Highlights:
- A paper capturing a comparison of pacemaker systems can be found here
- While potential vulnerabilities were discovered in all pacemaker systems, the specifics of those issues will not be discussed in this post. All potential vulnerabilities discovered in this study have been/will be reported to DHS ICS-CERT.
- We examined seven different pacemaker programmers from four different manufacturers. Most of our efforts were focused on 4 programmers that had RF capabilities.
- We discovered over 8,000 known vulnerabilities in third party libraries across four different pacemaker programmer from four different manufacturers. This highlights an industry wide issue associated with software security updates.
- Pacemaker programmers do not authenticate to pacemaker devices. Any pacemaker programmer can reprogram any pacemaker from the same manufacturer. This shows one of the areas where patient care influenced cybersecurity posture.
- Pacemaker programmers do not require physicians to authenticate to the programmer. Another area where patient care influenced cybersecurity posture.
- All pacemaker systems had unencrypted filesystems on removeable media, making initial analysis relatively straightforward.
Part I – Introductions and Pacemaker Programmers:
In October of 2016 exceptions to the DMCA related to medical device cybersecurity research went into effect. The EFF and several notable infosec
organizations championed amendments to the DMCA to allow for more open exchange
of Medical Device cyber security research.
We’d like to thank those
organizations that championed the changes to the DMCA.
This post is provided in spirit
of those DMCA exceptions. Specifically,
this post (and follow-on posts) provide insight into technical details as to
how pacemaker systems work and some of the cybersecurity challenges
manufacturers face when implementing these systems. When this document references “pacemaker
systems”, we are referring to pacemakers, Implantable Cardioverter
Defibrillators (ICD), Pulse Generators, and Cardiac Rhythm Management (CRM). Surprisingly, the architecture and even
technical implementation of pacemaker systems across manufacturers is very
similar. We suspect that some of this
similarity is due to the technical restraints associated with implanted
technologies. Other similarities,
however, indicate that there is some cross-pollination between pacemaker
manufacturers. Given the similarities
between systems, we hope that pacemaker manufacturers work together to share
innovative cyber security designs and compete on user experience and health
benefits as opposed to competing on cybersecurity.
Discussions associated with the
cybersecurity of pacemaker systems can be an emotionally charged topic. Our approach is to keep this discussion
focused on technical data (“more research, less drama”), but we hope this data
is used to spur civilized discussions about how we can improve implantable medical
device cybersecurity. When possible,
technical data is presented in a vendor neutral manner. A document describing our research has been provided to the NH-ISAC, you can find that document here. In the
spirit of coordinated disclosure, any potential vulnerabilities discovered during this
project was/will be reported through DHS ICS-CERT. Specific vulnerabilities, weaknesses associated with specific vendors, and exploits will
not be discussed in these blogposts.
As shown in previous research
efforts, cybersecurity researchers can obtaining a variety of medical devices,
including “big iron” medical devices.
Imaging Device in Billy's Garage |
Pacemaker Programmers on Ebay |
Pacemaker systems are
“system-of-systems”. Looking at all four
manufacturers, there are essentially four components to modern pacemaker system
deployments: the pacemaker devices, pacemaker programmers, home monitoring systems,
and the supporting/update infrastructure. All components are vital to the safe functioning of the pacemaker system. The figure below shows how these components interact with each
other.
Pacemaker System Ecosystem |
As seen in other medical device
verticals (https://ics-cert.us-cert.gov/advisories/ICSMA-16-089-01), keeping
devices fully patched and updated continues to be a challenge. Despite efforts from the FDA to streamline
routine cybersecurity updates, all programmers we examined had outdated
software with known vulnerabilities. Across
the 4 programmers built by 4 different vendors, we discovered over 8,000
vulnerabilities associated with outdated libraries and software in pacemaker
programmers.
Outdated Third Party Components |
We believe that this
statistic shows that the pacemaker ecosystem has some serious challenges when
it comes to keeping systems up-to-date.
No one vendor really stood out as having a better/worse update story
when compared to their competitors. In
two instances, we were able to confirm that patient data was stored unencrypted
on the programmer. In one instance, we
discovered actual unencrypted patient data (SSNs, names, phone numbers, medical
data…etc) on a pacemaker programmer. The
patient data belonged to a well-known hospital on the east coast and has been
reported to the appropriate agency.
These types of issues highlight the need for strong device disposal
policies from hospitals.
How do Pacemaker Programmers Work?
Of all the components in
pacemaker systems, pacemaker programmers provide the most insight into how
pacemaker systems actually work. In
total, we examined seven different pacemaker programmers from four different
manufacturers. Six pacemaker programmer
utilized unencrypted IDE hard drives.
One pacemaker programmer utilized an unencrypted PCMICA flash drive. We saw a variety of operating systems such as
the familiar Windows XP, Real Time Operating Systems (RTOS) like MonteVista,
old operating systems like DOS, we even encountered one programmer using OS2!
All of the programmers we
examined booted directly into the programming software without first requiring
any type of login or password. Pacemaker
programmers do not authenticate to pacemaker devices. Any pacemaker programmer can program any
pacemaker from that specific vendor.
This is true for all programmers we examined. Proximity is the primary criteria for pacemaker programming. This is an area where is appears that patient care has influenced the cybersecurity posture of the pacemaker programmer. While older pacemaker programmers only utilize
a close proximity “telemetry wand”, newer programmers from all vendors utilize
longer range RF communications in addition to the close proximity telemetry
wand. Our research focused on
programmers that supported the use RF communications. By intended design, all the pacemaker
programmers we examined first required the use of a telemetry wand in order to
communicate with the pacemaker. This is
the intended design; situations where devices can communicate with a pacemaker
without first requiring a telemetry wand is more complicated and will be
addressed in a later post. In all
implementations we observed, the telemetry wand would retrieve a token from the
pacemaker device itself. In some cases,
the token is the device serial number/ID.
In one case, the token value retrieved from the pacemaker device was a
static AES key. This token value is then
used to derive a session value/key and communications is passed from the telemetry
wand to longer range, higher bandwidth radio signal. The method/algorithms used to derive the session token/key values is different amongst different manufacturers.
These session token generation
algorithms are stored within the programmer logic and software. Once a proper session is established, the
programmer can perform a variety of functions over radio, including the
alteration of therapy. This is by-design
and is the case for all pacemaker programmers we examined. Obviously, compromise of a pacemaker
programmer is a serious matter. The
by-design capabilities of pacemaker programmers is significant and compromise
of a pacemaker programmer would result in situations where alteration of
therapy is possible.
The software implementation of
pacemaker programmers shows an area where cross-pollination between vendors has
likely already occurred. All of the modern
programmers we examined use a core application to initialize the programmer
hardware and interfaces. Communications
to pacemakers is done through “apps”.
Each pacemaker device model has its own app on the programmer. The app contains the specific commands supported
by that specific pacemaker. The
pacemaker app also contains the telemetry structure used to retrieve data,
program, and reprogram the pacemaker device.
Most of the implementations we observed allowed programmers to both update
pacemaker therapy settings and pacemaker firmware. We did not observe any cryptographically
signed pacemaker firmware. Given pacemaker firmware are not cryptographically signed, it would be possible update the pacemaker device with a custom firmware. Once
interaction with a pacemaker is complete, the pacemaker app passes control back
to the main application and the main application will await an another inductive
telemetry wand action.
Steps for RF Programming |
(1) Pacemaker
programmer system starts the main application (no password required)
(2) A
close proximity telemetry wand is used to interrogate a pacemaker
(3) The
pacemaker device provides a token and identifying information
(4) The
pacemaker token and identifying data is received by the main application
(5) The
main application launches the pacemaker app for the identified pacemaker
(6) The
pacemaker programmer switches to RF communications
Pacemaker programmers represent a
significant part of the pacemaker ecosystem.
From a security research perspective, access to programmers can be
extremely helpful in understanding how pacemaker systems work. In the next part, we’ll talk about the home
monitoring systems and how they work.