Last week Billy Rios and Jonathan Butts published a research on the security of pacemakers. In all they identified over 8000 vulnerabilities in third-party components within the subsystems of 4 major vendors’ physician programming and home monitoring devices.
These vulnerabilities exist primarily because vendors are able to cut development time by using commonly available libraries. While the libraries may be considered secure when initially deployed, over time new vulnerabilities are discovered. Unfortunately the patches for these vulnerabilities are not uniformly applied.
This is a common problem with embedded devices, internet-of-things things, and industrial control systems. The use of public libraries makes sense to get a product to market, but many vendors don’t account for the update and patch process.
Additionally, as I’ve written about before, many vendors still use hardcoded or backdoor passwords. The researches have been able to verify hardcoded credentials in three of the four devices tested.
We have to demand better from the vendors selling critical information technology, whether it is an industrial control system or medical equipment. Simple vulnerabilities like insecure libraries, the inability to patch, and hardcoded credentials must be addressed by vendors.