A team of researchers found several potentially “fatal” security flaws in 10 different medical implants.
Researchers at the University of Birmingham in the U.K. and the University of Leuven in Belgium discovered vulnerabilities in the software and signals that communicate with implant devices. The software is used to update the devices or gather data readings on a patient.
By tinkering with the bugs, the researchers were able to change the settings on the devices and in some cases shut them down entirely as well as steal sensitive medical data about the patient.
The device manufacturer name has not been disclosed but researchers said the bugs have since been patched by the maker before the research paper was made public. The researchers only studied one manufacturer but added that its products are widely used by healthcare professionals.
The remote software for medical devices like pacemakers helps doctors manage a patient’s condition and make sure they are working properly. However, the researchers were able to reverse-engineer the software and the signal it sends to eavesdrop on the communications and alter its commands.
According to the paper, the reverse engineering was carried out using “inexpensive Commercial Off-The-Shelf (COTS) equipment”.
“We demonstrate that reverse-engineering is feasible by a weak adversary who has limited resources and capabilities without physical access to the devices,” they wrote. However, a hypothetical attacker, in most cases, would need to have their equipment within five meters of the actual devices to pull most of these attacks off, the research noted.
In one example, an attacker would be able to collect sensitive data readings about the patient and change the commands for a device like pacemakers to disable certain functions or deliver an unneeded shock to the person, which could be fatal.
In another attack, the researchers were able to keep an Implantable Cardioverter Defibrillator (ICD) turned on despite “standby mode” being selected. This would drain the battery much quicker than usual, putting the patient at risk.
It was even possible, the authors claimed, to conduct denial of service attacks using a flawed implanted defibrillator.
“It is clear that the consequences of all these attacks can be severe for patients,” wrote the authors.
Previous studies have suggested that it was possible to infiltrate the communications between medical equipment and their software. In October, hackers showed how it was possible to break into insulin pumps and alter the dosage. The findings led manufacturer Johnson & Johnson to issue a warning to patients.