Two Different Studies Find Thousands of Bugs In Pacemakers, Insulin Pumps and Other Medical Devices

Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. "One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices," reports BBC. "The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets." From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care." The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.

This is a surprise how?

[Snotnose]

Companies used to building medical hardware have discovered microcontrollers and hired the cheapest programmer or two they could find to program it. Companies not used to software, hiring low skilled programmers, probably giving them unreasonable schedules and requirements. Color me shocked.

Love to hear from one of the programmers who programmed one of these things, hear what they have to say.

Overly complex

[Gravis+Zero]

Honestly, if you have 8000 bugs in your system then you haven't just done a bad job of securing your code, you have done a bad job of architecting your software and hardware. Bottom line, they should fire the people in charge of designing this shit and everyone in management who pushed these devices out before they were ready. Alternatively, start holding individuals inside corporations personally liable for things like criminal negligence and you'll find devices will get properly secured instead of being pushed out the door.