Medical implants and hospital systems are still infosec dumpster-fires

Medical devices have long been the locus of information security's scariest failures: from the testing and life-support equipment in hospitals to the implants that go in your body: these systems are often designed to harvest titanic amounts of data about you, data you're not allowed to see that's processed by code you're not allowed to audit, with potential felony prosecutions for security researchers who report defects in these systems (only partially mitigated by a limited exemption that expires next year). What's more, it can get much worse.

A pair of new studies from independent security researchers show that things are as bad or worse as they've ever been in the domain of implants and hospital systems.

Whitescope's whitepaper on pacemaker security analyzes 7 different pacemaker programming devices from four different manufacturers (devices that can reprogram a pacemaker remotely, generally by using radio signals) and finds that they are collectively undefended against 8,000 know vulnerabilities, and do not have even simple authentication between pacemakers and pacemaker programmers, meaning that there's no way your implanted pacemaker can tell whether it is connected to a legit device or an attacker's hacking tool.

Whitescope was only able to publish this paper because of a limited, expiring exemption to the Digital Millennium Copyright Act that the Electronic Frontier Foundation won last year (but the exemption doesn't extend to allowing them to publish some code samples and other sorts of normal security-audit data that would help other security researchers extend their work).


The other study, from the Ponemon Institute, bears the reassuring and self-explanatory title Medical Device Security: An Industry Under Attack and Unprepared to Defend.

Some highlights: "budget increases to improve the security of medical devices would occur only after a serious hacking incident occurred"; " organizations do not encrypt traffic among IoT devices"; "testing of medical devices rarely occurs" and "device makers and users do not disclose privacy and security risks of their medical
devices."


Understanding Pacemaker Systems Cybersecurity
[Whitescope IO]

Medical Device Security: An Industry
Under Attack and Unprepared to Defend
[Ponemon Institute]


'Thousands' of known bugs found in pacemaker code [BBC]

(via /.)