Slashdot Mirror

← Back to Stories (view on slashdot.org)

Two Different Studies Find Thousands of Bugs In Pacemakers, Insulin Pumps and Other Medical Devices

Posted by BeauHD on from the take-a-deep-breath dept.

Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. "One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices," reports BBC. "The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets." From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care." The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.

47 comments

  1. This is a surprise how? by Snotnose · · Score: 4, Insightful

    Companies used to building medical hardware have discovered microcontrollers and hired the cheapest programmer or two they could find to program it. Companies not used to software, hiring low skilled programmers, probably giving them unreasonable schedules and requirements. Color me shocked.

    Love to hear from one of the programmers who programmed one of these things, hear what they have to say.

    1. Re:This is a surprise how? by Anonymous Coward · · Score: 0

      No, it's more like the same engineer(s) that designed and built the hardware find writing software "really fun" and decided they should have no problem writing the software too.

      Fucking engineers. They all love to program and they all suck at it. I have made my living the last 15 years cleaning up their buggy, insecure, poorly designed, shit code.

    2. Re:This is a surprise how? by Anonymous Coward · · Score: 5, Informative

      I used to program pacemakers. You are wrong that these are the cheapest programmers they could find, and in general about your assumptions as to how the industry works.

      The medical industry doesn't work that way, at least for life-critical, highest-risk medical devices like pacemakers and implantable defibrillators. If a company operated as you describe, the FDA would shut it down very quickly. The pacemaker company I worked for hired highly skilled people, and used an internal software and hardware development process that makes the other software companies that I have worked for look like a bunch of amateurs by comparison. ISO 9001 compliance and FDA certification is no joke. There were detailed reviews at every level of the software development process: proposal reviews, system design reviews, detailed design reviews, code standards, code reviews, detailed regression tests, near-100% branch coverage (not just statement coverage) by regression tests, static analysis tools, simulation, animal testing, and so forth. It is quite focusing to realize that a coding mistake on your part may very well lead to someone's death.

      Also, the industry is incredibly conservative, since every change, no matter how trivial, has to be justified to the FDA as to why it won't make a device unsafe. At the time I left, about 15 years ago, they were still using a DOS clone in their pacemaker programmers (basically a device that allows a doctor to download a set of configuration parameters into a pacemaker using something that looks like a mouse placed on the patient's chest) because Windows was too poorly understood as to its runtime characteristics (especially with regards to reliable real-time behavior, memory allocation, and interrupt behavior), and too poorly controllable to be trusted, especially as we couldn't get source code for it. (Note: something like Linux has most of the same problems. We were looking into the possibility of using QNX in the future, which looked more promising.) Still, while in that industry, I rarely worked with technology that was less that 10 years old, because it was assumed that in 10 years time, most of the bugs in the technology would have been known and documented, and understood as to their impact. This applied to hardware, operating systems, and development tools. Having tools be reliable (or at least unreliable in well-understood ways) was considered more important than having them be cutting-edge.

      However, that elaborate software process was geared towards patient safety in the face of ordinary threats such as misconfiguring by physicians, low battery brownout scenarios, bits being twiddled by cosmic rays (Yes, really! We took precautions for this!), stray magnetic or electrical fields, unexpected patient heart behavior patterns, and so forth. Many, many precautions ("risk mitigations") were taken for events such as these. Deliberate hacking by outsiders was not really a concern on anyone's mind, particularly since to do so would have required close physical contact (due to one of the aforementioned risk mitigations, which I am not going to go into the details of), and so the data transmission protocols were geared towards detecting errors due to mistransmission or data corruption, rather than ones due to deliberately constructed valid-but-evil data.

      Still, the close physical contact requirement would make it fairly difficult for someone to hack one of these devices in most practical scenarios. I don't see it as much of a threat. If someone is close enough to download a bad configuration into a pacemaker, they are close enough to do much more simple and direct harm to that person, which would be vastly easier to do. I can imagine very convoluted scenarios in which someone could try to perform murder-by-pacemaker, but realistically, there would usually be much more simple and reliable ways that wouldn't require stealthily breaking into a company to steal their specifications, or reverse-engineering their hardware and software. It's just too much effort for even a nation-state

    3. Re:This is a surprise how? by Anonymous Coward · · Score: 1

      I used to program pacemakers. You are wrong that these are the cheapest programmers they could find, and in general about your assumptions as to how the industry works.

      The medical industry doesn't work that way, at least for life-critical, highest-risk medical devices like pacemakers and implantable defibrillators. If a company operated as you describe, the FDA would shut it down very quickly. The pacemaker company I worked for hired highly skilled people, and used an internal software and hardware development process that makes the other software companies that I have worked for look like a bunch of amateurs by comparison. ISO 9001 compliance and FDA certification is no joke. There were detailed reviews at every level of the software development process: proposal reviews, system design reviews, detailed design reviews, code standards, code reviews, detailed regression tests, near-100% branch coverage (not just statement coverage) by regression tests, static analysis tools, simulation, animal testing, and so forth. It is quite focusing to realize that a coding mistake on your part may very well lead to someone's death.

      Also, the industry is incredibly conservative, since every change, no matter how trivial, has to be justified to the FDA as to why it won't make a device unsafe. At the time I left, about 15 years ago, they were still using a DOS clone in their pacemaker programmers (basically a device that allows a doctor to download a set of configuration parameters into a pacemaker using something that looks like a mouse placed on the patient's chest) because Windows was too poorly understood as to its runtime characteristics (especially with regards to reliable real-time behavior, memory allocation, and interrupt behavior), and too poorly controllable to be trusted, especially as we couldn't get source code for it. (Note: something like Linux has most of the same problems. We were looking into the possibility of using QNX in the future, which looked more promising.) Still, while in that industry, I rarely worked with technology that was less that 10 years old, because it was assumed that in 10 years time, most of the bugs in the technology would have been known and documented, and understood as to their impact. This applied to hardware, operating systems, and development tools. Having tools be reliable (or at least unreliable in well-understood ways) was considered more important than having them be cutting-edge.

      However, that elaborate software process was geared towards patient safety in the face of ordinary threats such as misconfiguring by physicians, low battery brownout scenarios, bits being twiddled by cosmic rays (Yes, really! We took precautions for this!), stray magnetic or electrical fields, unexpected patient heart behavior patterns, and so forth. Many, many precautions ("risk mitigations") were taken for events such as these. Deliberate hacking by outsiders was not really a concern on anyone's mind, particularly since to do so would have required close physical contact (due to one of the aforementioned risk mitigations, which I am not going to go into the details of), and so the data transmission protocols were geared towards detecting errors due to mistransmission or data corruption, rather than ones due to deliberately constructed valid-but-evil data.

      Still, the close physical contact requirement would make it fairly difficult for someone to hack one of these devices in most practical scenarios. I don't see it as much of a threat. If someone is close enough to download a bad configuration into a pacemaker, they are close enough to do much more simple and direct harm to that person, which would be vastly easier to do. I can imagine very convoluted scenarios in which someone could try to perform murder-by-pacemaker, but realistically, there would usually be much more simple and reliable ways that wouldn't require stealthily breaking into a company to steal their specifications, or reverse-engineering their hardware and software. It's just too much effort for even a nation-state

    4. Re:This is a surprise how? by phantomfive · · Score: 1

      I don't even see how it's possible to hack a pacemaker. How do you even connect to it? I doubt those things connect over wifi, the battery would get drained too fast.

      --
      "First they came for the slanderers and i said nothing."
    5. Re: This is a surprise how? by occamboy · · Score: 3, Informative

      Sorry to quibble... but medical devices are normally developed using a process that conforms to ISO 13485, not 9001. Pretty similar, though.

    6. Re: This is a surprise how? by Anonymous Coward · · Score: 0

      With language like that I'm surprised you have enough time away from your beer and trailer to know what a computer is.

    7. Re:This is a surprise how? by Ihlosi · · Score: 1
      I don't even see how it's possible to hack a pacemaker

      That's an issue with your creativity

      How do you even connect to it?

      The same way the doctor connects to it for things like status queries, configuration changes, etc.

      And you're right, not wifi.

    8. Re:This is a surprise how? by Ihlosi · · Score: 2
      Companies used to building medical hardware have discovered microcontrollers and hired the cheapest programmer or two they could find to program it.

      This isn't how it works.

      Firstly, they discovered microcontrollers about thirty years ago, so that's not really new.

      Secondly, they just make the same mistake many other companies do - they want one person that does hardware and firmware development (check some job postings), because that saves money (haha). Which is bad. Someone who's excellent at analog and digital HW design will have no time to fiddle with firmware. Good HW people are too valuable to let them waste their time trying to put together firmware, digital signal processing, etc.

      I mean, in a hospital, you wouldn't want the same person doing anesthesia and surgery during an operation, would you?

    9. Re:This is a surprise how? by Ihlosi · · Score: 1
      No, it's more like the same engineer(s) that designed and built the hardware find writing software "really fun" and decided they should have no problem writing the software too.

      They don't find software/firmware fun. But companies want universal geniuses that do medical device HW design (not an easy task) and, well, write the FW as well, because they don't want to pay additional people to do it.

    10. Re:This is a surprise how? by bagofbeans · · Score: 1

      The really small implants surely use an ASIC with embedded microcontroller, rather than an off the shelf discrete microcontroller and all the other stuff in the ASIC. In which case, the power consumption excuse for not running encryption (it needs too much processing horsepower) doesn't cut the mustard. Intel designed instructions to speed AES processing (AES-NI) https://en.wikipedia.org/wiki/AES_instruction_set/. It's a design time, design cost issue, and sheer arseholiness for companies to claim that it can't be done when that's not true.

    11. Re:This is a surprise how? by Ihlosi · · Score: 1
      In which case, the power consumption excuse for not running encryption (it needs too much processing horsepower) doesn't cut the mustard.

      Using encryption uses more power than not using encryption. And the more power the device uses, the more often you need to cut holes in the patient to replace it. Most patients don't like that part. And encryption doesn't just use power through CPU usage, it also requires more RAM and possibly flash than no encryption, and both memories also draw power.

      Also, consider the fact that you may have a large base of older "physician programmers" and "home monitoring devices" out there that don't support encryption. Doctors and patients would have to buy newer versions of these things to support your new encryption-ready pacemakers, for quite a chunk of money. Neither group likes that.

  2. TRUMP by Anonymous Coward · · Score: 0

    going dowwwwnnnnnn!

    1. Re:TRUMP by Cmdln+Daco · · Score: 1

      Please keep your sexual fantasies to yourself. We're not interested in hearing about them.

  3. is there a Darwin Award here? by turkeydance · · Score: 1

    killing off the less fit?

    1. Re:is there a Darwin Award here? by Anonymous Coward · · Score: 0

      Natural selection by insulin pump hacking?

      I don't believe Darwin anticipated it.

  4. Overly complex by Gravis+Zero · · Score: 3, Insightful

    Honestly, if you have 8000 bugs in your system then you haven't just done a bad job of securing your code, you have done a bad job of architecting your software and hardware. Bottom line, they should fire the people in charge of designing this shit and everyone in management who pushed these devices out before they were ready. Alternatively, start holding individuals inside corporations personally liable for things like criminal negligence and you'll find devices will get properly secured instead of being pushed out the door.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Overly complex by Anonymous Coward · · Score: 0

      Even cells have an access control. Maybe something could be done about it, like using a light or ultra sound based locks. Low power requirement might imply hardware implementation of software functionality instead of the other way around.

    2. Re:Overly complex by Ihlosi · · Score: 4, Informative
      Honestly, if you have 8000 bugs in your system then you haven't just done a bad job of securing your code,

      May I suggest you read the paper first before heading off on a rant?

      Basically all of the 8000 vulnerabilities (not bugs) are due to third-party libraries used in one of the components examined, which include "home monitoring devices" and "physician programmers", both systems that probably run Linux/Windows and hence inherit a lot of vulnerabilities from there.

    3. Re:Overly complex by Anonymous Coward · · Score: 0

      Honestly, if you have 8000 bugs in your system then you haven't just done a bad job of securing your code, you have done a bad job of architecting your software and hardware. Bottom line, they should fire the people in charge of designing this shit and everyone in management who pushed these devices out before they were ready. Alternatively, start holding individuals inside corporations personally liable for things like criminal negligence and you'll find devices will get properly secured instead of being pushed out the door.

      Hold management accountable for setting unreasonable deadlines and not allowing developers to fix known bugs due to release dates set in stone.

  5. The eeee-vil free market at work by Applehu+Akbar · · Score: 2

    If the FDA had to approve all these devices, even at the cost of making the price of everything exorbitant, their rigorous testing would ensure that the firmware wouldn't be riddled with all these bugs.

    Oh, wait --

    1. Re:The eeee-vil free market at work by Anonymous Coward · · Score: 0

      Nice troll, but the FDA is testing these devices for medical safety and efficacy, as well as trying to ensure that the companies that produce them follow a rigorous software development process to catch bugs early and fix them reliably. Security against hacking isn't the FDA's prime responsibility. And there are mitigations in place (see my post above starting with "I used to program pacemakers") which ensures that close physical proximity is required to communicate with a pacemaker, so the problem is already largely handled by that simple fact. Most hackers don't want to be well inside punching range when they do their dirty work. Most of the "bugs" described in this research would be quite difficult to exploit for that simple reason, and hence aren't as serious as TFA makes them sound.

    2. Re:The eeee-vil free market at work by phantomfive · · Score: 1

      Having worked on medical devices, I would suggest that FDA approval of software is basically useless. I've seen extremely crappy code pass their review.

      --
      "First they came for the slanderers and i said nothing."
    3. Re: The eeee-vil free market at work by occamboy · · Score: 1

      The FDA doesn't actually do testing. The device maker supplies evidence that development followed a process that includes testing, the types and amounts of testing being based on the risks posted by the device.

      A company can potentially lie, and claim they did testing that they didn't - but Goddess help you if FDA figures that out: you're in deep, deep trouble. And they can definitely figure it out during a regular inspection, or if people get injured by your product, etc.

    4. Re: The eeee-vil free market at work by Applehu+Akbar · · Score: 1

      Certainly, but the FDA is supposed to manage a testing process that assures, in a case like this, that ISIS wouldn't be able to pull a trick like setting off all the stimulating pacemakers (the kind that can actually reboot a failing heart) in Hollywood right in the middle of Academy Awards night.

  6. Should have stuck to the old designs by Anonymous Coward · · Score: 0

    Jay Minder knew how to design chip-sets light years ahead of his day and in his spare time he invented pacemaker technology. It worked back then and would still work today.

  7. Money, its all about making money! by bfmorgan · · Score: 2

    Please understand that money is the reason that companies make this devices. When security concerns raise their ugly head, they get slapped down. Ego, we have devices that are open for exploitation. Security will also be ignored when $$$ are you objective. If customers stop buying these devices because they are insecure then, and only then will manufactures add the cost of security into the price of these devices.

    --
    I hope this caused some synapses to fire.
    1. Re:Money, its all about making money! by RuffMasterD · · Score: 1

      To exploit a pacemaker, you will have to reverse engineer the communication protocol and API for a particular brand and model of pacemaker, then ghetto-hack your own portable pacemaker programmer, then find a victim who happens to have that exact brand and model inside their chest, and then hold your device right up against their chest for more than an awkward amount of time while your device reconfigures the victims pacemaker. There are cheaper, faster, and far more effective ways to mess people up, but go right ahead and hack a pacemaker if it's so easy.

      --
      Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
  8. Whew by Anonymous Coward · · Score: 0

    For a couple seconds I thought of literal bugs, and the title was slightly more nightmare fuel-ish.

  9. Assassination Vector by Frosty+Piss · · Score: 1

    No question the CIA knows all about these bugs, this vector is an ideal assassination technique. Just think if they had this tech in the 60's and Fidel had had a pacemaker or other medical device like one of these. The bar for political assassinations for Western nations has risen (a little), but the Russians would be all over this as well.

    --
    If you want news from today, you have to come back tomorrow.
  10. And you think medical devices are expensive now? by Anonymous Coward · · Score: 0

    Considering how expensive medical devices are right now, I am going to say I prefer the current somewhat buggy software, over the higher cost it would take to fix the bugs.

  11. Re:And you think medical devices are expensive now by 0123456 · · Score: 1

    The cost of the software development is probably negligible compared to the cost of regulations.

  12. Most Important Question by Anonymous Coward · · Score: 0

    Which models and companies are in the 17% that can be secured, or even better, the 9% of device makers that review security annually? And why isn't security being monitored constantly? A lot can happen in a year.

  13. "Don't Fix it!" -NSA by Anonymous Coward · · Score: 0

    If one were to patch all of these vulnerabilities, it would undermine every effort we have placed into pushing for devices to become part of the Internet of Things.

    Leave hole enough alone.

  14. As it happens... by occamboy · · Score: 1

    I'm working with some other folks to start a company to develop, manufacture, and market open-source medical devices. We all have extensive experience in developing commercial medical devices - defibrillators, radiation therapy for tumors, etc - and we're convinced that getting more eyeballs to review software and hardware will substantially increase safety and reduce costs.

    Yes, we know how to work with the FDA and so forth.

    Stay tuned...

  15. Coming from Detroit by Anonymous Coward · · Score: 0

    Coming from the auto industry, I mean we're cowboys (compare to aviation and defense). But the medical guys. Jesus, they're hatchetjobs.

  16. Re:What OS do they run? by Anonymous Coward · · Score: 0

    Linux is the Kernel. The Kernel isn't the issue, it's all the crap written on top of it.

  17. I find the questions at the end of the study funny by Ihlosi · · Score: 3, Interesting
    Are debugging interfaces (e.g., JTAG and UART) present on home monitoring devices or physician programmers? Are the interfaces or functionality disabled prior to distribution?

    So how is the manufacturer supposed to diagnose devices that malfunctioned out in the field? If you lock the debugging interfaces, they can usually only be reactivated by completely clearing the devices flash memory - or even not at all.

    Are third-party libraries used in software development?

    What kind of question is that?

    Ok, I've seen code without any third party libraries. It was all assembly, only available in hardcopy, written for an 8051 and about 30 years old.

    Is the firmware image for the implantable cardiac device mapped into protected memory to prevent arbitrary writing to memory addresses?

    I would guess the implantable device doesn't use a microcontroller beefy enough to have an MPU. That would reduce battery lifetime.

  18. Re:And you think medical devices are expensive now by shmlco · · Score: 1

    Which in turn is probably negligible when compared to the 5,000% markup imposed by the medical device manufacturer...

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  19. Open source? by bagofbeans · · Score: 1

    You say open-source, but will your organisation commit explicitly and non-retractably that ALL the code and hardware (including any ASIC HDL) will be published in a way that any individual can duplicate any design independently without agreeing to any contract, such as NDA?

    In which case, how does your business model work?

    1. Re:Open source? by Anonymous Coward · · Score: 0

      That's the intent - we're trying to navigate through that, among other things. The idea is to be a social benefit corporation, and to balance profit with... well, social benefit. Our thinking right now is as follows: As others have written in this thread, our experience has been that the *engineering* in medical devices tends to be conservative - the larger challenge tends to be around maintaining appropriate design/development/manufacturing processes, dealing with regulatory bodies like FDA/EU, controlling upgrades/bug fixes in a way that doesn't permit unsafe situations, and so forth. We'd add value by doing all of that other stuff. But if we start gouging customers for that value, then someone else can pick it up and run with it at lower prices. Also, this will make it easier for poorer countries, where selling/marketing might not be sustainable for us, to adopt safe designs and manufacture internally.

  20. Re: What OS do they run? by Zero__Kelvin · · Score: 1

    I can guarantee you there isn't a single pacemaker in the world running Linux. I certainly hope you are not so phenomenally clueless as to not know that, and are simply so stupid you think that was a good troll.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  21. TDD DDD by Anonymous Coward · · Score: 0

    I hear that Test-Driven Development is better than Death-Driven Development (according to Robert C Martin, but he may be biased... Given that he's a living person, we should check with corporate persons too, so as not to discriminate against any group.)