Understanding and Exploiting Implanted Medical Devices

Conference:  BlackHat USA 2018



The presentation discusses cybersecurity vulnerabilities in medical devices and the importance of proper disclosure to ensure patient safety.
  • The researchers found vulnerabilities in major manufacturers of implantable medical devices and reported them to the vendors.
  • Proper disclosure is important to ensure patient safety and allow physicians to make informed decisions.
  • The focus should be on patient safety rather than just information assurance principles.
  • The benefits of implanted devices outweigh the risks of cybersecurity vulnerabilities.
  • An anecdote is provided about a difficult vendor to work with during the disclosure process.
The researchers had difficulty working with one manufacturer during the disclosure process, despite having worked with many vendors in the past. This highlights the importance of cooperation and transparency between researchers and manufacturers to ensure patient safety.


There has been significant attention recently surrounding the risks associated with cyber vulnerabilities in critical medical devices. Understandably, people are concerned that an attacker may exploit a vulnerability to modify the delivery of patient therapy, such as altering the dosage of medicine, delivering insulin therapy, or administering a shock via a pacemaker. These concerns raise several questions, such as: How do these devices work? What does the typical attack surface for implanted medical device look like? What do exploits against these systems look like? How do manufacturers respond to potentially life-threatening security issues? This presentation will address all these questions. This presentation is the culmination of an 18-month independent case study in implanted medical devices. The presenters will provide detailed technical findings on remote exploitation of a pacemaker systems, pacemaker infrastructure, and a neurostimulator system. Exploitation of these vulnerabilities allow for the disruption of therapy as well as the ability to execute shocks to a patient. The researchers followed coordinated disclosure policies in an attempt to help mitigate the security concerns. What followed was an 18-month roller coaster of unresponsiveness, technical inefficiencies and misleading reactions. The researchers will walk the audience through the details of disclosure and discuss the responses from the manufacturer and coordination associated with DHS ICS-CERT and the FDA. How did the manufacturer initially respond? What tactics did the manufacturer use to attempt to dismiss the independent researchers? Was the response by the manufacturer adequate from a patient responsibility standpoint? Has the actual technical vulnerability even been addressed?