The flaws have been found in 10 different types of medical implant, according to a paper published by a group of researchers. The team warned that implants transmit sensitive data using protocols “with no or limited security,” allowing cybercriminals in the vicinity to intercept the communications, steal patient data and send operating commands to the implant.
The BBC reports that the researchers successfully adjusted the settings of the implants by exploiting the software issues. In some instances, they could turn off the device altogether, preventing it from carrying out its role inside the body. The lack of security could have severe medical consequences for people using the implants. The problems discovered could prove to be fatal.
All the implants affected were made by a single company. They are currently in widespread use by patients. While most implants operate without any intervention, some newer ones create short-range wireless networks around themselves that allow doctors to connect to the implant to retrieve data. The two-way connection can also be used to trigger components of the implant’s functionality.
The research team recognised the medical benefits that the next-generation implants can offer. However, it warned that the devices need better security if they’re to avoid putting patients at risk of having their implant turned off by a cyberattacker.
“While these advances bring substantial clinical benefits to patients, new security and privacy threats also emerge, specially due to the wireless communication between these devices,” wrote the group in its paper.
“Adversaries may eavesdrop the wireless channel to learn sensitive patient information, or even worse, send malicious messages to the [implant]. The consequences of these attacks can be fatal for patients as these messages can contain commands to deliver a shock or to disable a therapy.”
To use the exploit, an attacker would need to be relatively close to the patient. No physical contact is required, though, and the wireless signals can travel several metres out of the body.
The team also demonstrated techniques allowing the implant’s wireless activation mechanisms to be circumvented. These usually prevent the connection being established until a separate wireless network has enabled it. The activation network has a very short range that effectively requires physical contact with the patient to use.
The discovery raises further concerns around the safety of the Internet of Things. Flaws in everything from webcams to kettles have been highlighted recently. This isn’t the first time concerns have been raised about the wireless networks created by medical devices, and it’s unlikely to be the last.
The researchers called for “urgent” improvements in the security of implants to prevent patients being injured. The manufacturer of the affected devices has been notified and is working to deploy a firmware update to patch the issues.
