
Just how much data are medical devices such as pacemakers and others emitting?


January 5, 2016

A computer security researcher has analyzed the various communication protocols used by her pacemaker and hopes that her findings will raise some awareness of just how much data medical devices and pacemakers are emitting in the wild.

Marie Moe received her pacemaker in 2012 after she experienced a form of arrhythmia and her heart began to gradually slow down.

Soon after, she sought out the manual for her closed-source device and enlisted the help of Cambridge University industrial control expert Eireann Leverett to find out more about the pacemaker that keeps her heart beating normally.

Once a member of Norway's Computer Emergency Response Team, Moe found the device had two wireless interfaces: near-field communications (NFC) electronics used to exchange data with medical equipment during hospital check-ups, and another system for communicating with a bedside device.

Leverett was quick to point out that the bedside unit passes sensitive and critical medical data about Moe from her pacemaker to remote servers, and finally to her doctor's workstation, via insecure communications channels: from SMS and 3G, and then over the standard internet.

Leverett fears those channels are not necessarily secure. Worse, those servers are often hosted in foreign countries, which is a major headache for privacy, among many other issues.

"Personally, I am not worried about being remotely assassinated (sic) but I am more worried about software bugs," Moe told the Chaos Communication Congress in Hamburg, Germany, at the end of December 2015.

"As a patient, I am expected to trust that my device is working correctly and that every security bug has been corrected by the pacemaker vendor, but I want to see more testing and research because we can't always trust vendors. I've learned that from several years of experience dealing with many vendors," she added.

Moe told the audience she bought a bedside hub to tinker with from eBay, adding: "It actually contained other patient information!" The box she bought is readily available online from several sources apart from eBay.

"For example, we had various pairing issues with the hub itself, and Marie couldn't be in the same room for certain types of testing," Leverett pointed out to the audience.

"As a precaution, we will not do experiments involving radio frequencies with me in the room," Moe told the audience this week.

Moe and Leverett say they found other sketchy devices during their research, some of them running Bluetooth technology (very insecure) and others spewing critical device information to Amazon cloud instances...

A developer at a health monitoring company posted to an Amazon AWS support forum, claiming that the "life of our patients is at stake." They said they were monitoring hundreds of cardiac patients at home, and could not see their electrocardiogram signals for the last 24 hours!

All manner of critical medical devices have been hacked, some from metres away using wireless technologies. Defibrillators have been turned off, insulin pumps forced to dump their contents, and thousands of hospital networks and critical devices and databases found wide open to hacking.

Worse, several doctors working at some hospitals were still using Windows XP, an operating system that Microsoft stopped supporting in July 2014. That OS is known to have security holes that could be open to the hacking public.

"We don't want to overemphasize the point of fatal medical exploits. We simply want to show that hacking can save lives, and that hackers are a global resource to save lives," Leverett says. He calls himself a 'white hat' hacker.

Moe is one of a handful of security professionals who are prodding life-critical medical devices in an effort to audit and improve security postures.

Researcher Jay Radcliffe has further investigated his insulin pump, describing his efforts at Black Hat 2011, and free-software advocate Karen Sandler has explored her cardiac defibrillator.

Hugo Campos is continuing to tinker with his defibrillator in an effort to gain access to his medical data.

In 2015, these medical hackers successfully lobbied the U.S. Congress to allow exemptions to restrictive DMCA laws, permitting hackers to explore medical devices and hack vehicles, among others.

Various software flaws are not only security-related. Moe recounts one instance when her pacemaker had to be debugged after it was set to deliver the wrong number of beats, making her nearly collapse after climbing stairs at Covent Garden station. A whole slew of tests revealed that the pacemaker's software wasn't configured properly.

Source: Cambridge University.
