Slashdot Mirror


Hackers Penetrate Top Medical Device Makers

An anonymous reader writes "Hackers have penetrated the computer networks of the country's top medical device makers, The Chronicle has learned. The attacks struck Medtronic, the world's largest medical device maker, Boston Scientific and St. Jude Medical sometime during the first half of 2013 and might have lasted as long as several months, according to a source close to the companies."

76 comments

  1. Response by DoofusOfDeath · · Score: 1, Insightful

    When I hear about stuff like this, I'm ashamed of the savage thoughts and desires I feel towards the perpetrators.

    1. Re: Response by DoofusOfDeath · · Score: 5, Funny

      When I hear about stuff like this, I'm ashamed of the savage thoughts and desires I feel towards the perpetrators.

      Do you want to lick them?

      No, I want to make them use Slashdot Beta.

    2. Re: Response by Anonymous Coward · · Score: 0

      When I hear about stuff like this, I'm ashamed of the savage thoughts and desires I feel towards the perpetrators.

      Do you want to lick them?

      No, I want to make them use Slashdot Beta.

      Doesn't that come under "cruel and unusual punishments"?

    3. Re:Response by Anonymous Coward · · Score: 0

      Better to go after the people using/producing the vulnerable machines.

      They obviously need to have better support.

    4. Re: Response by amalcolm · · Score: 1, Troll

      You sir are a twat. And a troll.

      --
      Time for bed, said Zebedee - boing
    5. Re:Response by Anonymous Coward · · Score: 0

      Me too. I think the managers and legislators who insist on making these devices vulnerable should be removed from their positions. It is in no user's interest for them to work like this, and no priority should be higher than users' interests.

    6. Re: Response by Anonymous Coward · · Score: 1

      You sir are a twat. And a troll.

      The blacks who marched for civil rights would be completely ashamed at the thug gangstas populating every city today. How could there be a more complete rejection of what they stood for?

    7. Re: Response by Anonymous Coward · · Score: 0

      That doesn't change the fact that your ethnocentric stupidity is best summed up by twat and troll, OP was correct.

    8. Re: Response by Anonymous Coward · · Score: 0

      Well played sir!

  2. Take what they can get by cold+fjord · · Score: 4, Interesting

    I imagine they'll take what they can get: IP, personal data, or just more computers to control.

    If it really is China as suggested in the article that could make sense. China's population is going to be aging, and medical devices would be handy for either internal use or for another technology to develop and market.

    This is interesting (FTA): "The medical device makers were not aware of the intrusions until federal authorities contacted them, and they have formed task forces to investigate the breach, he said."

    Who do you suppose noticed the breaches, and how?

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:Take what they can get by Anonymous Coward · · Score: 0

      Many of these device companies have network access/business agreements with healthcare providers around the nation.

    2. Re:Take what they can get by ebno-10db · · Score: 3, Funny

      Many of these device companies have network access/business agreements with healthcare providers around the nation.

      Hence the real reason that the federal government is concerned. They're afraid that the intruders will use that network access to reduce outstanding medical bills to reasonable levels.

    3. Re:Take what they can get by Anonymous Coward · · Score: 1

      Someone got bored hijacking your secure email at the NSA and decided to go trolling for medical device companies?

    4. Re:Take what they can get by Anonymous Coward · · Score: 1

      I worked for Siemens Medical on their Centaur XP device - based on stock Solaris 10, never patched, no real security enabled; their earlier model, still in the field, was based on Solaris 2.6, also not patched - and it was trivial to hack and exploit that machine. Brought it up with management more than once. Silence. As it is, I expect to see articles any day mentioning Siemens' shock and dismay that their flagship medical diagnostic device has been hacked. I just hope no one dies from it.

      -- green led

    5. Re:Take what they can get by tomhath · · Score: 1

      Could've been one of the many agencies they communicate with noticed probes coming from their systems - NIH, FDA, CMS, CDC, etc. But it was more likely an agency that's responsible for stopping espionage by other governments.

    6. Re:Take what they can get by Hal_Porter · · Score: 3, Funny

      Who do you suppose noticed the breaches, and how?

      If the machine next to your hospital bed displays a laughing skull and starts playing mod tunes whilst demanding you pay by credit card to an account in Russia to avoid being "pwned by l33tgr0up" that is likely not a good sign.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    7. Re:Take what they can get by Anonymous Coward · · Score: 0

      Brought it up with management more than once. Silence.

      I know several people who have worked for Siemens. I'm surprised you were able to bring this up more than once.

    8. Re:Take what they can get by Darinbob · · Score: 1

      China pirates a lot of devices. Russia too. Not necessarily state sanctioned but there is a huge market for cloned medical devices.

    9. Re:Take what they can get by Anonymous Coward · · Score: 0

      Is it possible that they may have been searching for devices that carry fissionable material for making a dirty bomb? That is what I would be investigating the hackers for if I were king.

      Don't mess with St Jude.

  3. New Level of Ransomware by Akratist · · Score: 3, Interesting

    Someone probably already wrote a sci-fi story along these lines, but I can easily see someone with an artificial heart, pacemaker, or some other medical device getting a phone call threatening to shut their thing off unless they make an extortion payment. While I think most of these are air gapped at the moment, it's inevitable that they will become more interconnected, especially as a means of delivering diagnostic information (aka "heartbeats", heh), at which point it will be possible to run exploits against them. Even if a person's devices aren't experiencing a legit attack, I can also see plenty of people being scared into coughing up dough because they won't know any better.

    1. Re:New Level of Ransomware by citizenklaw · · Score: 2

      Go watch the Almost Human episode "Arrythmia". Now.

      --
      the future is but past forgotten
    2. Re: New Level of Ransomware by peragrin · · Score: 1

      Better go watch repo men.

      That is true ransom ware.

      --
      i thought once I was found, but it was only a dream.
    3. Re:New Level of Ransomware by Ambassador+Kosh · · Score: 2

      What is already happening is these devices are getting hard coded safety envelopes. You would be able to give them commands within that envelope but that would be it. It is not a problem the medical device companies thought they would have to deal with, but they seem to be working on the problem pretty efficiently. So you could tell the heart to speed up a little or slow down a little but there would be hard coded controls so that you could not make it stop, run too fast, run too slow, run for very long at an altered setting etc. Insulin pumps etc are doing the same thing.

      This is a problem that is taking care of itself fairly quickly. There will not be many vulnerable devices and those will be replaced fairly quickly.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
    4. Re:New Level of Ransomware by Anonymous Coward · · Score: 0

      These devices (Medtronic insulin pumps at least) do communicate wirelessly. Plug the dongle into your USB and presto! Your (anyone's) pump is on the internet.

    5. Re: New Level of Ransomware by tysonedwards · · Score: 1

      However, in the case of pacemakers it is very possible to cause a bigeminy, trigeminy, or other form of sinus arrhythmia that untreated could ultimately lead to damage of the heart muscle, even for a device operating within its safety limits. Even just oscillating the gain on the sensing leads could trigger automated defibrillation on devices with the capability (less common).

      --
      Thirty four characters live here.
    6. Re:New Level of Ransomware by swb · · Score: 1

      Similar to "Repo Men".

      http://www.imdb.com/title/tt10...

    7. Re:New Level of Ransomware by Tablizer · · Score: 2

      There was concern shortly after 9/11 that terrorist hackers could shut down Dick Cheney's pacemaker using a proximate signal. He's rumored to have had surgery to turn off the remote command feature.

      http://abcnews.go.com/Health/d...

    8. Re:New Level of Ransomware by interkin3tic · · Score: 1

      I suspect that hospitals would be loath to put in artificial parts which someone else could remotely service or diagnose, even without any chance of what you suggest.

      Doesn't mean it's impossible of course, just that it seems right at this moment like a remote concern.

    9. Re: New Level of Ransomware by Ambassador+Kosh · · Score: 1

      Wouldn't one of the limits be on the oscillations allowed? Even when designing process controllers for industry for chemical reactors there are limits like that. There should be no input to these devices you can give which would endanger the patient.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
    10. Re:New Level of Ransomware by Anonymous Coward · · Score: 0

      Until the NSA, CIA, TSA or BoA pays them to install a few backdoors and "accidentally a few old people" on TV the next time people start pointing out they're as useless as they are worthless porkbarrels.

    11. Re: New Level of Ransomware by Anonymous Coward · · Score: 0

      What keeps one person alive can easily kill another. The hardware has to have these capabilities, so it's simply a matter of breaking through any locks, if any, on the programming.

    12. Re:New Level of Ransomware by innocent_white_lamb · · Score: 1

      My wife's (Medtronic) pacemaker can be checked, logs read, and reprogrammed by hanging a device that's about the size and shape of a computer mouse on her chest. That device is connected to a computer that the cardiac technician sits in front of to do his thing.

      As far as I'm aware, the entire pacemaker is controlled by the technician's computer. There is no physical penetration required at all.

      --
      If you're a zombie and you know it, bite your friend!
  4. This is what you get.... by Lumpy · · Score: 5, Insightful

    When you think of IT as that annoying office of geeks you have to tolerate in the company.

    They are your first line of defense, when they ask for something you GIVE IT TO THEM.

    --
    Do not look at laser with remaining good eye.
    1. Re:This is what you get.... by Anonymous Coward · · Score: 1

      This is what you get when IT ACTS like annoying whining office jerks because they only explain things in completely condescending 100% tech speak ways to non techies, i.e. management.

      Management is your first source of funds. When they need it explained in their terms, EXPLAIN IT TO THEM.

    2. Re:This is what you get.... by Bite+The+Pillow · · Score: 2

      Do you buy Oracle hardware and licenses because it's what the DBA knows, or are your requirements satisfied by something less expensive?
      Do you need the RSA connection so admins can remote in, or is that something that should be airgapped?

      My point is that you have to either know or trust, and trust is expensive. So hire well and pay generously. Just throwing money at the problem doesn't mean it will be solved well, or at all. As such, it is too simplistic to be taken as advice.

    3. Re:This is what you get.... by Anonymous Coward · · Score: 0

      When people listen to statements like the above* and the thoughtless posturing that it proposes, it makes the life of the malicious individual/group easier by way of Social Engineering. Everyone should be a bit more thoughtful and cautious, myself included. I can't imagine any one of us claiming that we couldn't improve our security measures. Especially for those of us who are on "the front lines of defense." Just some food for thought.

      *
      "When you think of IT as that annoying office of geeks you have to tolerate in the company.

      They are your first line of defense, when they ask for something you GIVE IT TO THEM."

      ~Muri

    4. Re:This is what you get.... by Jawnn · · Score: 2

      This is what you get when IT ACTS like annoying whining office jerks because they only explain things in completely condescending 100% tech speak ways to non techies, i.e. management.

      Management is your first source of funds. When they need it explained in their terms, EXPLAIN IT TO THEM.

      Nooo.... This is what you get when people who don't understand IT, and who can't be bothered to listen to any explanations, describe their experience when IT tries to explain why it is important to [insert security best practice here]. Yes, there are dickheads in IT too, who are condescending, etc., but that can hardly explain the constantly uphill battle that IT fights when trying to justify this expense or that policy.

    5. Re:This is what you get.... by Anonymous Coward · · Score: 0

      BS. The real source of funds is the paying customers. Management is a cost center.

    6. Re:This is what you get.... by Darinbob · · Score: 1

      It's scary that they're the line of defense, when they can't even find out what the problem is with the computer on the desk or figure out why the network slowed down, and everyone on the staff who does work is in their twenties and all managers are in their forties, and mentioning any topic not included in a Microsoft certification course causes blank stares.

      I have definitely been places where the R&D team know more about security than the IT team, which is ok when creating the security on the devices themselves, but leaves you open to having the designs stolen.

    7. Re:This is what you get.... by Anonymous Coward · · Score: 0

      But if the solution isn't SharePoint then IT will probably reject it.

    8. Re:This is what you get.... by Anonymous Coward · · Score: 0

      management is also your first source for uneducated morons who think they actually know what they are doing.

    9. Re:This is what you get.... by Lumpy · · Score: 1

      only if your IT is staffed with "geek squad" level of MCSE bottom barrel people.

      Most competent IT departments hate that Sharepoint crap with a passion, it goes hand in hand with how worthless Exchange is.

      --
      Do not look at laser with remaining good eye.
    10. Re:This is what you get.... by Lumpy · · Score: 1

      This is a fault of management.

      --
      Do not look at laser with remaining good eye.
  5. Penetrate... hehehe... by Anonymous Coward · · Score: 0

    Device... hehehe....

  6. The interesting thing about that is... by Anonymous Coward · · Score: 0

    The interesting thing about this is that when using Beta, the default view is to show everything. So, if you are using Beta, these trollish anti-beta things are perfectly visible, while if you are on Classic they just get filtered out with the rest of the trolls. So, if you really like Classic and hate Beta, the best thing you can do is try to post an anti-beta, pro-classic thread to leave the site as first post instead of Frosty Piss or whatever. That way, if any advertisers to whom Dice is trying to market its new shiny actually check out the site, they will see the user dissatisfaction with the design immediately. Then, in subsequent threads we can go on having our usual geeky conversations in Classic.

  7. Internet of Things by JCHerbsleb · · Score: 3, Informative

    Welcome to the Internet of Things. Now, IT Security is not simply a venue to stop embarrassment (website defacements), disruption (DDoS), and exposure (SQLi), but potentially a life and death issue. Disruption of a pacemaker, insulin pump, etc. can have a very real impact. Perhaps a modern day "Pinto" incident will change the view of IT Security from an expense item to a necessary partner.

    1. Re:Internet of Things by eam · · Score: 1

      I haven't re-read the article to see if I've missed something, but it seemed more about corporate espionage than causing heart attacks. Seems like the perpetrators were looking for a quick and easy path to the top of the medical device manufacturing food chain.

      Would it be morally wrong to set up a honeypot loaded with subtly but fatally flawed designs such that the manufacturer stealing said designs would be destroyed by the resulting lawsuits from their customers and/or victims?

    2. Re:Internet of Things by Anonymous Coward · · Score: 0

      And the NSA's employees will have the keys to the kingdom.

    3. Re:Internet of Things by Darinbob · · Score: 1

      The hacking here is to the corporate computers, not hacking into the devices themselves. Now granted those devices may not be secure in some cases, but that is a different story. The danger is in stealing designs. However if the devices rely on security through obscurity then stealing the designs can allow compromising the devices also. Worse, if someone is dumb enough to store signing certificates on a corporate computer.

  8. have been to hospitals with receptionists with web by Anonymous Coward · · Score: 1

    with web/Internet access on the same computer they used for admission and they were using Microsoft's Internet Explorer. Same thing for a CPA and her entire office while handling taxes for corps and individuals. So it should be no surprise to hear medical companies have been hacked into. Security is something others with important information do.

  9. Important information omitted: by Anonymous Coward · · Score: 1, Funny

    Did they get the IP address and password to Dick Cheney's implants? That's what we all want to know.

    1. Re:Important information omitted: by Tablizer · · Score: 1

      The password is deficitsdontmatter

    2. Re:Important information omitted: by cold+fjord · · Score: 0

      It doesn't matter. It is "well known" that Dick Cheney has no heart, much like Hillary Clinton has no soul.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  10. Unofficial Repo man .... by Anonymous Coward · · Score: 0

    Please deposit $50,000 in order to avoid us terminating your pacemaker!

  11. INFOSEC in medicine is a joke by hsmith · · Score: 1

    Medical devices are huge threats. "Hey, let's slap WiFi on this heart rate monitor and give it to a hospital" - how about an insulin pump?

    Recall the story of using bluetooth to kill someone with a pacemaker?

    Simple fact is people have no idea what they are doing security wise and are designing this stuff to be web enabled.

  12. The Explant After Market by Anonymous Coward · · Score: 0

    If you lived in a country that could only obtain/afford explants, i.e. 'slightly used' medical devices, wouldn't you consider hacking a device manufacturer?

    This is one space where the morality of all participants is easily questioned.

  13. Re:have been to hospitals with receptionists with by DarwinSurvivor · · Score: 1

    When I was in the hospital last year I noticed that the heart monitor (with built in defib) had bluetooth. I don't think I want something hooked up to me that has both A) the ability to deliver massive amounts of electricity to my chest and B) bluetooth.

  14. the medical device tax by Anonymous Coward · · Score: 0

    "The medical device makers were not aware of the intrusions until federal authorities contacted them"

    Clearly it's time to repeal the remaining part of the medical device tax.
    Because it's always time to repeal the last bit left of the medical device tax.
    What possible benefit comes to medical device makers for paying taxes, anyhow?

    1. Re:the medical device tax by NapalmV · · Score: 1

      I can take the Beta, but a direct feed from Fox News is a little bit too much....

  15. IP theft yes, medical records no by Anonymous Coward · · Score: 0

    Having worked in R&D for a medical device manufacturer for many years I can honestly say that any patient data on the manufacturer's network would be anonymous study data. So attackers could get significant amounts of intellectual property from such a breach, but to get access to patient data they would have to design an attack based on that IP and then target health care provider networks. Given how easily medical devices can be reverse engineered it seems like a waste of time to perpetrate a two-pronged attack to obtain patient data.

  16. Wireless programming is common in implanted electr by Anonymous Coward · · Score: 1

    Pacemakers and defibrillators can be reprogrammed wirelessly by physicians. The more sophisticated ones (usually defibrillators) often have a patient unit, which can be kept at home, and can query the device and send telemetry back to the physician over the internet. This can reduce the need to travel to the hospital for routine examinations.

    In general, there is no real authentication performed between the wireless programmer and the implanted device, other than a check of the serial number. The channel is rarely encrypted, so anyone who can procure a programmer could use it (possibly with some form of power amplifier/antenna combo) to reprogram a device from a distance.

    There are limits to what can be programmed, and there are hardware limiters in the circuits which will inhibit outputs that are out of range, even in the event that software limits fail. However, pacemaker/drug prescriptions do need a degree of care, and the hardware limits generally won't be sufficient to prevent harm from an incorrect prescription.

    It's a challenging attack, but certainly not infeasible.
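The two layers the thread describes (the hard-coded safety envelope from the "New Level of Ransomware" replies, and the serial-number-only programmer check with hardware limiters described in this post) can be modelled in a few dozen lines. The following is an added example written for this mirror, not code from the thread or from any device vendor: it contrasts a serial-only acceptance check with an HMAC-authenticated, replay-protected programming command, and then applies a rate envelope, a per-command step limit, a minimum interval between changes and an automatic revert after too long at an altered setting. The wire format, the per-device key, the device serial, the rate limits and the timing constants are all constructed for illustration and are not real device parameters.

```python
"""Model of an implant's programming-command checks (added example, not vendor code).

Layer 1: authentication of the programmer (HMAC-SHA256 over the command with a
         per-device key, plus a monotonic counter against replay).
Layer 2: a hard-coded safety envelope applied to every accepted command.
All constants below are assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical envelope (not real clinical limits).
BASELINE_BPM = 70
RATE_MIN_BPM = 40
RATE_MAX_BPM = 180
MAX_STEP_BPM = 20            # largest change one command may request
MIN_SECONDS_BETWEEN = 60     # floor on how often the rate may be changed
MAX_ALTERED_SECONDS = 3600   # longest stay at a non-baseline rate before revert

# Constructed wire format: serial(4) | counter(4) | rate(2) | tag(32)
HEADER = struct.Struct(">IIH")
TAG_LEN = 32


@dataclass
class DeviceState:
    serial: int
    key: bytes                       # per-device secret shared with the clinic programmer
    counter: int = 0                 # last accepted command counter
    rate_bpm: int = BASELINE_BPM
    altered_since: Optional[float] = None
    last_change_at: float = -1e9


def build_command(serial: int, key: bytes, counter: int, rate_bpm: int) -> bytes:
    """What a legitimate programmer sends: header plus HMAC tag."""
    header = HEADER.pack(serial, counter, rate_bpm)
    return header + hmac.new(key, header, hashlib.sha256).digest()


def legacy_accepts(dev: DeviceState, msg: bytes) -> bool:
    """The serial-number-only check the post describes: any message carrying the serial passes."""
    serial, _, _ = HEADER.unpack(msg[:HEADER.size])
    return serial == dev.serial


def authenticate(dev: DeviceState, msg: bytes) -> Optional[int]:
    """HMAC plus monotonic counter: returns the requested rate, or None on forgery/replay."""
    if len(msg) != HEADER.size + TAG_LEN:
        return None
    header, tag = msg[:HEADER.size], msg[HEADER.size:]
    serial, counter, rate = HEADER.unpack(header)
    if serial != dev.serial:
        return None
    expected = hmac.new(dev.key, header, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if counter <= dev.counter:
        return None                  # replayed or stale command
    dev.counter = counter
    return rate


def check_envelope(dev: DeviceState, rate: int, now: float) -> Optional[str]:
    """Hard-coded limits; returns a rejection reason or None if the command is within the envelope."""
    if not RATE_MIN_BPM <= rate <= RATE_MAX_BPM:
        return "rate outside envelope"
    if abs(rate - dev.rate_bpm) > MAX_STEP_BPM:
        return "step too large"
    if now - dev.last_change_at < MIN_SECONDS_BETWEEN:
        return "too soon after last change"
    return None


def tick(dev: DeviceState, now: float) -> int:
    """Periodic device housekeeping: fall back to baseline after too long at an altered rate."""
    if dev.altered_since is not None and now - dev.altered_since > MAX_ALTERED_SECONDS:
        dev.rate_bpm = BASELINE_BPM
        dev.altered_since = None
    return dev.rate_bpm


def process(dev: DeviceState, msg: bytes, now: float) -> str:
    """Full path for one programming command: authenticate, then enforce the envelope."""
    rate = authenticate(dev, msg)
    if rate is None:
        return "rejected: authentication"
    reason = check_envelope(dev, rate, now)
    if reason:
        return f"rejected: {reason}"
    dev.rate_bpm = rate
    dev.last_change_at = now
    if rate == BASELINE_BPM:
        dev.altered_since = None
    elif dev.altered_since is None:
        dev.altered_since = now      # clock starts at the first departure from baseline
    return f"accepted: {rate} bpm"


def demo() -> List[object]:
    """Constructed scenario: one valid command, a replay, a serial-only forgery, an oversized step, a revert."""
    dev = DeviceState(serial=0x1234, key=b"constructed-per-device-key")
    out: List[object] = []
    good = build_command(dev.serial, dev.key, counter=1, rate_bpm=85)
    out.append(process(dev, good, now=0))            # accepted: 85 bpm
    out.append(process(dev, good, now=100))          # same bytes again: replay rejected
    forged = HEADER.pack(dev.serial, 2, 30) + bytes(TAG_LEN)
    out.append(legacy_accepts(dev, forged))          # True: serial check alone is satisfied
    out.append(process(dev, forged, now=200))        # rejected: bad tag
    big_step = build_command(dev.serial, dev.key, counter=3, rate_bpm=150)
    out.append(process(dev, big_step, now=300))      # rejected: 85 -> 150 exceeds MAX_STEP_BPM
    out.append(tick(dev, now=5000))                  # altered since t=0, > 3600 s: back to 70
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The forged message shows the gap the post points out: a check that only compares the serial number is satisfied by any message that carries it, while the HMAC check fails and the counter prevents a captured valid command from being replayed later. The envelope checks run only after authentication, and the periodic `tick` gives the device a fallback that does not depend on the programmer at all, which is the "cannot run for very long at an altered setting" property the earlier reply describes.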

  17. Which Country? by Anonymous Coward · · Score: 0

    We don't all live in a country that assumes nowhere else exists.

  18. Dick Cheney's heart is secured. by Valdrax · · Score: 1

    Oddly enough, for the very fear of this, Dick Cheney had wifi access to his pacemaker disabled.
    His heart is closed to attackers. Just like it is to empathy and humanity.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  19. DERP INFORMATIVE by Anonymous Coward · · Score: 0

    yes, im soooo scared, how about we give up more liberties so we aren't more scared about this?

    im soooo scared, life or death, ooooo im scareddd

  20. Noooooooooo by Anonymous Coward · · Score: 0

    Kill first!

  21. Colonoscopy by NapalmV · · Score: 1

    And soon some medical devices will be penetrating the hackers.

  22. Re:have been to hospitals with receptionists with by Darinbob · · Score: 1

    What, you don't think the doctor should be using wireless stethoscopes?

  23. Re:have been to hospitals with receptionists with by DarwinSurvivor · · Score: 1

    No problem, as long as they don't also give it the ability to send massive amounts of electricity into my heart.

  24. Lumpy how'd "eating your words" taste? by Anonymous Coward · · Score: 0

    ROTFLMAO @ "Chumpy" -> http://yro.slashdot.org/commen...

    (You sure "talk a good game" -> http://games.slashdot.org/comm... but you can't even produce a MERE SCRIPT!, windbag...)

    You aren't even on the level of a "script kiddie", & full of HOT AIR!

    You certainly won't reply there in that 2nd link I posted either, as that would remove your downmods to my posts like this one you can't validly disprove or justify your downmod on -> http://games.slashdot.org/comm...

    Oh, I suspect that IS the case here (simply logging out of a registered account & trolling by ac is a common troll trick around here OR using alternate registered 'luser' accounts sockpuppets to do the job will also, & Lumpy is LOADED with those & trolling - which doesn't matter: He PROVES he's all talk, no action (or skills, OR brains, lol))

    (You're all TALK, & NO action "CHUMPY!)

    * :)

    (You know it, I know it, & so does anyone reading AND laughing their asses off @ you now... lol!)

    APK

    P.S.=> Answer the question in the subject-line Lumpy - since you had to "eat your words" in the 1st link above flavored with your FOOT IN YOUR MOUTH + the "bitter taste of SELF-defeat", lol...

    ... apk

  26. Lumpy how'd "eating your words" taste? by Anonymous Coward · · Score: 0

    Don't talk moron: ROTFLMAO @ "Chumpy" -> http://yro.slashdot.org/commen...

    (You sure "talk a good game" -> http://games.slashdot.org/comm... but you can't even produce a MERE SCRIPT!, windbag...)

    You aren't even on the level of a "script kiddie", & full of HOT AIR!

    You certainly won't reply there in that 2nd link I posted either, as that would remove your downmods to my posts like this one you can't validly disprove or justify your downmod on -> http://games.slashdot.org/comm...

    Oh, I suspect that IS the case here (simply logging out of a registered account & trolling by ac is a common troll trick around here OR using alternate registered 'luser' accounts sockpuppets to do the job will also, & Lumpy is LOADED with those & trolling - which doesn't matter: He PROVES he's all talk, no action (or skills, OR brains, lol))

    (You're all TALK, & NO action "CHUMPY!)

    * :)

    (You know it, I know it, & so does anyone reading AND laughing their asses off @ you now... lol!)

    APK

    P.S.=> Answer the question in the subject-line Lumpy - since you had to "eat your words" in the 1st link above flavored with your FOOT IN YOUR MOUTH + the "bitter taste of SELF-defeat", lol...

    ... apk