Friday 9 June 2017

Pacemakers: Pay for your life or die


Have you ever wondered how safe pacemakers are from hackers? Yes, you heard that right: today we are talking about the thousands of security flaws identified in pacemakers that hackers could easily exploit, and that could cost a life.

A pacemaker is a small, battery-operated electrical device that is surgically placed in the chest or abdomen to help control abnormal heart rhythms. The device uses electrical pulses to prompt the heart to beat at a normal rate. Millions of people who rely on pacemakers to keep their hearts beating are at risk from software malfunctions and hackers, which could eventually take their lives.

In a recent study, researchers from security firm White Scope analysed seven pacemaker products from four different vendors and discovered that they use more than 300 third-party libraries, 174 of which are known to have over 8,600 vulnerabilities that hackers could exploit in pacemaker programmers.

The White Scope analysis covered implantable cardiac devices, home monitoring equipment, pacemaker programmers, and the cloud-based systems that send patients' vital data over the Internet to doctors for examination. All of the programmers examined by the security firm had outdated software with known vulnerabilities, and many of them run Windows XP.

What's more frightening?

Researchers discovered that the pacemaker devices do not authenticate these programmers, which means anyone who gets their hands on an external monitoring device could potentially harm or kill heart patients with an implanted pacemaker.

So, any working tool sold on eBay has the potential to harm patients with the implant.



"All manufacturers have devices that are available on auction websites," the researchers said. "Programmers can cost anywhere from $500-$3000, home monitoring equipment from $15-$300, and pacemaker devices $200-$3000."

Is that all? NO, there is more to know:

The list of security vulnerabilities the researchers discovered in devices made by four vendors includes hardcoded credentials, unsecured external USB connections, the failure to map the firmware to protected memory, lack of encrypted pacemaker firmware updates, and using universal authentication tokens for pairing with the implanted device.
  1. In a few instances, researchers discovered unencrypted patient data stored on the pacemaker programmers, including names, phone numbers, medical information and Social Security numbers (SSNs), leaving it wide open for hackers to steal.
  2. Another major issue identified was the lack of the most basic authentication process, i.e. the login and password. This basic process is so weak that physicians can authenticate to a programmer or cardiac implant device without even entering a password. In short, anyone within range of the devices or systems can change a patient's pacemaker settings using a programmer from the same manufacturer.

It seems that while cyber security firms are continually improving software and security systems to protect them from hackers, medical devices such as insulin pumps and pacemakers remain very much vulnerable to life-threatening hacks.
