Over 8,000 Security Flaws Found in Pacemakers

A new report shows how these implants can be hacked with a $300 eBay purchase.

Earlier this year, IEN covered the security flaws, and the resulting financial scam, that stemmed from pacemakers and defibrillators manufactured by St. Jude Medical.

Well, the good news is that we’re not following up on an additional financial scam. The bad news is that those security concerns seem to have gotten worse.

A recent report from the security firm WhiteScope details more than 8,600 flaws in pacemaker systems across four leading manufacturers of implantable cardiac devices, physician programmers and home monitoring devices.

The basic weaknesses include a lack of simple data encryption, which left the file system and device itself exposed to potential hackers.

At the heart of the security flaws are pacemaker programmers, which use radio-frequency transmissions to monitor the function of implantable devices and set therapy parameters. The problem is that these programmers do not authenticate to specific devices. So any pacemaker programmer can reprogram any pacemaker from the same manufacturer.

Some models don’t even require physician authentication, so anyone who can get within range of the individual and their device could alter the pacemaker’s settings.

Is anyone else having Homeland flashbacks?

And as if that wasn’t scary enough, WhiteScope researchers were able to obtain programmers for the four largest pacemaker manufacturers on eBay for anywhere between $500 and $3,000.

The system used in diagnosing and programming the cardiac implants, which uses removable hard drives, was also found to be lacking in security. This is where hackers could access patient information, including healthcare records and social security numbers.

The researchers, thankfully, didn’t specify which manufacturers were tested, but did contact regulatory authorities so the manufacturers can hopefully address these flaws … soon.
