38C3

Implantable Cardiac Devices - Security and Data Accessibility
2024-12-30, Saal 1
Language: English

Cardiac Implantable Electronic Devices (CIEDs), such as cardiac pacemakers and defibrillators, are a fairly niche target for security researchers, in part due to a lack of manufacturer cooperation and device accessibility. This talk aims to provide insights into the challenges in device development and methods with which to research device security. Data accessibility for patients will also be touched upon.


CIEDs may adversely affect the patients implanted with them should their security be compromised. Although some efforts to secure these devices can be noted, security has quite often been lacking, which may enable malicious actors to harm patients or compromise data confidentiality. Given the vast consequences of security vulnerabilities within this industry, the author aims to provide insight into the challenges associated with designing security architectures for such platforms, as well as possible methods for researching these devices safely even when lacking manufacturer cooperation and access to device programmers.
Data collected by CIEDs and transmitted through remote monitoring is an additional concern for patients. Whilst research has shown that most manufacturers do respond in a timely and comprehensive fashion to GDPR requests, immediate data access is not yet possible, and patients must reach out to their doctors to obtain the requisite (event) data. A proposed solution is presented, showing how a patient communicator may be designed to allow patients interested in their autonomy to perform limited device interrogation in a safe and secure manner.

Computer Scientist
Electronics Engineer
Hardware Hacker
Security Researcher, primarily focused on embedded devices
Bug Bounty Hunter