Slashdot Mirror


Hackers Penetrate Top Medical Device Makers

An anonymous reader writes "Hackers have penetrated the computer networks of the country's top medical device makers, The Chronicle has learned. The attacks struck Medtronic, the world's largest medical device maker, Boston Scientific and St. Jude Medical sometime during the first half of 2013 and might have lasted as long as several months, according to a source close to the companies."

42 of 76 comments

  1. Response by DoofusOfDeath · · Score: 1, Insightful

    When I hear about stuff like this, I'm ashamed of the savage thoughts and desires I feel towards the perpetrators.

    1. Re: Response by DoofusOfDeath · · Score: 5, Funny

      When I hear about stuff like this, I'm ashamed of the savage thoughts and desires I feel towards the perpetrators.

      Do you want to lick them?

      No, I want to make them use Slashdot Beta.

    2. Re: Response by amalcolm · · Score: 1, Troll

      You sir are a twat. And a troll.

      --
      Time for bed, said Zebedee - boing
    3. Re: Response by Anonymous Coward · · Score: 1

      You sir are a twat. And a troll.

      The blacks who marched for civil rights would be completely ashamed at the thug gangstas populating every city today. How could there be a more complete rejection of what they stood for?

  2. Take what they can get by cold+fjord · · Score: 4, Interesting

    I imagine they'll take what they can get: IP, personal data, or just more computers to control.

    If it really is China as suggested in the article that could make sense. China's population is going to be aging, and medical devices would be handy for either internal use or for another technology to develop and market.

    This is interesting (FTA): "The medical device makers were not aware of the intrusions until federal authorities contacted them, and they have formed task forces to investigate the breach, he said."

    Who do you suppose noticed the breaches, and how?

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:Take what they can get by ebno-10db · · Score: 3, Funny

      Many of these device companies have network access/business agreements with healthcare providers around the nation.

      Hence the real reason that the federal government is concerned. They're afraid that the intruders will use that network access to reduce outstanding medical bills to reasonable levels.

    2. Re:Take what they can get by Anonymous Coward · · Score: 1

      Someone got bored hijacking your secure email at the NSA and decided to go trolling for medical device companies?

    3. Re:Take what they can get by Anonymous Coward · · Score: 1

      I worked for Siemens Medical on their Centaur XP device - based on stock Solaris 10, never patched, no real security enabled; their earlier model, still in the field, was based on Solaris 2.6, also not patched - and it was trivial to hack and exploit that machine. Brought it up with management more than once. Silence. As it is, I expect to see articles any day mentioning Siemens' shock and dismay that their flagship medical diagnostic device has been hacked. I just hope no one dies from it.

      -- green led

    4. Re:Take what they can get by tomhath · · Score: 1

      Could've been one of the many agencies they communicate with noticed probes coming from their systems: NIH, FDA, CMS, CDC, etc. But it was more likely an agency that's responsible for stopping espionage by other governments.

    5. Re:Take what they can get by Hal_Porter · · Score: 3, Funny

      Who do you suppose noticed the breaches, and how?

      If the machine next to your hospital bed displays a laughing skull and starts playing mod tunes whilst demanding you pay by credit card to an account in Russia to avoid being "pwned by l33tgr0up" that is likely not a good sign.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    6. Re:Take what they can get by Darinbob · · Score: 1

      China pirates a lot of devices. Russia too. Not necessarily state sanctioned but there is a huge market for cloned medical devices.

  3. New Level of Ransomware by Akratist · · Score: 3, Interesting

    Someone probably already wrote a sci-fi story along these lines, but I can easily see someone with an artificial heart, pacemaker, or some other medical device getting a phone call threatening to shut their thing off unless they make an extortion payment. While I think most of these are air gapped at the moment, it's inevitable that they will become more interconnected, especially as a means of delivering diagnostic information (aka "heartbeats", heh), at which point it will be possible to run exploits against them. Even if a person's devices aren't experiencing a legit attack, I can also see plenty of people being scared into coughing up dough because they won't know any better.

    1. Re:New Level of Ransomware by citizenklaw · · Score: 2

      Go watch the Almost Human episode "Arrhythmia". Now.

      --
      the future is but past forgotten
    2. Re: New Level of Ransomware by peragrin · · Score: 1

      Better go watch repo men.

      That is true ransomware.

      --
      i thought once I was found, but it was only a dream.
    3. Re:New Level of Ransomware by Ambassador+Kosh · · Score: 2

      What is already happening is these devices are getting hard-coded safety envelopes. You would be able to give them commands within that envelope, but that would be it. It is not a problem that the medical device companies thought they would have to deal with, but they seem to be working on the problem pretty efficiently. So you could tell the heart to speed up a little or slow down a little, but there would be hard-coded controls so that you could not make it stop, run too fast, run too slow, run for very long at an altered setting, etc. Insulin pumps etc. are doing the same thing.

      This is a problem that is taking care of itself fairly quickly. There will not be many vulnerable devices and those will be replaced fairly quickly.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
    4. Re: New Level of Ransomware by tysonedwards · · Score: 1

      However, in the case of pacemakers it is very possible to cause a bigeminy, trigeminy, or other form of sinus arrhythmia that untreated could ultimately lead to damage of the heart muscle, even for a device operating within its safety limits. Even just oscillating the gain on the sensing leads could trigger automated defibrillation on devices with the capability (less common).

      --
      Thirty four characters live here.
    5. Re:New Level of Ransomware by swb · · Score: 1

      Similar to "Repo Men".

      http://www.imdb.com/title/tt10...

    6. Re:New Level of Ransomware by Tablizer · · Score: 2

      There was concern shortly after 9/11 that terrorist hackers could shut down Dick Cheney's pacemaker using a proximate signal. He's rumored to have had surgery to turn off the remote command feature.

      http://abcnews.go.com/Health/d...

    7. Re:New Level of Ransomware by interkin3tic · · Score: 1

      I suspect that hospitals would be loath to put in artificial parts which someone else could remotely service or diagnose, even without any chance of what you suggest.

      Doesn't mean it's impossible of course, just that it seems right at this moment like a remote concern.

    8. Re: New Level of Ransomware by Ambassador+Kosh · · Score: 1

      Wouldn't one of the limits be on the oscillations allowed? Even when designing process controllers for industry for chemical reactors there are limits like that. There should be no input to these devices you can give which would endanger the patient.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
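The hard-coded safety envelope that Ambassador+Kosh describes in this reply and the earlier one, as an added illustration that is not code from any device maker and uses constructed limit values: an absolute floor and ceiling, a maximum step per command, a minimum spacing between commands so the setting cannot be oscillated, and a maximum time away from baseline before the device reverts on its own.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical pacing-rate envelope. All limits are constructed example values. */
#define BASE_BPM       70    /* baseline rate the device reverts to */
#define MIN_BPM        50    /* absolute floor: no command can go below this */
#define MAX_BPM        120   /* absolute ceiling: no command can go above this */
#define MAX_STEP_BPM   10    /* largest change a single command may make */
#define MAX_ALTERED_S  600   /* seconds allowed away from baseline before reverting */
#define MIN_CMD_GAP_S  30    /* minimum spacing between accepted commands */

typedef struct {
    int      rate_bpm;       /* currently applied rate */
    uint32_t altered_since;  /* when the rate left baseline (valid if rate != BASE_BPM) */
    uint32_t last_cmd_at;    /* time of the last accepted command */
    bool     have_cmd;       /* false until the first command is accepted */
} envelope_t;

void envelope_init(envelope_t *e)
{
    e->rate_bpm = BASE_BPM; e->altered_since = 0; e->last_cmd_at = 0; e->have_cmd = false;
}

/* Time limit: a setting held away from baseline for too long snaps back. */
static void envelope_tick(envelope_t *e, uint32_t now)
{
    if (e->rate_bpm != BASE_BPM && now - e->altered_since >= MAX_ALTERED_S)
        e->rate_bpm = BASE_BPM;
}

/* Apply a programmer's request and return the rate actually applied. Out-of-range
 * values are clamped, large jumps are limited to one step, and commands that
 * arrive too soon after the previous one are ignored so the rate cannot be
 * oscillated. `now` is a monotonic clock in seconds. */
int envelope_request(envelope_t *e, int requested_bpm, uint32_t now)
{
    envelope_tick(e, now);
    if (e->have_cmd && now - e->last_cmd_at < MIN_CMD_GAP_S)
        return e->rate_bpm;                        /* too soon: keep current rate */
    int target = requested_bpm;
    if (target < MIN_BPM) target = MIN_BPM;
    if (target > MAX_BPM) target = MAX_BPM;
    int delta = target - e->rate_bpm;
    if (delta >  MAX_STEP_BPM) delta =  MAX_STEP_BPM;
    if (delta < -MAX_STEP_BPM) delta = -MAX_STEP_BPM;
    bool was_base = (e->rate_bpm == BASE_BPM);
    e->rate_bpm += delta;
    if (was_base && e->rate_bpm != BASE_BPM) e->altered_since = now;
    e->last_cmd_at = now; e->have_cmd = true;
    return e->rate_bpm;
}
```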
    9. Re:New Level of Ransomware by innocent_white_lamb · · Score: 1

      My wife's (Medtronic) pacemaker can be checked, logs read, and reprogrammed by hanging a device that's about the size and shape of a computer mouse on her chest. That device is connected to a computer that the cardiac technician sits in front of to do his thing.

      As far as I'm aware, the entire pacemaker is controlled by the technician's computer. There is no physical penetration required at all.

      --
      If you're a zombie and you know it, bite your friend!
  4. This is what you get.... by Lumpy · · Score: 5, Insightful

    When you think of IT as that annoying office of geeks you have to tolerate in the company.

    They are your first line of defense, when they ask for something you GIVE IT TO THEM.

    --
    Do not look at laser with remaining good eye.
    1. Re:This is what you get.... by Anonymous Coward · · Score: 1

      This is what you get when IT ACTS like annoying whining office jerks because they only explain things in completely condescending 100% tech speak ways to non techies, i.e. management.

      Management is your first source of funds. When they need it explained in their terms, EXPLAIN IT TO THEM.

    2. Re:This is what you get.... by Bite+The+Pillow · · Score: 2

      Do you buy Oracle hardware and licenses because it's what the DBA knows, or are your requirements satisfied by something less expensive?
      Do you need the RSA connection so admins can remote in, or is that something that should be air-gapped?

      My point is that you have to either know or trust, and trust is expensive. So hire well and pay generously. Just throwing money at the problem doesn't mean it will be solved well, or at all. As such, it is too simplistic to be taken as advice.

    3. Re:This is what you get.... by Jawnn · · Score: 2

      This is what you get when IT ACTS like annoying whining office jerks because they only explain things in completely condescending 100% tech speak ways to non techies, i.e. management.

      Management is your first source of funds. When they need it explained in their terms, EXPLAIN IT TO THEM.

      Nooo.... This is what you get when people who don't understand IT, and who can't be bothered to listen to any explanations, describe their experience when IT tries to explain why it is important to [insert security best practice here]. Yes, there are dickheads in IT too, who are condescending, etc., but that can hardly explain the constantly uphill battle that IT fights when trying to justify this expense or that policy.

    4. Re:This is what you get.... by Darinbob · · Score: 1

      It's scary that they're the line of defense, when they can't even find out what the problem is with the computer on the desk or figure out why the network slowed down, and everyone on the staff who does work is in their twenties and all managers are in their forties, and mentioning any topic not included in a Microsoft certification course causes blank stares.

      I have definitely been places where the R&D team know more about security than the IT team, which is ok when creating the security on the devices themselves, but leaves you open to having the designs stolen.

    5. Re:This is what you get.... by Lumpy · · Score: 1

      only if your IT is staffed with "geek squad" level of MCSE bottom barrel people.

      Most competent IT departments hate that Sharepoint crap with a passion, it goes hand in hand with how worthless Exchange is.

      --
      Do not look at laser with remaining good eye.
    6. Re:This is what you get.... by Lumpy · · Score: 1

      This is a fault of management.

      --
      Do not look at laser with remaining good eye.
  5. Internet of Things by JCHerbsleb · · Score: 3, Informative

    Welcome to the Internet of Things. Now, IT Security is not simply a venue to stop embarrassment (website defacements), disruption (DDoS), and exposure (SQLi), but potentially a life and death issue. Disruption of a pacemaker, insulin pump, etc. can have a very real impact. Perhaps a modern day "Pinto" incident will change the view of IT Security from an expense item to a necessary partner.

    1. Re:Internet of Things by eam · · Score: 1

      I haven't re-read the article to see if I've missed something, but it seemed more about corporate espionage than causing heart attacks. Seems like the perpetrators were looking for a quick and easy path to the top of the medical device manufacturing food chain.

      Would it be morally wrong to set up a honeypot loaded with subtly but fatally flawed designs such that the manufacturer stealing said designs would be destroyed by the resulting lawsuits from their customers and/or victims?

    2. Re:Internet of Things by Darinbob · · Score: 1

      The hacking here is to the corporate computers, not hacking into the devices themselves. Now granted those devices may not be secure in some cases, but that is a different story. The danger is in stealing designs. However if the devices rely on security through obscurity then stealing the designs can allow compromising the devices also. Worse, if someone is dumb enough to store signing certificates on a corporate computer.

  6. have been to hospitals with receptionists with web by Anonymous Coward · · Score: 1

    with web/Internet access on the same computer they used for admission and they were using Microsoft's Internet Explorer. Same thing for a CPA and her entire office while handling taxes for corps and individuals. So it should be no surprise to hear medical companies have been hacked into. Security is something others with important information do.

  7. Important information omitted: by Anonymous Coward · · Score: 1, Funny

    Did they get the IP address and password to Dick Cheney's implants? That's what we all want to know.

    1. Re:Important information omitted: by Tablizer · · Score: 1

      The password is deficitsdontmatter

  8. INFOSEC in medicine is a joke by hsmith · · Score: 1

    Medical devices are huge threats. "Hey, let's slap WiFi on this heart rate monitor and give it to a hospital" - how about an insulin pump?

    Recall the story of using bluetooth to kill someone with a pacemaker?

    Simple fact is people have no idea what they are doing security wise and are designing this stuff to be web enabled.

  9. Re:have been to hospitals with receptionists with by DarwinSurvivor · · Score: 1

    When I was in the hospital last year I noticed that the heart monitor (with built in defib) had bluetooth. I don't think I want something hooked up to me that has both A) the ability to deliver massive amounts of electricity to my chest and B) bluetooth.

  10. Wireless programming is common in implanted electr by Anonymous Coward · · Score: 1

    Pacemakers and defibrillators can be reprogrammed wirelessly by physicians. The more sophisticated ones (usually defibrillators) often have a patient unit, which can be kept at home, and can query the device and send telemetry back to the physician over the internet. This can reduce the need to travel to the hospital for routine examinations.

    In general, there is no real authentication performed between the wireless programmer and the implanted device, other than a check of the serial number. The channel is rarely encrypted, so anyone who can procure a programmer could use it (possibly with some form of power amplifier/antenna combo) to reprogram a device from a distance.

    There are limits to what can be programmed, and there are hardware limiters in the circuits which will inhibit outputs that are out of range, even in the event that software limits fail. However, pacemaker/drug prescriptions do need a degree of care, and the hardware limits generally won't be sufficient to prevent harm from an incorrect prescription.

    It's a challenging attack, but certainly not infeasible.

  11. Dick Cheney's heart is secured. by Valdrax · · Score: 1

    Oddly enough, for the very fear of this, Dick Cheney had wifi access to his pacemaker disabled.
    His heart is closed to attackers. Just like it is to empathy and humanity.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  12. Colonoscopy by NapalmV · · Score: 1

    And soon some medical devices will be penetrating the hackers.

  13. Re:the medical device tax by NapalmV · · Score: 1

    I can take the Beta, but a direct feed from Fox News is a little bit too much....

  14. Re:have been to hospitals with receptionists with by Darinbob · · Score: 1

    What, you don't think the doctor should be using wireless stethoscopes?

  15. Re:have been to hospitals with receptionists with by DarwinSurvivor · · Score: 1

    No problem, as long as they don't also give it the ability to send massive amounts of electricity into my heart.