Cybersecurity firm WhiteScope says it has identified cybersecurity vulnerabilities in the device ecosystems for pacemakers and implantable cardioverter-defibrillators (ICDs) across four major vendors.
In recent years, the US Food and Drug Administration (FDA) has advanced efforts to improve medical device cybersecurity, and has held three public workshops and issued two final guidances detailing device makers' pre- and postmarket cybersecurity responsibilities.
However, recent high-profile cyber-attacks and reports of device vulnerabilities have highlighted the need for increased vigilance for medical device cybersecurity.
Implantable Cardiac Device Cybersecurity
WhiteScope says it obtained and tested pacemakers and ICDs, as well as home monitoring devices and physician programmers from four major device makers.
In addition to known vulnerabilities found in third-party software libraries used in the physician programmers, WhiteScope says it found several potential weak spots that were common across the ecosystems for the devices, including unencrypted firmware, hardcoded credentials and radio-frequency (RF) activation.
In a blog post, WhiteScope founder and prominent cybersecurity researcher Billy Rios points out the relative ease of acquiring medical devices through auction sites such as eBay, saying he was able to acquire implantable cardiac devices, home monitoring equipment and physician programmers at auction for prices ranging from $15 to $3,000.
While the report does not name the manufacturers or the devices tested, or the vulnerabilities and potential exploits identified, WhiteScope says it found thousands of vulnerabilities across the devices it tested.
"As a whole, the implantable cardiac device ecosystem inherits security features associated with the underlying system-of-systems architecture. If adequate security controls are not implemented, weaknesses associated with architecture and implementation interdependencies have the potential to compromise ecosystem confidentiality, integrity, and/or availability," the report says.
In total, WhiteScope says it identified more than 8,000 known cybersecurity vulnerabilities in third-party software libraries used in the physician programmers used to program pacemakers and ICDs.
"Multiple instances incorporated outdated and vulnerable third-party [software] components. As a result, the potential may exist for an attacker to leverage publicly known exploits to compromise the subsystem," the report states.
Figure 1. Third-Party Libraries
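The finding above is the familiar one of shipping third-party components whose versions fall inside publicly known vulnerable ranges. As an added illustration of the kind of check a vendor or assessor would run against a programmer's software inventory (this is not code from WhiteScope or from the report), the script below compares a constructed component list against a constructed set of advisories with "introduced / fixed" version ranges. The component names, versions and advisory identifiers are all hypothetical; only the version-comparison logic, including the letter-suffixed patch levels used by OpenSSL 1.0.x, reflects real practice.

```python
"""Flag third-party components whose installed version falls inside a
known-vulnerable range.

Added example. INVENTORY and ADVISORIES below are constructed for
illustration; the names and advisory IDs are hypothetical and are not
taken from the WhiteScope report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' or '1.0.2k' into a tuple that compares correctly.

    Each dotted piece becomes (number, letter) so that 2.4.10 > 2.4.7 and
    1.0.2k > 1.0.2, matching the patch-letter scheme OpenSSL 1.0.x used.
    """
    parts: List[int] = []
    for piece in v.split("."):
        digits = ""
        letter = 0
        for ch in piece:
            if ch.isdigit() and not letter:
                digits += ch
            elif ch.isalpha() and not letter:
                letter = ord(ch.lower()) - ord("a") + 1
        parts.append(int(digits) if digits else 0)
        parts.append(letter)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # hypothetical identifier, not a real CVE
    component: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = unfixed


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def audit(inventory: List[Tuple[str, str]],
          advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory_id) for every match."""
    findings = []
    for name, version in inventory:
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                findings.append((name, version, adv.advisory_id))
    return findings


# Constructed sample inventory of a (hypothetical) programmer image.
INVENTORY = [
    ("libfoo", "1.0.2g"),   # inside the affected range
    ("libfoo", "1.0.2t"),   # past the fix
    ("parser", "2.4.7"),    # inside the affected range
    ("parser", "2.4.10"),   # exactly the fixed version: not affected
    ("crypto", "0.9.8"),    # advisory with no fix available
]

# Constructed sample advisories (hypothetical IDs).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "libfoo", "1.0.2", "1.0.2h"),
    Advisory("EXAMPLE-0002", "parser", "2.4.0", "2.4.10"),
    Advisory("EXAMPLE-0003", "crypto", "0.9.0", None),
]

if __name__ == "__main__":
    for name, version, adv_id in audit(INVENTORY, ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
```

The fixed version is treated as exclusive, so a component sitting exactly on the patched release is not flagged, while an advisory with no fix keeps flagging every later version. A real assessment would feed this from an SBOM and a vulnerability feed rather than from literals, but the range logic is the same.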
Rios told Focus that his firm has reported some of the vulnerabilities to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and has spoken with some of the manufacturers about the vulnerabilities. Rios also noted that he provided FDA with an advance copy of the report, but did not disclose specific vulnerabilities to the agency.
Rios declined to comment on how easy or difficult it would be for a hacker to exploit the vulnerabilities, as the report does not disclose any specifics related to individual vulnerabilities or exploits.
"We wanted to keep the report focused on data, not exploits. For the vulnerabilities associated with specific vendor implementation, we provided proof of concept code to DHS. We don't want to reveal too much about those issues," he said.
Rios told Focus that his firm attempted to test the devices with up-to-date software.
"Some of the equipment has built-in update mechanisms, so we're fairly certain it was on a recent version. For some devices, we downloaded the most recent version of the software from a support website. For some equipment, however, the update story is pretty poor, so we can't be certain that we had the latest version," he said.
Rios also told Focus he's pleased with FDA's recent cybersecurity efforts, calling the agency's two final guidances on the subject "great starts," but said that both guidances, especially the postmarket one, could be improved.
"I think our research demonstrates that we still have a long ways to go," Rios said.
Rios also hinted that this report could serve as a litmus test for how postmarket cybersecurity issues are handled.
"Now that the manufacturers have been notified of their specific vulnerabilities, let's see if they adhere to the FDA guidelines … if they don't adhere to the guidelines, let's see what happens," Rios said.