Security Testing of the Pacemaker Ecosystem
Abstract
In recent years there has been increased attention to cyber-security in 'smart' devices. With the rise of the Internet of Things it is becoming popular to connect every 'smart' device to the internet, including devices that are responsible for life-critical functions. As such, we, as beings, are also connected to the internet. Over the past few years, attention has increased especially regarding cybersecurity risks in medical equipment, with companies being sued for performing what is industry-standard practice for non-medical devices, namely security testing. With new regulations upcoming in both the European Union and the United States, it is important that manufacturers of medical equipment can be trusted to comply with these demands.
In our thesis, we take a deeper look into the state of the security of medical implants with life-critical functions. More specifically, we look at the devices inside what is referred to as the pacemaker ecosystem, which includes a pacemaker, a pacemaker programmer and optionally a Home Monitoring Unit. Our thesis aims to contribute to the environment of which the pacemaker ecosystem is a part, meaning both the development cycle of systems that interact with medical devices and the environment in which they are utilized. Furthermore, our results will be disclosed through the appropriate channels to the manufacturer of the equipment that has been tested, in compliance with the principles of Coordinated Vulnerability Disclosure.
Our research is part of a larger project on medical device security at SINTEF led by our supervisor. Our findings provide a thorough evaluation of this particular equipment and the resources provided to us, and our results include a platform from which others can continue our work. Furthermore, we use our platform to uncover a large potential attack surface and disclose vulnerabilities which cause concern for patient safety and data privacy. Finally, we suggest countermeasures to the vulnerabilities we discovered, and discuss the potential impact these vulnerabilities could have. These findings imply that the manufacturer does not comply with the new directives from the governing bodies that regulate these devices in the market, directives that will be mandatory to follow in the near future.