Told you so. But pacemakers maybe not the worst of it

In the continuing saga of why the lack of security in biomed will eventually start killing people, we have yesterday the results of a security analysis of a pacemaker where they found apparently 8600 flaws — of which some are potentially deadly.  It’s an interesting report.  I urge you to read it.

Now, WhiteScope is of course in the business of doing firmware research and assessments — so it’s arguably good for them from a marketing standpoint if the results are panic-inducing — but if you read it for yourself, I think you’ll conclude it’s fair and unbiased.  Yes, there are some specific points that are debatable — for example, they call out lack of encryption in the home monitoring device as an issue, which is absolutely fair.  But that’s nuanced because architecturally it’d be hard to enable that (for telemetry at least) without also having the implantable device do it too, which in turn makes it complicated from a power (and therefore battery utilization) standpoint.

TLDR?  Pacemakers could be attacked, and ultimately kill somebody under the right circumstances.  Read the report.

I’ve been saying this for years.  I’m not going to say I told you so (because I’m too mature for that) so instead, I’ll let Sheldon Cooper do it for me:

Here’s the scary part though.  Biomed’s a big space.  Everybody wants to do research on implantable biomed – because: it’s super scary, it’s really hard to get right (mostly because of power considerations which one wonders why you don’t see the zero power defenses proposed in section V of You-Dub paper more often), and it makes for a compelling “story.”  Anyway, whatever, implantable’s sexy.  But there are more accessible biomed systems that are just as potentially life threatening that nobody seems to care about: radiosurgery, pharma systems, even some imaging systems.

If you don’t believe me that potential errors here are every bit as life threatening as an issue with an implantable device, allow me to call your attention to the FDA guidance on the topic which, according to the fact sheet, should be the document that outlines the premarket “nonbinding recommendations” for security.  It actually says that by the way: the header of every page after 2 is “Contains Nonbinding Recommendations” – sort of like a warning label lest anybody feel the burning need to look to FDA for specific guidance here.  Anyway, they recommend – in sort of a lackadaisical, languid, and of course “non-binding” sort of way – that IP-connected medical devices adhere to certain practices: authentication of users, refrain from hardcoded passwords, heck have passwords at all, etc.  The point being (before I get too fired up about that) that it’s really up to the manufacturer if how will enforce a security model for the device… usually on a COTS OS… usually IP-connected… usually on the same network where employee and patient traffic lives…

So by all means, let’s work on implantable.  But let’s also (for the love of all that’s holy) work on the rest of it too.