Take two software updates and see me in the morning: the case for software security evaluations of medical devices

2011 
Medical devices used for critical care are becoming increasingly reliant on software; however, little is understood about the security vulnerabilities facing medical devices and their software. To investigate this open question, we analyze the security of software that controls a modern Automated External Defibrillator (AED) used for treating cardiac arrhythmias. This report represents the first public embedded software security analysis of a medical device. We identify several software security vulnerabilities and discuss key insights and open challenges in improving software-controlled medical devices to be resistant to malware. We found the AED would accept counterfeit firmware updates. We did not locate any standard cryptographic controls. We conclude with recommendations and open challenges in securing medical devices.