- Implantable medical devices (IMDs), including pacemakers and Implantable Cardioverter Defibrillators (ICDs), were found to be vulnerable to denial-of-service (DoS) attacks, which could lead to patient safety issues, according to a recently published study.
Researchers hailed from several institutions in Europe, including KU Leuven and the University of Birmingham.
The researchers used a “reverse engineering and security analysis of the proprietary long range communication protocol between the device programmer and the latest generation of ICDs.”
“We show that for proprietary protocols on which we had no prior knowledge or documentation, reverse-engineering is possible by a weak adversary without even needing to have physical access to the devices,” the researchers explained. “Our second contribution consists of demonstrating several attacks that can compromise the ICD’s availability and the patient’s privacy.”
The study also discussed potential “short- and long-term measures to mitigate or solve the existing vulnerabilities in the latest generation of ICDs.”
For DoS attacks specifically, researchers stated that ICDs operate in four main modes: sleep, interrogation, reprogramming, and standby. An ICD should be set to sleep mode when a communication session with a programmer has finished or if there has been no reprogramming operation within two hours.
“However, we discovered that, after the ICD has been activated, it remains in ‘standby’ mode for five minutes, where it can be put in the ‘interrogation’ mode again if it receives a specific message,” the researchers wrote. “This message turns out to be identical for all ICDs and is sent over the long-range communication channel.”
Essentially, a third-party does not need to be within close proximity to a patient to activate that patient’s ICD. This implementation flaw could make devices vulnerable to DoS attacks, the study showed.
“The purpose of these attacks is to keep the ICD alive by continuously sending this message over the long-range communication, which could drastically reduce the ICD battery life,” the authors warned. “Yet, this also opens up the door for adversaries to perform other types of attacks more easily, as they can send this message to extend the five minute window as many times as needed to send malicious messages to the ICD without requiring being close to the patient.”
A short-term solution is using jamming as a defensive mechanism, the researchers suggested. In the long-term, “external devices could send a ‘shutdown’ message to the ICD so that the ICD can immediately switch to ‘sleep; mode after the communication ends.”
Earlier this year, St. Jude Medical Center disputed claims that some of its medical devices were vulnerable to cybersecurity attacks.
St. Jude even filed a lawsuit against Muddy Waters Consulting LLC, Muddy Waters Capital LLC, MedSec Holdings, Ltd., MedSec LLC, and three individual defendants who are principals in the firms. The lawsuit claimed that Muddy Waters and MedSec committed “false statements, false advertising, conspiracy and the related manipulation of the public markets in connection with St. Jude Medical’s implantable cardiac management devices.”
In August 2016, Muddy Waters released a report stating that certain St. Jude cardiac devices have cybersecurity vulnerabilities that are “more worrying than the medical device hacks that have been publicly discussed in the past.” The devices could also be attacked within a 50 foot radius, according to Muddy Waters.
"We believe this lawsuit is critical to the entire medical device ecosystem — from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St. Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme," said St. Jude President and CEO Michael T. Rousseau.