Hackers could focus on pacemakers rather than credit cards

WhiteScope, an independent provider of cyber security services and training, has just released research showing that pacemaker programmers from four major manufacturers have 8,000 bugs that leave them vulnerable to hacking.

More importantly, the researchers said they've also discovered that pacemakers don't authenticate programmers, so any working tool listed on eBay has the potential to harm patients with the implant. “Any pacemaker programmer can reprogram any pacemaker from the same manufacturer. This shows one of the areas where patient care influenced cybersecurity posture,” wrote the researchers in their summary.

Manufacturers are supposed to control the distribution of programmers, but the researchers themselves got their test devices from the auction website for as little as $500 to as much as $3,000. When the devices were connected to a monitoring system, no login name or password was required, and there was no way to verify that the monitoring system they were connecting their device to was authentic. Because the data is not encrypted, patient data such as name, address, social security number, physician's name, and medical and drug information is available to the hacker.

This means that anyone could log on and tamper with the programmer without the doctor knowing, which in turn might affect how the programmer behaves when it is next used on a pacemaker.

“For this project, we acquired pacemaker programmers, home monitors, and pacemaker devices made by four different manufacturers,” they blogged. “These devices are supposed to be ‘controlled’, as in they are supposed to be returned to the manufacturer after use by a hospital, but all manufacturers have devices that are available on auction websites.”

However, this is not the first time that cyber security experts have raised concerns about gross vulnerabilities in such medical devices. Back in 2013, the US Food and Drug Administration and the Industrial Control Systems Cyber Emergency Response Team both released various warnings about security loopholes in medical devices including ventilators, monitors, drug infusion pumps, and anesthesia and surgical devices. Hackers who breached the standard passwords of these devices could easily gain access to and control of them, and could even change their settings, which could again bring severe consequences.