“Fatal” security bugs discovered in defibrillators and medical implants

A team of researchers found several potentially “fatal” security flaws in 10 different medical implants.

Researchers at the University of Birmingham in the U.K. and the University of Leuven in Belgium discovered vulnerabilities in the software and signals that communicate with implant devices. The software is used to update the devices or gather data readings on a patient.

By tinkering with the bugs, the researchers were able to change the settings on the devices and, in some cases, shut them down entirely, as well as steal sensitive medical data about the patient.

The device manufacturer's name has not been disclosed, but the researchers said the maker patched the bugs before the research paper was made public. The researchers only studied one manufacturer but added that its products are widely used by healthcare professionals.

The remote software for medical devices like pacemakers helps doctors manage a patient’s condition and make sure the devices are working properly. However, the researchers were able to reverse-engineer the software and the signal it sends, allowing them to eavesdrop on the communications and alter the commands.

According to the paper, the reverse engineering was carried out using “inexpensive Commercial Off-The-Shelf (COTS) equipment”.

“We demonstrate that reverse-engineering is feasible by a weak adversary who has limited resources and capabilities without physical access to the devices,” they wrote. However, a hypothetical attacker, in most cases, would need to have their equipment within five meters of the actual devices to pull most of these attacks off, the research noted.

In one example, an attacker would be able to collect sensitive data readings about the patient and change the commands sent to a device such as a pacemaker to disable certain functions or deliver an unneeded shock to the person, which could be fatal.

In another attack, the researchers were able to keep an Implantable Cardioverter Defibrillator (ICD) turned on despite “standby mode” being selected. This would drain the battery much more quickly than usual, putting the patient at risk.

It was even possible, the authors claimed, to conduct denial of service attacks using a flawed implanted defibrillator.

“It is clear that the consequences of all these attacks can be severe for patients,” wrote the authors.

Previous studies have suggested that it was possible to infiltrate the communications between medical equipment and its software. In October, hackers showed how it was possible to break into insulin pumps and alter the dosage. The findings led manufacturer Johnson & Johnson to issue a warning to patients.

Jonathan Keane
Former Digital Trends Contributor