When we think of the future, the images of flying cars, robotic housekeepers and various other clichés from The Jetsons might come to mind. In the present, we certainly are entering a new age of robotics and artificial intelligence, and finally a form of virtual reality that isn’t comically fake. Smartphones revolutionized communication and information sharing. The automotive industry is benefiting from smart technology, as are a wide range of smart home product manufacturers. We’ve seen smart technology have its fair share of information security flaws, and the auto industry is dealing with the difficulties that internet-enabled technology can present. The difference between smartphones and IoT devices on one hand and smart car technology on the other is that smart car technology can put the user in physical danger. The same is true of the medical world. No field has had a bigger impact on the benefits of technology to mankind than the medical field. So it is absolutely critical that the technology is designed with the ultimate security consequence in mind, one that isn’t present in the majority of consumer electronics: death.
Most people are familiar with the pacemaker, a piece of medical equipment designed to help regulate a person’s heartbeat when the heart isn’t able to do so on its own, whether because of a condition present from birth, disease or other medical complications. The development of the technology goes as far back as 1889, when the British Medical Journal described John Alexander MacWilliam’s experiments. The technology has evolved many times since then, and the current state of pacemakers is truly something to marvel at. It’s no surprise that certain technologies were implemented over the years to add functionality and convenience for medical professionals and patients alike. Convenience comes at a cost, though, and wireless is notorious for having security complications.
How pacemakers are exposed
2017 could arguably be labeled “The Year of Ransomware” in the tech world, and sadly the pacemaker is no exception to this unfortunate plague on software and businesses. The FDA recently was forced to recall an estimated nearly 500,000 St. Jude Medical implantable cardiac pacemakers due to vulnerabilities in the RF-enabled functionality of the device. The vulnerabilities, numbering around 8,600, included, but were not limited to, unencrypted patient information stored on the device, including names, phone numbers, medical information and social security numbers. Access to the device’s controls required no form of authentication, meaning an unauthorized attacker could change settings on the device, such as the patient’s heart rate, or use malicious code to deplete the battery at a rapid rate, leaving the patient in a potentially fatal situation. I prefaced the severity of these vulnerabilities by talking about ransomware for a reason.
Having your smart fridge be vulnerable to hackers allows them to monitor your home network and steal information. At worst, the result is damage to your identity and credit, though they may find damning files with which to blackmail you; ultimately, these are problems that can be fixed with money or with the help of law enforcement. But when you have vulnerabilities that can effectively end your life, the stakes are raised to the maximum bid and your options become instantly limited. It would be insulting to manufacturers to say they don’t consider this factor, but I have to question the gravity of the consideration. As of this writing, patients are encouraged to go into their physician’s office to receive a firmware upgrade on their device. It’s not confirmed how many of the vulnerabilities this upgrade patches; St. Jude (now known as Abbott) published a post on their page for patients that can be found here.
For a more detailed look into pacemaker programming, I recommend reading this post by Billy Rios and Dr. Jonathan Butts as it goes into greater detail about the current architecture of pacemaker systems. Perhaps the almighty power of open source software can provide a sufficient solution one day. Until then, people’s lives are literally in the hands of the developers of these systems. And let’s not forget, HIPAA fines are no joke.