaws are not patched immediately, actors may exploit them and be capable of killing the patient, if the victim fails to fulfil the actor's request. Across the world, millions of heart patients relying on pacemakers to stabilise their heart beat. This research report has created fear among these patients.

Pacemaker is a small electrical battery-operated device, which is surgically implanted in the chest of a patient to control their heartbeat. This device uses low-energy electrical pulses to stimulate the heart to beat at a normal rate. After WannaCry havoc, cyber security firms are working hard to improve security in all aspects. Researchers from White Scope recently discovered the flaws in pacemaker.

After a critical analysis of over seven pacemaker products from four different vendors, 8,600 vulnerabilities were found. This could allow actors to create life-threatening problems. The list of security vulnerabilities in the devices includes hard-coded credentials, unsecured external USB connections, the failure to map the firmware to protected memory, lack of encrypted pacemaker firmware updates and using universal authentication tokens for pairing with the implanted device. In the analysis, they covered implantable cardiac devices, home monitoring equipment, pacemaker programmers, and cloud-based systems to send patient's vital data over the Internet to doctors for examining. They found that, programmers examined by the security firms had outdated versions of software, that runs on Windows XP with known vulnerabilities.


The flaw here is that the pacemaker doesn't have any authentication method to access the patient's data. Also, those devices do not authenticate the programmers, which means anyone who gets their hands on an external monitoring device could potentially harm a patient's heart with an implanted pacemaker. Another flaw here is with the distribution network. Researchers found that any working tool sold on eBay has potential to harm patients with the implant through distribution network controlled by the programmers.

Also, it is possible for an actor to steal and access unencrypted patients' data stored on the pacemaker programmers, which includes patient's personal credentials and medical information numbers. If those vulnerabilities went unpatched, the criminals may change the emergency number stored in pacemakers to kill the targeted patient.

According to the researchers, "Another issue discovered in the pacemaker systems is the lack of the most basic authentication process: login name and password, allowing the physicians to authenticate a programmer, or cardiac implant devices without even having to enter a password.This means anyone within the range of the devices or systems can change the pacemaker's settings of a patient using a programmer from the same manufacturer."

Though some doctors say, "In an emergency situation, how can a doctor or physician remember a username and password? So, it is quite unfair." But for the patients' security, the doctor has to remember it.

The researchers contacted the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and conveyed the flaws. So, the manufacturers of the tested devices can address the flaws.