Uncovering vulnerabilities in pacemakers

Results from five years of The Pacemaker Hacking Project

Written by PhD Marie Elisabeth Gaup Moe, Senior Security Consultant, mnemonic

 

TL;DR

Back in 2015 I started The Pacemaker Hacking Project as a little hobby in my spare time. I had been living with a pacemaker implanted in my chest for four years and all this time I had a nagging thought in the back of my mind. Could the Internet connectivity of my implant open up an attack surface for hackers? After five years, I am happy to report that a milestone has been reached. A part of my team’s research, which was previously under embargo due to a coordinated vulnerability disclosure process, has finally been published in an official cybersecurity advisory with the following CVEs:

  • CVE-2019-18246: Improper Authentication
  • CVE-2019-18248: Cleartext Transmission of Sensitive Information
  • CVE-2019-18252: Improper Authentication
  • CVE-2019-18254: Missing Encryption of Sensitive Data 
  • CVE-2019-18256: Storing Passwords in a Recoverable Format 

Pacemakers join the connected world

It is estimated that up to one million pacemakers may be implanted globally every year, and this represents a $5 billion USD industry. There are quite a few manufacturers, and the technology continues to evolve to improve battery life, implant size, resistance to interference from things like MRI scans, and remote monitoring and configuration capabilities.

My pacemaker is connected wirelessly through a device called the Home Monitoring Unit (HMU). It comes in different variants that can look a bit like an old-fashioned mobile phone, a home router, or in the case of the most recent model, a smartphone.

The HMU enables data from the pacemaker to be remotely sent to doctors and hospitals. Without this capability, heart rhythm data, diagnostics and configurations would need to be read manually, requiring frequent visits to a hospital or clinic. With remote monitoring, things like abnormal heart rhythms and even issues with the pacemaker itself can be discovered faster, and without the frequent hospital visits. This also helps improve peace of mind when having a piece of technology implanted in your body, knowing that it is functioning correctly at all times.

But with connectivity comes vulnerability, and as a security researcher I was very curious about the security of the device itself, and the wireless communication protocols that transmitted my patient data.

Since the manufacturer of the device was not transparent about their cybersecurity practices, and the communication protocols were all proprietary and not based on any open standards, I decided that the only way to figure this out was to start a hacking project.

 

The Pacemaker Hacking Project

I purchased used home monitoring units on eBay and assembled a small team of volunteers. After being accepted to speak at some high-profile conferences, the project gained attention and I secured a small amount of funding from my employer at the time, the independent research institute SINTEF, to also work on it as part of my day job.

It took some time to get the project rolling due to all of my other work engagements, including a 20% position at the Norwegian University of Science and Technology (NTNU) where I teach students about incident response, forensics and ethical hacking. In order to get more activity in the project, I offered to supervise students working on The Pacemaker Hacking Project as part of their Master's theses. So far six students, collaborating in pairs, have completed their Master's theses, and their work has greatly contributed to the results of the project:

Our research showed that the credentials the HMU uses for logging on to the backend infrastructure are sent in cleartext. Also, the HMU does not perform mutual authentication, which means that it is possible to connect to it using a fake cellular base station and perform a Man-in-the-Middle attack. The HMU switches to an encrypted channel before sending patient data, but the encryption keys are stored in a recoverable format. This means that an attacker with physical access to the HMU can get access to the credentials and use these for network authentication and decryption of data in transit.
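The mitigation for the first two findings above can be sketched as a mutual challenge-response login, in which no credential crosses the link and the device checks its peer before proceeding. This is an added example, not code from the original post or from BIOTRONIK; the `Device` and `Backend` classes, the pre-shared key and the HMAC-SHA256 construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def proof(key: bytes, role: bytes, n_client: bytes, n_server: bytes) -> bytes:
    # The role label binds a proof to one direction, so a proof produced by
    # one side cannot be reflected back as the other side's proof.
    return hmac.new(key, role + n_client + n_server, hashlib.sha256).digest()


class Backend:
    """Hypothetical server side of the login exchange."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, n_client: bytes):
        # Answer the device's nonce with a fresh nonce and a proof of the key.
        self.n_client = n_client
        self.n_server = secrets.token_bytes(16)
        return self.n_server, proof(self.key, b"server", n_client, self.n_server)

    def accept(self, client_proof: bytes) -> bool:
        expected = proof(self.key, b"client", self.n_client, self.n_server)
        return hmac.compare_digest(client_proof, expected)


class Device:
    """Hypothetical monitoring-unit side: verifies the peer before going on."""

    def __init__(self, key: bytes):
        self.key = key

    def login(self, backend: Backend) -> str:
        n_client = secrets.token_bytes(16)
        n_server, server_proof = backend.respond(n_client)
        expected = proof(self.key, b"server", n_client, n_server)
        if not hmac.compare_digest(server_proof, expected):
            return "abort: peer failed authentication"
        # Only a keyed proof is sent; the secret itself never leaves the device.
        ok = backend.accept(proof(self.key, b"client", n_client, n_server))
        return "session established" if ok else "rejected by backend"


def demo():
    key = secrets.token_bytes(32)                  # constructed shared secret
    device = Device(key)
    genuine = Backend(key)
    impostor = Backend(secrets.token_bytes(32))    # peer without the key
    return device.login(genuine), device.login(impostor)
```

A scheme like this only holds if the shared key cannot be read out of the device, which is the remaining finding described above.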

Since I did not want to put patients at risk by publishing our research, the findings were shared with the manufacturer BIOTRONIK in a coordinated vulnerability disclosure process. The disclosure process involved several parties, including the German national cyber security authority (BSI) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the US as coordinators. The regulatory bodies Federal Institute for Drugs and Medical Devices in Germany (BfArM) and the U.S. Food and Drug Administration (FDA) were also included in the information sharing. After numerous conference calls and a process lasting over a year, our research has resulted in the published advisory with the following CVEs:

  • CVE-2019-18246: Improper Authentication
  • CVE-2019-18248: Cleartext Transmission of Sensitive Information
  • CVE-2019-18252: Improper Authentication
  • CVE-2019-18254: Missing Encryption of Sensitive Data 
  • CVE-2019-18256: Storing Passwords in a Recoverable Format 

A technical walkthrough of the findings can be found on Guillaume’s blog.

These research findings were shared with BIOTRONIK in the form of a vulnerability report. BIOTRONIK cooperated according to a Coordinated Vulnerability Disclosure process and appropriately analysed and validated our report. They then shared their responses to each reported vulnerability, and we discussed each point in detail. During these discussions, BIOTRONIK provided sufficient information to confirm that patient harm arising from the vulnerabilities is very unlikely. BIOTRONIK recommends that healthcare providers and patients continue to use the investigated devices as intended and follow device labelling.

BIOTRONIK has also released a statement about our findings where they stress that even though it is possible to exploit these vulnerabilities to launch a Man-in-the-Middle attack on the HMU, their design makes it impossible to transmit commands to the implants remotely, which obviates the potential of reprogramming the patient's device and doing direct harm to the patient.

This means that after five years I can finally rest assured that my pacemaker implant is not at immediate risk from hackers. However, as a cryptographer I am not very happy about seeing that my patient data is encrypted with recoverable keys, and that DES is still being used as an algorithm in the proprietary communication protocols. I am, however, very pleased that BIOTRONIK is taking our vulnerability reports seriously, and that they value our contributions to help secure patients from harm.

 

 

If you want to know more about The Pacemaker Hacking Project, you can have a listen to this episode of the mnemonic security podcast and my TEDx Talk.

 
