Hacking a pacemaker is not as complicated as it may seem

The technology of artificial stimulation of the heart muscle by electric current has been used in medicine for quite some time. Over time, pacemakers, and it is about them, are becoming more perfect. If earlier wired modules were used for the pacemaker, now they are mostly wireless, the interaction is via radio frequencies. But, as a rule, the more complex the system, the easier it is to disable it. This is not always the case, but in some cases this is exactly the situation. And it also applies to pacemakers. So, relatively recently, news began to appear on the Web that pacemakers, especially radio-controlled ones, were vulnerable to intruders.



Further, the doctors began to express concerns - because if this small device can be hacked, and even remotely, it means the possibility of killing or harming a person, also remotely. True, some experts have begun to say that it is quite difficult to hack a pacemaker, and the average person cannot access the control of such a module. In fact, there is nothing difficult for a technically savvy user who is familiar with electronics and radio business. Actually, even this is not required, you can simply buy a control module for a particular rhythm driver model on eBay and already present a danger to the pacemaker users of this particular model.



In the usual case, the cardiac pacemakers are placed next to the pectoral muscle, giving electrical signals to the heart. The main task of the pacemaker is to maintain or impose a heart rate on a patient whose heart beats insufficiently often, or there is an electrophysiological disconnection between the atria and the ventricles (atrioventricular block).







One of the problems is that the developers of such devices do not even try to introduce identification systems into their pacemakers. Experts say that any pacemaker control module of a certain manufacturer can work with any device produced by the same company, and in most cases there is no linking of a specific module to a specific pacemaker. So say the experts of WhitScope, an organization working in the field of cyber security. It turns out that patients with pacemakers are not protected from intruders. After all, if such a control module falls into the hands of a person who decides to harm a person with a pacemaker, then he is unlikely to be able to interfere.



But companies that supply this type of device to the market claim that their distribution is controlled. In fact, this is not entirely true , since on the same eBay a lot of “left-side” control modules are sold, which are hardly considered somewhere. Anyone can buy them, although this is a bit of a wrong product to which it should be opened up. Security vulnerabilities were discovered by WhiteScope researchers after buying a different type of device on eBay with prices ranging from $ 15 to $ 3000. In all, over 8,000 vulnerabilities were discovered in the control modules of heart rate drivers from four different manufacturers. In two cases, experts found patient data that was stored in devices in the clear. Patients, as we found out, were treated in one of the famous US hospitals.



The study authors argue that the developers of drivers of heart rate and control equipment should pay more attention to the safety of their devices, and, consequently, the safety of users of such devices. Their lives and health are in jeopardy due to the neglect of the simplest methods of protection. Moreover, the problem is not with one manufacturer; it has already been mentioned above that many divided heart pacemakers can be considered vulnerable.



The most interesting thing is that information security experts criticize the lack of protection in pacemakers is not the first time. Back in 2013, this issue was raised simultaneously by independent researchers and the Food and Drug Administration. Problems with the protection of not only pacemakers, but also other devices, including insulin pumps, heart rate monitors, anesthesia machines, etc. The fact is that such devices mostly contain stitched passwords. Malicious users who know these access passwords can exploit vulnerabilities for their own purposes.







So far, there is no evidence that someone conducted such attacks. But this does not mean that they will not be held in the future. Former US Vice President Dick Cheney said he considered the threat quite real. He was once implanted with a defibrillator to prevent heart attacks. Attacks on medical devices of this type will most likely not be possible to carry out remotely.



For the interaction of the control module and the same pacemaker, close proximity is necessary - and this is not about meters, but at best tens of centimeters. So large-scale attacks with the use of vulnerabilities in medical devices still look difficult to be implemented. But this does not mean that someone will not find a way to turn all this into reality. To prevent this from happening, manufacturers need to take care of the safety of their products.