Bluetooth Pairing on the Cardiac Monitor — Security Risks and Firmware Reality
I watched a paramedic pair a LifePak 15 to a tablet in a crowded ED hallway last year. She tapped the Bluetooth menu and confirmed the pairing code without looking at it. The whole thing took maybe eight seconds.
That is fast. It is also a pairing window that any Bluetooth-capable device in range could have used.
Cardiac monitors from LifePak, Zoll, and Corpuls all ship with Bluetooth for wireless data transmission. The feature saves time and reduces cable clutter. It also introduces a pairing attack surface that most agencies have not assessed, because the monitor is treated as a clinical tool and not as a network endpoint.
Medical Device Bluetooth Pairing Security Risks
Bluetooth pairing on a cardiac monitor works the same way it works on any other device. Two radios establish a shared secret, then encrypt the link between them. The security of that link depends on the pairing method and the firmware version running on both sides.
Legacy Pairing uses a fixed PIN, often 0000 or 1234. An attacker within radio range can observe the pairing process and derive the link key. Once they have the key, they can decrypt any data transmitted over that link. Secure Simple Pairing (SSP), introduced in Bluetooth 2.1, uses public-key cryptography and is resistant to passive eavesdropping. But SSP is only as good as the firmware that implements it. A monitor running an outdated Bluetooth stack may fall back to Legacy Pairing.
The research on this is not theoretical, and it should concern anyone who manages a monitor fleet. The FDA's cybersecurity guidance for medical devices states:
> Manufacturers should consider the cybersecurity risks associated with wireless communication protocols, including Bluetooth, and implement controls to protect the confidentiality, integrity, and availability of the device and the data it transmits.
That is the regulatory standard, and the question is whether the devices in your fleet meet it. In 2020, researchers demonstrated that several medical-grade Bluetooth implementations were vulnerable to MitM attacks because the devices advertised "NoInputNoOutput" IO capability, which means the pairing process cannot confirm a numeric comparison. The link establishes without any user verification. If your monitor uses that IO profile, an attacker with a software-defined radio in the waiting room can pair to it before the intended tablet does.
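To make the IO capability point concrete, here is an added example (not vendor code and not from the original post) that derives the SSP association model from the two devices' IO capabilities, following the Bluetooth BR/EDR mapping, and flags pairings with no MitM protection. The fleet records, their field names, and the `legacy_fallback` flag are constructed assumptions standing in for whatever your vendor documentation reports.

```python
from enum import Enum

class IOCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YES_NO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"

def association_model(a: IOCap, b: IOCap):
    """Return (model, mitm_protected) for a pair of SSP IO capabilities."""
    caps = {a, b}
    if IOCap.NO_INPUT_NO_OUTPUT in caps:
        # Neither side can show or confirm a code: the link is unauthenticated.
        return ("Just Works", False)
    if IOCap.KEYBOARD_ONLY in caps:
        # One side types a passkey that the other displays (or both type it).
        return ("Passkey Entry", True)
    if caps == {IOCap.DISPLAY_YES_NO}:
        # Both sides display six digits and a human confirms they match.
        return ("Numeric Comparison", True)
    # A DisplayOnly device cannot confirm, so the comparison is auto-accepted.
    return ("Numeric Comparison (auto-confirmed)", False)

# Constructed sample fleet; identifiers and field names are hypothetical.
FLEET = [
    {"monitor": "MON-01", "monitor_io": "DisplayYesNo",
     "tablet_io": "DisplayYesNo", "legacy_fallback": False},
    {"monitor": "MON-02", "monitor_io": "NoInputNoOutput",
     "tablet_io": "DisplayYesNo", "legacy_fallback": False},
    {"monitor": "MON-03", "monitor_io": "DisplayYesNo",
     "tablet_io": "DisplayYesNo", "legacy_fallback": True},
]

def audit(fleet):
    """Return (monitor, finding) tuples for pairing profiles that need review."""
    findings = []
    for p in fleet:
        model, protected = association_model(
            IOCap(p["monitor_io"]), IOCap(p["tablet_io"]))
        if p["legacy_fallback"]:
            findings.append((p["monitor"], "accepts Legacy Pairing fallback"))
        if not protected:
            findings.append(
                (p["monitor"], f"{model}: no user verification of the peer"))
    return findings

if __name__ == "__main__":
    for monitor, finding in audit(FLEET):
        print(monitor, "-", finding)
```

A tablet with a full display does not help if the monitor advertises NoInputNoOutput: the weaker side decides the model.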
The crowded ED hallway makes this worse. Multiple monitors, tablets, and gateways are all advertising themselves at the same time. A clinician in a hurry may confirm a pairing request without verifying which device it came from. The monitor does not know the difference between the authorized tablet and an attacker's laptop. It just sees a Bluetooth device that wants to pair.
Securing LifePak and Zoll Cardiac Monitors
The three major vendors handle Bluetooth security differently, and the differences matter for your threat model.
LifePak monitors from Stryker use a bonding model that persists across sessions. Once paired, the monitor and tablet remember each other and reconnect automatically. This is convenient for shift changes but means the bond lasts indefinitely. If a tablet is lost or compromised, the monitor will still accept its connection until the bond is manually cleared. Stryker has improved the Bluetooth stack in recent firmware releases, but the bonding behavior is a design choice that trades security for speed.
Zoll monitors pair through the Zoll ePCR integration rather than through the monitor's own Bluetooth menu. The pairing process is managed by the tablet application, not the monitor itself. This puts the security boundary in the software layer, which is easier to patch than the monitor firmware. The tradeoff is that the pairing window stays open longer during shift setup, and a Zoll monitor in discovery mode will respond to any compatible tablet that sends a pairing request.
Corpuls monitors use a modular architecture where the Bluetooth radio is a separate component. The security posture depends on how the Corpuls Gateway is configured. If the gateway is configured with default credentials or an unpatched Bluetooth stack, the monitor's security is irrelevant.
The common thread across all three vendors is that the pairing process is designed for clinical convenience. The underlying security assumption is that the ED is a trusted environment. That assumption does not hold in a public hospital where the waiting room is thirty feet from the treatment bay.
Bluetooth Man in the Middle Attack on Medical Devices
A Bluetooth MitM attack against a cardiac monitor follows a predictable sequence. The attacker positions a device within radio range of the target monitor. They spoof the tablet's Bluetooth MAC address or simply wait for the monitor to enter pairing mode. When the clinician initiates pairing, the attacker's device intercepts the exchange and establishes encrypted links with both devices, then relays data between them.
The attacker does not need to be in the same room. Bluetooth Class 2 radios have a range of about ten meters, which covers most ED hallways and treatment bays. A laptop in the waiting room or a device in a parked car outside the ambulance bay is within range.
The data the attacker gets depends on what the monitor transmits, and the range of what is exposed is wider than most agencies realize. At minimum, they see the patient's vital signs, which are PHI under HIPAA. If the monitor transmits patient identifiers, they get name, date of birth, and medical record number. If the monitor is configured to push 12-lead ECG waveforms, they get the full clinical data set.
The attack is not difficult to execute. Open-source tools like Bettercap and internalblue can perform Bluetooth MitM attacks against devices using Legacy Pairing or weak SSP configurations. The attacker does not need specialized hardware. A standard laptop with a Bluetooth adapter is sufficient.
How to Update Firmware on Cardiac Monitors
Firmware updates are the single most effective control for Bluetooth vulnerabilities, and they are the hardest to implement in a 24/7 EMS system.
The problem is not that vendors do not release patches. Stryker, Zoll, and Corpuls all publish firmware updates that address Bluetooth CVEs. The problem is that applying those updates requires taking the monitor out of service. In a system running at capacity, there is no spare monitor to rotate out. The update gets scheduled for the next annual maintenance visit.
Some agencies use a staggered update model. They update one monitor at a time during low-volume periods, test it for a shift, then rotate the next one in. This works if the agency has enough spare monitors.
The validation requirement adds another layer of difficulty. Because these are clinical devices, firmware updates must be tested to confirm they do not break life-saving functions. A Bluetooth patch that introduces a reboot loop is not acceptable. The vendor's release notes rarely cover edge cases.
The practical answer is to negotiate firmware update cadence in the procurement contract. Specify that the vendor must provide a firmware update schedule and a process for emergency patches. If the contract does not address this, the Bluetooth stack will stay on whatever version shipped with the monitor.
Preventing Unauthorized Bluetooth Pairing in Hospital Hallways
The controls that work are not complex, but they require changing how the agency thinks about the monitor.
Short pairing windows are the easiest fix. Configure the monitor to stay in pairing mode for a limited time, then disable discovery until the next pairing cycle. This reduces the window of opportunity for an attacker. Most monitors support this setting, but most agencies leave it at the default.
Asset inventory is the second control. Maintain a log of which tablets are paired to which monitors. If a monitor shows a paired device that is not in the inventory, that is a detection signal. Most agencies do not track Bluetooth pairings at all.
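The inventory check can be a short script. The following is an added example (not part of the original post and not a vendor tool) that reconciles each monitor's bonded-device list against the tablet inventory, and also catches the lost-tablet case from the LifePak bonding discussion. All addresses, asset tags, and field names are constructed, and the bond lists are assumed to be transcribed from each monitor's paired-device screen.

```python
# Constructed inventory: tablet Bluetooth address -> asset record.
INVENTORY = {
    "00:11:22:AA:BB:01": {"asset": "TAB-101", "status": "active",
                          "assigned": {"MON-01", "MON-02"}},
    "00:11:22:AA:BB:02": {"asset": "TAB-102", "status": "lost",
                          "assigned": {"MON-02"}},
    "00:11:22:AA:BB:03": {"asset": "TAB-103", "status": "active",
                          "assigned": {"MON-03"}},
}

# Constructed bond lists, one per monitor, as recorded during a shift check.
BONDS = {
    "MON-01": ["00:11:22:aa:bb:01"],
    "MON-02": ["00:11:22:AA:BB:01", "00:11:22:AA:BB:02", "66:55:44:33:22:11"],
    "MON-03": ["00-11-22-AA-BB-01"],
}

def normalize(addr):
    """Canonical upper-case, colon-separated form so string matches are reliable."""
    return addr.strip().upper().replace("-", ":")

def reconcile(inventory, bonds):
    """Return (monitor, address, finding) for every bond that needs action."""
    findings = []
    for monitor, addrs in sorted(bonds.items()):
        for raw in addrs:
            addr = normalize(raw)
            rec = inventory.get(addr)
            if rec is None:
                # Paired device that nobody has on record: the detection signal.
                findings.append((monitor, addr, "UNKNOWN_DEVICE"))
            elif rec["status"] != "active":
                # Bond survives until cleared, even if the tablet is gone.
                findings.append(
                    (monitor, addr, "BOND_TO_" + rec["status"].upper() + "_ASSET"))
            elif monitor not in rec["assigned"]:
                # Known tablet, but not one that should be paired to this monitor.
                findings.append((monitor, addr, "UNASSIGNED_PAIRING"))
    return findings

if __name__ == "__main__":
    for monitor, addr, finding in reconcile(INVENTORY, BONDS):
        print(f"{monitor}  {addr}  {finding}")
```

Because a Bluetooth address can be spoofed, a clean result shows only that no unexpected bonds exist, not that every connection comes from the real tablet.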
Network segmentation is the third control and it addresses the broader risk. If the monitor connects through a gateway, put the gateway on a separate VLAN with strict egress rules. The Bluetooth link is only one segment of the attack surface. If the gateway is isolated, a compromised Bluetooth link does not give the attacker access to the broader network.
I wrote about the broader problem of unmanaged endpoints in USB Drops at Fire Stations, and the same principle applies here. If you do not know what is on your network, you cannot defend it. A cardiac monitor is a network endpoint and should be treated like one.
Frequently Asked Questions
Can a hacker intercept patient data from a cardiac monitor via Bluetooth?
Yes. If the monitor uses Legacy Pairing with a fixed PIN or a weak SSP configuration, an attacker within Bluetooth range can perform a MitM attack and read the transmitted data. The attacker does not need specialized hardware. A laptop with a Bluetooth adapter and open-source tools is sufficient.
Why are cardiac monitor firmware updates not done automatically?
Automatic updates risk bricking a clinical device or introducing instability during patient care. Most agencies require manual validation before deploying firmware updates, and the process of taking a monitor out of service for an update is difficult in a system running at capacity. The result is that updates are often deferred to annual maintenance cycles.
What is the biggest Bluetooth pairing risk in a crowded ED?
The biggest risk is that an attacker in the waiting room or hallway pairs to a monitor before the intended tablet does. The monitor does not distinguish between authorized and unauthorized devices during the pairing window. Once paired, the attacker can receive patient data or inject false readings.
How do LifePak, Zoll, and Corpuls compare on Bluetooth security?
LifePak uses a persistent bonding model that is convenient but means the bond lasts indefinitely. Zoll manages pairing through the ePCR software layer, which is easier to patch but leaves the pairing window open longer. Corpuls uses a modular gateway architecture that shifts the security boundary to the gateway configuration. None of the three are inherently secure out of the box. All require active configuration and firmware management.
What is the single most effective control for Bluetooth monitor security?
Configure the monitor to disable discovery after a limited time, which reduces the attack surface to a narrow window and forces an attacker to be present and active during the exact moment of pairing. It is free, it does not require new hardware, and it works against all three vendors.
The monitor in the ED hallway is a clinical device first. But it is also a Bluetooth radio broadcasting patient data. The pairing window that takes eight seconds is also eight seconds of exposure.
-- Steven