Are Legacy Medical Device Security Flaws Going Unfixed?
Researcher Billy Rios Describes Alleged Medtronic Cardiac Device Woes
While many medical device makers appear to be building better cybersecurity into their new products, some manufacturers are still avoiding fixing vulnerabilities in legacy devices that pose potential safety risks to patients, security researcher Billy Rios contends.
"As a whole, I think the industry is getting better [at addressing cybersecurity]. When we look at new devices ... it seems those are a lot better than the legacy devices," Rios, founder of WhiteScope, says in an interview with Information Security Media Group.
But in some cases, manufacturers are "putting a little too much stock in the next version of their products" while overlooking critical cyber issues in their legacy devices already in use, he claims.
Cardiac Device Flaws
Among the examples of legacy medical device cybersecurity problems going unfixed are several vulnerabilities that Rios says he and security researcher Jonathan Butts of QED Secure Solutions identified in the last two years in a number of products from manufacturer Medtronic.
That includes some of the company's Carelink 2090 pacemaker programmers and the backend network that provides software updates to the cardiac pacemaker devices that are actually implanted in patients, Rios says.
The two researchers have brought these vulnerabilities to the attention of Medtronic, as well as to federal agencies, including the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team and the Food and Drug Administration, Rios says.
Some of those vulnerabilities were eventually the subject of alerts from US-CERT and press releases from Medtronic, he notes. But fixes from Medtronic to address most of the vulnerabilities are still lacking, Rios claims.
"The most concerning [flaw] is some weakness in the software delivery and update mechanisms - the [pacemaker] programmers themselves," Rios says.
These programmers "reach out to a server ... on the internet to try to download some new software for the programmer itself. Those programmers have the capability to update the [patients'] therapy on the implantable devices themselves - like pacemakers," he says.
"If the physician were to use a compromised programmer, the programmer would have the ability to change the therapy on the pacemaker itself ... essentially put malware on the pacemaker," he claims. "There are a variety of weaknesses associated with [Medtronic] software update mechanism - and those issues haven't been patched."
Rios and Butts brought the problems to Medtronic's attention two years ago, Rios says. "Why it's taking so long for them to update, I'm not sure," he says. Medtronic has publicly acknowledged there is "low risk" to patients associated with these vulnerabilities, yet the flaws go unfixed, he adds.
"I know that when we were talking to some folks over at Medtronic about some of the security issues we had discovered, one of the answers they had was, 'Hey, we're building some of these security defenses into our next generation programmer.' We think that's great. However, if you're a physician delivering care to patients today [with existing product], that [improved] programmer doesn't exist. There are risks with devices that are in hospitals today being used by doctors ... and clinical staff," he says.
"If we know about vulnerabilities that can be used to hurt people, those should be fixed, even if the manufacturer believes there is a low risk of a particular vulnerability being exploited."
In a statement provided to ISMG, Medtronic says, "Product safety and quality are top priorities for Medtronic, and we have a strong product security program that leverages internal and external security and medical device experts, rigorous development processes and current practices to enable security and usability. We are, and continue to be, committed to delivering safe and effective devices to address our patients' therapeutic conditions.
"It's important to note, however, that the likelihood of a breach of a patient's device is low, and we are not aware of any security breaches involving patients with our medical devices. All medical devices carry some associated risk, and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide."
Medtronic also notes: "We value collaboration and transparency with industry partners and the regulatory community, and we support FDA guidance on these matters. Medtronic is committed to a robust, coordinated disclosure process and takes seriously all potential cybersecurity vulnerabilities in our products and systems, and we consistently seek to improve these processes, in terms of our technical evaluation, required remediation and speed of disclosure. We follow formal processes, as required by the FDA and other regulators, for evaluating and mitigating the risks associated with all cybersecurity vulnerabilities. In the past, WhiteScope has identified potential vulnerabilities which we have assessed independently and also issued related notifications. We are not aware of any additional vulnerabilities they have identified at this time."
The FDA's assessment of the potential vulnerabilities identified in Medtronic devices is ongoing, the FDA says in a statement provided to ISMG.
"The FDA values the important work of security researchers and we are engaged with security researchers, industry, academia and the medical community in ongoing efforts to ensure the safety and effectiveness of medical devices as they face potential cyber threats, at all stages in the device's lifecycle," the statement notes.
Information sharing is a key part of the DHS' important mission to create shared situational awareness of malicious cyber activity, DHS says in a statement to ISMG.
"The National Cybersecurity and Communications Integration Center is aware of the alleged vulnerability and is working with the FDA, researchers and the vendors on this issue. Since 2012, NCCIC has facilitated disclosure of approximately 50 vulnerabilities affecting medical devices," DHS says.
"NCCIC is in the process of finalizing a Memorandum of Agreement with the FDA on medical device security. As always, NCCIC's goal is to provide vulnerability assessment, vulnerability coordination, and incident response services to all critical infrastructure sectors and encourage responsible disclosure of any additional vulnerabilities found by other partners."
In the interview, Rios also discusses:
- How he suggests Medtronic could potentially use "code signing" to address the programmer-related weaknesses identified;
- Vulnerabilities in other medical devices from Medtronic as well as from other makers;
- Suggestions to patients and healthcare entities that use the products containing the alleged vulnerabilities.
Rios is the founder of information security research firm WhiteScope, based in Half Moon Bay, Calif. His previous roles included director of vulnerability research and threat intelligence for Qualys, global managing director of professional services for Cylance and "security ninja" for Google. He's also served as an officer in the U.S. Marines and worked as an information assurance analyst for the U.S. Defense Information Systems Agency.