Slashdot Mirror


'Fatal' Flaws Found in Medical Implant Software (bbc.com)

Security researchers have warned of flaws in medical implants in what they say could have fatal consequences. The flaws were found in the radio-based communications used to update implants, including pacemakers, and read data from them. From a BBC report: By exploiting the flaws, the researchers were able to adjust settings and even switch off gadgets. The attacks were also able to steal confidential data about patients and their health history. A software patch has been created to help thwart any real-world attacks. The flaws were found by an international team of security researchers based at the University of Leuven in Belgium and the University of Birmingham.

38 comments

  1. Dick Cheney disabled his wireless pacemaker by Anonymous Coward · · Score: 1
    1. Re: Dick Cheney disabled his wireless pacemaker by Anonymous Coward · · Score: 0

      democrazy and capitalism made killing and hacking a mainstream, only problem is political correctness.

      If you plan on killing something - do it to an H1B occupant, save your civilization

  2. Only fatal if it kills someone by Anonymous Coward · · Score: 2, Interesting

    and it hasn't done that yet. The medical profession kills a million a year who would otherwise not have died if they'd have stayed away from a hospital.

    1. Re: Only fatal if it kills someone by Anonymous Coward · · Score: 1, Funny

      Obamacare made killing so much easier

    2. Re:Only fatal if it kills someone by bobbied · · Score: 2

      and it hasn't done that yet. The medical profession kills a million a year who would otherwise not have died if they'd have stayed away from a hospital.

      And they save hundreds of millions from death too... Not to mention the increased quality of life that comes with proper medical care.... But hey, let's not quibble about the little stuff..

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Only fatal if it kills someone by Bing Tsher E · · Score: 1

      Also, in most instances if you get close enough for the telemetry to cause the device to kill the person it is implanted in, you could have used a handgun. Or a knife, for that matter.

    4. Re:Only fatal if it kills someone by TWX · · Score: 3, Interesting

      Isn't this one of those false-equivalency things?

      The point is that the software to run these medical devices is designed with a model where everyone is good and no one wants to do anything nefarious. We've learned with basically every system that has ever existed that people will attempt to manipulate it if they can. That no one has done it yet just means that no one has bothered getting around to doing it yet.

      Someone else in this discussion pointed out that Dick Cheney has a pacemaker and that it might have been accidentally shut off by his doctor at one point. If enemies of the United States figured out that he had this particular pacemaker then they could have looked for ways to intentionally make changes to it, either shutting it off or else attempting to change it to where it causes harm instead of helping. If it's wireless then those town halls, fundraising dinners, or any of a large number of other events where Cheney would routinely come into contact with the public would have offered an opportunity to attempt this, and it's very unlikely that medical professionals would have immediately leaped to the conclusion that the pacemaker was malfunctioning.

      Carry this further. A lot of older people have pacemakers. Those who stand to inherit might want to tamper with said pacemaker in order to inherit.

      The applications for this exploit already exist. I'm sure there are more than I've described. Right now this vulnerability remains unexploited (as far as we're aware) only through obscurity.

      --
      Do not look into laser with remaining eye.
    5. Re:Only fatal if it kills someone by JoeMerchant · · Score: 1

      The medical profession also kills millions a year via medical mistakes, mostly unrelated to software.

      They help more than they hurt, by a wide margin, but it's like investing in the stock market: past performance is no guarantee of future returns, positive returns are NOT guaranteed.

    6. Re:Only fatal if it kills someone by JoeMerchant · · Score: 1

      Most implant telemetry is very limited range - it's far easier to kill someone by any number of more common methods, and probably easier to get away with it via the more common methods, too.

    7. Re:Only fatal if it kills someone by Gonarat · · Score: 1

      It depends. If the device uses Bluetooth, then the proprietary commands could be reverse engineered and an app be put together. Imagine sitting next to someone while changing settings on their pacemaker. You get up and leave, and five minutes later the person dies. The chances of someone putting 2 and 2 together are slim, and even if they remembered you, you're just another guy on his smartphone. If the device uses a proprietary communications protocol on another part of the radio spectrum, then a transceiver box would be needed to access the medical device. Such a box can be built, but it would be more noticeable and would require someone with specialized knowledge. Then, common methods would be cheaper and easier to use.

      --
      Beware of Sleestak
    8. Re:Only fatal if it kills someone by demonlapin · · Score: 1

      Generally speaking, devices like pacemakers run on very low power. The only way to interrogate or change their settings is to set the probe directly over the device. I'm not saying they have good security, but you're not going to do it without their noticing.

    9. Re:Only fatal if it kills someone by sjames · · Score: 2

      Sure, but the cops are a lot more likely to believe the guy just dropped dead as you walked past if witnesses aren't saying they saw you shoot or stab him.

    10. Re:Only fatal if it kills someone by JoeMerchant · · Score: 1

      Implants don't use Bluetooth - though some of their external accessories do.

    11. Re:Only fatal if it kills someone by JoeMerchant · · Score: 1

      The old school ones communicated via air-core transformers, like wireless toothbrush chargers. There is a newer generation of higher frequency communications, but it's still very range limited - it's quite hard to transmit out of a meat-bag.

    12. Re:Only fatal if it kills someone by Anonymous Coward · · Score: 0

      "Could have fatal consequences" does not mean the same thing as "fatal", it means "potentially fatal". Something can be potentially fatal before someone actually dies, even if nobody ends up dying from it.

      And about your medical claims, may I suggest you read something like this? It's rather long, but toward the end you will find this:

      But it’s even more than that. As I mentioned above, According to the CDC, of the 2.6 million deaths that occur every year in the U.S., 715,000 occur in hospitals, which means that, if Makary’s estimates are correct, 35% of all hospital deaths are due to medical errors. But it’s worse than that. Remember that the upper estimate used by Makary and Daniels is 400,000 inpatient deaths due to medical error. That’s 56%—yes, 56%—of all inpatient deaths? Seriously? It’s just not anywhere near plausible that one-third to over one-half of all inpatient deaths in the US are due to medical error.

      On its face, such a claim is very hard to believe, especially if you consider that, of those who died in a hospital, 75% were age 65 and over, and 27% were age 85 and over. That’s a lot of people prone to dying because they are old and ill, regardless of how good their care was. Add to that the fact that between 2000 and 2010, hospital deaths decreased 8% even though the number of hospitalizations increased 11%, and Makary’s numbers become less and less credible.

      0.715 million people per year die in hospital, but not all those deaths are medical errors, people tend to end up in hospitals when they have serious health problems. Not being able to save a life is not automatically a medical error.

    13. Re:Only fatal if it kills someone by Anonymous Coward · · Score: 0

      Of course a criminal looking to murder someone may not care about increasing the transmission power of his system above the legal limit. I think this crime would be quite minor compared to murdering someone.

    14. Re:Only fatal if it kills someone by Anonymous Coward · · Score: 0

      The term fatal flaw is an acceptable phrase for glitches and vulnerabilities that make a product useless.
      The headline's uncanny use of that phrase for a life-saving medical device is an unfortunate pun.

      In reality, fatal flaws can be applied to anything, (chess games, financial techniques, and conversational approaches), it's the 'thing' that 'ruins' an intended purpose.

  3. Oh noes!!! by NoNonAlphaCharsHere · · Score: 1

    So you're saying the firmware embedded in the devices to allow the operational parameters to be changed allows the operational parameters to be changed?

    1. Re:Oh noes!!! by JoeMerchant · · Score: 2

      No, what they're really saying is that the firmware is updateable, which means that a determined attacker could push an update to a victim while they sleep with any kind of malicious functionality they choose. Muahahahaha. But, seriously, why bother?

  4. Asking for a friend by ThatsNotPudding · · Score: 1

    Anyone have a map to Wyoming?

    1. Re:Asking for a friend by bobbied · · Score: 1

      Anyone have a map to Wyoming?

      Well.. (humming).. I know "the way to Santa Fe" if that helps, Wyoming is just north north east from there...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  5. How can you tell if your device has been hacked? by mmell · · Score: 2

    The "Blue Scream of Death" would be the first hint.

  6. Remember when microwaves by ArhcAngel · · Score: 1

    Early pacemakers were "programmed" by magnetic pulses from a wire coiled wand. They could get reset to default by getting too close to any magnetic signal.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  7. Close Proximity needed by Anonymous Coward · · Score: 0

    You need to be in close proximity to the person with the implanted device. Poisoning the person is probably more simple and effective. I see both having equal difficulty in catching the assailant.

    1. Re: Close Proximity needed by Anonymous Coward · · Score: 0

      Similar claims here:
      http://medsec.com/stj_expert_witness_report.pdf

      estimate that with modification of the RF hardware of the device programming tool you could establish communication from ~300ft.

      Starting on page 15.

      We just need more neon everywhere along with endless rainy nights and our transformation into cyberpunk dystopia will be complete.

    2. Re: Close Proximity needed by Anonymous Coward · · Score: 0

      My mistake, less than that. ~300 ft seems to be only to connect with and 'wake up' the device for programming. The actual programming / attack / bidirectional comms would happen on a different freq which would require closer proximity. But still enough that it could be done without someone being aware.

  8. Go figure by Anonymous Coward · · Score: 0

    Go figure - outsource development to Pajeets that shit out in the road and you end up with crappy software.

    1. Re: Go figure by Anonymous Coward · · Score: 0

      Ayup- In much of the world people are too lazy to dig a long drop toilet, yet they want a 'Western' standard of living while they are too stupid to realize they wont get ahead without doing the basics first.

  9. Medsec & Muddy Waters vs. St Jude pacemakers by Anonymous Coward · · Score: 2, Interesting

    Medsec partners with short-selling specialists Muddy Waters LLC. Go public with claims of serious vulns in St Jude pacemakers, implanted defibrillators and remote programming tool. St Jude takes them to court.

    Interesting situation ethically with the short selling & with respect to the whole responsible disclosure vs public disclosure debate

    https://www.bloomberg.com/news/articles/2016-10-24/muddy-waters-fights-st-jude-lawsuit-over-pacemaker-reports

    Technical details of vulns here (with redactions):
    http://medsec.com/stj_expert_witness_report.pdf

  10. Flaws? That's one way of putting it... by bradley13 · · Score: 3, Interesting

    "The team reverse-engineered the proprietary wireless signalling systems used by the implants which revealed flaws in the way data was broadcast."

    From this sentence alone, it is entirely obvious: The signals are not encrypted; there is no security to hack. These aren't flaws at all - they are design decisions. The manufacturers have some command protocol that they developed and use; while this may not be publicly documented, it is hardly secret: monitor the signals used, and you can figure it out. This doesn't take a "security researcher", all it takes is a kid with the right radio kit.

    People then rush to ask: Why do these devices not secure their signals? It may be that they never thought about it. However, the answer may also be that they want an open interface. Consider: you have a pacemaker and suddenly have a heart problem, and you are taken to the nearest hospital. With a secure interface, how does that hospital get the private key required to talk to your pacemaker? Which is the lesser risk to the patient's health: leaving the interface open, or securing it?

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Flaws? That's one way of putting it... by rlumpy · · Score: 1

      My new Biotronik pacemaker appears to have security protocols installed. A programming session is started by pairing the programmer and the pacemaker with a wand that requires 10cm proximity (this provides the security key). The RF communications can then take place up to 3 meters away utilizing a proprietary communication protocol. They claim that the communication is "security protected by state-of-the-art measures," according to the technical manual.

    2. Re:Flaws? That's one way of putting it... by Ihlosi · · Score: 1

      A programming session is started by pairing the programmer and the pacemaker with a wand that requires 10cm proximity (this provides the security key).

      How is the distance verified? Is it merely a matter of signal strength, or do they actually measure response times and signal trip times?

      If signal strength is the only criterion, all an attacker needs is a powerful transmitter and a sensitive receiver.

    3. Re:Flaws? That's one way of putting it... by Ihlosi · · Score: 1

      Indeed. How many locks do you want to see on an emergency exit or a fire extinguisher?

      Another thing to consider is battery life. Changing the pacemaker requires cutting holes in the patient, which poses a small, but (over a large number of procedures) real risk (anesthesia, infection, etc).

    4. Re:Flaws? That's one way of putting it... by Drethon · · Score: 1

      "The team reverse-engineered the proprietary wireless signalling systems used by the implants which revealed flaws in the way data was broadcast."

      From this sentence alone, it is entirely obvious: The signals are not encrypted; there is no security to hack. These aren't flaws at all - they are design decisions. The manufacturers have some command protocol that they developed and use; while this may not be publicly documented, it is hardly secret: monitor the signals used, and you can figure it out. This doesn't take a "security researcher", all it takes is a kid with the right radio kit.

      People then rush to ask: Why do these devices not secure their signals? It may be that they never thought about it. However, the answer may also be that they want an open interface. Consider: you have a pacemaker and suddenly have a heart problem, and you are taken to the nearest hospital. With a secure interface, how does that hospital get the private key required to talk to your pacemaker? Which is the lesser risk to the patient's health: leaving the interface open, or securing it?

      Not to mention the decision on risk is not decided by the manufacturer but by the FDA (I think that is the right group, I know much of the general details having worked in the field but never worked directly with certification). I believe they tend to focus more on immediate risk to the patient and a secure interface seems like a more immediate and dire risk to the patient in a time of crisis, as you mention, as compared to the lower likelihood of someone trying to hack that specific device.

    5. Re:Flaws? That's one way of putting it... by Anonymous Coward · · Score: 0

      The distance is verified by physics. It uses inductive coupling. This provides inherently low distance. That can't be overcome with better antenna or better signal strength. The signal strength decreases with r^4 as opposed to r^2 with electromagnetic coupling.

  11. More of a critical fault, really. by bheerssen · · Score: 1

    If the compromised devices still function, even in a reduced capacity, is it really a fatal flaw?

    --
    (Score: -1, Stupid)
  12. Fatal Flaws are correct by Anonymous Coward · · Score: 0

    I spent my career in the medical device industry, and can tell you that there is NOT ONE DEVICE made in the U.S. that can prevent a 12-year-old from getting all device data, and even the ability to control or disable the device.

    The lab information systems (software) that connect medical devices are just as bad.

    There are no 'whistleblowers' in the medical industry because you are told from day 1 that if you do not go with the program you are fired.

    You would not believe the vowel-movements that medical C-level execs make about patient data and security. They are not centered in reality, and believe that nothing will ever happen to them.

  13. Reminds me of Therac-25 by Anonymous Coward · · Score: 0

    I guess everyone forgot about the first case of this (where software killed patients):

    https://en.wikipedia.org/wiki/Therac-25

    The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982 after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France).

    It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation.[1]:425 Because of concurrent programming errors, it sometimes gave its patients radiation doses that were hundreds of times greater than normal, resulting in death or serious injury.[2] These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics and software engineering. Additionally the overconfidence of the engineers[1]:428 and lack of proper due diligence to resolve reported software bugs, is highlighted as an extreme case where the engineer's overconfidence in his or her initial work and failure to believe the end users' claims caused drastic repercussions.