Slashdot Mirror


Implantable Cardiac Devices Could Be Vulnerable To Hackers, FDA Warns (vice.com)

The U.S. Food and Drug Administration warned on Monday that pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients' lives at risk, as hackers could remotely access the devices and change the heart rate, administer shocks, or quickly deplete the battery. Thankfully, St. Jude released a new software patch on the same day as the FDA warning to address these vulnerabilities. Motherboard reports: St. Jude Medical's implantable cardiac devices are put under the skin, in the upper chest area, and have insulated wires that go into the heart to help it beat properly, if it's too slow or too fast. They work together with the Merlin@home Transmitter, located in the patient's house, which sends the patient's data to their physician using the Merlin.net Patient Care Network. Hackers could have exploited the transmitter, the manufacturer confirmed. "[It] could (...) be used to modify programming commands to the implanted device," the FDA safety communication reads. In an emailed response to Motherboard, a St. Jude Medical representative noted that the company "has taken numerous measures to protect the security and safety of our devices," including the new patch, and the creation of a "cyber security medical advisory board." The company plans to implement additional updates in 2017, the email said. This warning comes a few days after Abbott Laboratories acquired St. Jude Medical, and four months after a group of experts at Miami-based cybersecurity company MedSec Holding published a paper explaining several vulnerabilities they found in St. Jude Medical's pacemakers and defibrillators. They made the announcement at the end of August 2016, together with investment house Muddy Waters Capital.

60 comments

  1. Do it Right the Next Time Muddy Waters by Anonymous Coward · · Score: 0

    Report a vulnerability to the US-CERT rather than try to make money off of it, douchebags.

  2. More than decade old news by dbIII · · Score: 1

    Well over a decade ago RSA was working with a cardiac device manufacturer to prevent the device being vulnerable to hackers.
    Apparently the device had a Z80 variant in it so the RSA guys had to get hold of some old books to work out how to code for it.

    Of course there are always cowboys taking shortcuts so that's probably why the FDA is warning some manufacturers that they should not be taking a stupid shortcut.

    1. Re:More than decade old news by rmdingler · · Score: 2

      So, just like every internet accessible medical device ever.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  3. The FDA is part of the problem. by msauve · · Score: 1, Insightful

    If the FDA weren't so strict about certifying every possible change to a medical device, this would be less of an issue. Because of all the hoops and red tape manufacturers have to go through anytime they make a change, the FDA rules/regulations provide a disincentive to make changes.

    And, why is the FDA pointing a finger at device manufacturers, when they themselves are responsible for device approval and should have identified these issues before giving that approval? Either they're responsible for ensuring that devices are safe, or they're not. They can't have it both ways.

    Your government at work.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:The FDA is part of the problem. by geekmux · · Score: 3, Insightful

      ...And, why is the FDA pointing a finger at device manufacturers, when they themselves are responsible for device approval and should have identified these issues before giving that approval?

      Because the FDA does not maintain an elite army of Cyberhackers. That's why.

      Either they're responsible for ensuring that devices are safe, or they're not. They can't have it both ways. Your government at work.

      Divisions of the government that do maintain Cybersecurity divisions have been hacked, as well as the corporate sector. Even the most accelerated plan to approve changes may not be fast enough to keep up with potential threats and discovered vulnerabilities.

      Perhaps the ultimate answer is to not tie every fucking thing to the damn cloud.

      I know, I know. Fuck the inherent risks, because whoring out our digital lives is worth it every time.

    2. Re:The FDA is part of the problem. by msauve · · Score: 1

      "Because the FDA does not maintain an elite army of Cyberhackers."

      So, you freely admit they're unqualified to complain about Cyberhacks [sic].

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:The FDA is part of the problem. by sjames · · Score: 1

      If the FDA is going to regulate this sort of thing, they'd better get some experts in.

      Agreed, we don't need everything on the cloud, but with appropriate precautions, some things can be better if they are. Why not make the device read-only unless the patient holds a security token up to his chest, for example. If the FDA was actually about more than making sure the reams of paperwork were filled out correctly and the right asses were kissed, they might even give that advice or even insist on it.

    4. Re:The FDA is part of the problem. by skids · · Score: 2

      This is a silly argument you are making. Compliance with legal and policy requirements does not have to be validated by the enforcing agency. If it did, we'd have to hire people to stand in your driveway and check that your seatbelt was buckled every time you drove off.

    5. Re:The FDA is part of the problem. by phantomfive · · Score: 4, Interesting

      I don't trust the FDA. I know what you are talking about, I've worked in the medical device industry, and it's a serious pain to get device approval, and the approval doesn't mean the code quality is good.

      That said, I trust the manufacturers even less, because I've worked with them. If you let them do easy OTA updates the way we update cell phones, you'll end up with a bunch of people dropping dead on February 29th.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:The FDA is part of the problem. by TheRaven64 · · Score: 4, Informative

      I agree with your heading, but not with the rest of your post. The problem is that the FDA requires that the company have the software certified as safe by a third party, but places very few rules on what this entails. In a lot of cases, the people certifying the software don't even have access to the code: they read the design docs, but nothing else. There's no red teaming of medical device software before widespread deployment and no auditing by the FDA. The FDA is happy to certify such devices as 'safe' with nothing like enough information to be able to honestly make that claim.

      --
      I am TheRaven on Soylent News
    7. Re:The FDA is part of the problem. by geekmux · · Score: 2

      If the FDA is going to regulate this sort of thing, they'd better get some experts in.

      After careful analysis, the expert steps up to the FDA Director's desk with a single sheet of paper. It reads:

      To Whomever is Pretending to Be Concerned,

      Stop putting every fucking thing in the damn cloud.

      Sincerely,

      Common F. Sense

  4. Heart Failure by Design by Anonymous Coward · · Score: 0

    Are there *any* three-letter agencies, save possibly the FDA, that don't salivate at the thought of making terminal use of all those vulnerabilities?

    Let's add in more back doors, they'll say.

    1. Re:Heart Failure by Design by Anonymous Coward · · Score: 0

      You have no idea how close you are to the truth - looking at you NSA, you fat, pathetic, pencil-dicked assholes.
      NSA - the DoD fucking hates you guys and the CIA knows you're pussies.

    2. Re: Heart Failure by Design by Anonymous Coward · · Score: 0

      DEA

  5. But Info DEMANDS to be FREE! by Anonymous Coward · · Score: 1

    See it free! Die? It's the cost you pay for info which MUST BE FREE! It's got to be FREE!

  6. Re:Reaction from Slashdot users by Anonymous Coward · · Score: 0

    Your pacemaker ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you. (0% complete)

    If you'd like to know more, ask St. Peter about this error: IRQL_NOT_LESS_OR_EQUAL_UR_DEAD_LOL

  7. IoT by e**(i+pi)-1 · · Score: 2

    = " I opt for a Tomb"

  8. The irony! by dbIII · · Score: 0

    So, just like every internet accessible medical device ever.

    Your link about internet accessible devices does not appear to be accessible from the internet. I'm getting DNS_PROBE_FINISHED_NXDOMAIN



    Make America great again with showers of gold!

  9. SOFTWARE PATCH??? by Anonymous Coward · · Score: 0

    Wait, you can just upgrade this freaking thing? How is that itself not a HUGE vulnerability? Are they at least going to reprogram it and lock the bits that allow its firmware to ever be upgraded again? Does it check for signatures of new patches?

  10. Two simple rules solve this! by Gravis+Zero · · Score: 1

    1) Interactions with medical implants need to supply their own source of power (e.g. via RF).
    2) Unpowered interactions may only occur if the medical implant detects a medical event.

    If your medical implant violates either of these rules then it is improperly designed.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Two simple rules solve this! by Gravis+Zero · · Score: 1

      Note: Basic security practices still apply but this solves the remote attack problem, especially those that would drain the battery.

      --
      Anons need not reply. Questions end with a question mark.
    2. Re:Two simple rules solve this! by Anonymous Coward · · Score: 0

      Why not just use encryption? I don't see how wireless power transfer is going to help charge batteries unless they put a big ass inductor on that device and you hold a charging device next to your chest for a few days each charge cycle.

    3. Re: Two simple rules solve this! by Anonymous Coward · · Score: 1

      Most such devices have embedded CPUs that fall somewhere between a 1 MHz Z-80 and a 16 MHz Arduino. Attempting to do a proper RSA key exchange would take *way* too long at that rate, and the alternative would be to give every device a unique factory-assigned AES key & keep a copy of it so they can encrypt future updates to each device with the right key... at which point the manufacturer's database of encryption keys becomes the weak link in the security chain.

      RFID tokens are better, but you'd still have to keep a copy of their keys in case the user lost his token (see problem #1), or keep at least one spare with the doctor or mfr (leaving it vulnerable to theft and compromise).

      It's a hard problem to solve, because gaining physical access to an implanted medical device is nontrivial, and any mechanism that *doesn't* require physical access leaves you vulnerable to remote attacks (e.g., imagine a psychopath like Dylan Roof going into a black church armed with a digital radio transmitter instead of a gun & invisibly killing random strangers nearby by tricking their implants into thinking the user himself is doing the update).

    4. Re:Two simple rules solve this! by Ihlosi · · Score: 1
      Why not just use encryption?

      Because encryption may keep someone from accessing the device in an emergency, and the manufacturer will be confronted with a "patient XYZ died because of a feature you intentionally put into your device" charge.

    5. Re: Two simple rules solve this! by TheRaven64 · · Score: 1

      How quick does the key exchange have to be? Most of the interactions with these devices are for non-emergency diagnostics. It's not like you're in an ambulance and the paramedic needs to log into your pacemaker to restart your heart. If the key exchange takes a few minutes, that's fine.

      --
      I am TheRaven on Soylent News
  11. A lack of software freedom can be lethal & sca by jbn-o · · Score: 4, Informative

    Karen Sandler, Executive Director of the Software Freedom Conservancy, has an enlarged heart (hypertrophic cardiomyopathy) and is at risk of suddenly dying (due to a medical condition called "sudden death"). She has no symptoms. She has given a talk about this many times at tech conferences, you should be able to find a copy of her talk online quite easily. She calls herself a "cyborg lawyer running on proprietary software" because she needs to wear a pacemaker/defibrillator device on her heart which keeps her heart beating within a predetermined acceptable range (not too slow, not too fast) by shocking her heart until it beats at an acceptable rhythm. Sandler said she's been shocked before and it's like being kicked in the chest and it takes the wind out of her for a while, requiring her to take some time for recovery.

    She knew of software freedom and figured on these weaknesses in these devices, some of which can be controlled remotely at some distance, because all of them run on proprietary software. She tried to get the source code, even offering to sign a non-disclosure agreement to do so, and nobody would share the code with her. She said she was the only one to ask her doctors about what ran on the device. She therefore chose an older model which requires the "programmer" device which sends a signal to the pacemaker/defibrillator be quite close to her body so that she'd probably know if someone were doing things to her device. The lack of software freedom and full user control (ownership) of the device is quite obviously a health risk and possibly lethal. Don't let anyone tell you a lack of software freedom isn't serious.

    An interesting thing happened during her pregnancy, which she explained in an update to her talk: She learned that a pregnant woman's heart sometimes naturally races. For most women of childbearing age this isn't a problem as they're unlikely to need a pacemaker/defibrillator, so their heart can occasionally race without serious consequences. For Sandler this racing triggers the device to shock her back into an "acceptable" heart rhythm. It appears that the pacemaker/defibrillator device makers didn't test this device on women young enough to be of childbearing age but they're apparently happy to sell the devices for implanting into users of any age. This lack of testing in combination with the lack of software freedom means the device manufacturers aren't doing due diligence and they're preventing younger women, such as Sandler, from looking out for their own interests—avoiding "sudden death". One can only imagine what horrible multiply lethal outcome could predictably result for a pregnant woman with the same condition Sandler has whose heart races when she was driving while receiving a shock from her non-free pacemaker/defibrillator device. Don't let anyone tell you a lack of software freedom isn't serious.

  12. Re:Reaction from Slashdot users by Anonymous Coward · · Score: 0

    Slashdot users will be very pleased that IoT vulnerabilities can be used to kill people. Of course, it will be frowned upon to point out that most IoT devices run Linux, which, therefore is probably the most vulnerable operating system. Any smart person would want a reliable and secure OS like Windows running on devices that are necessary to keep them alive.

    If you are going to try and be a troll at least be creative with it not a bad microsoft trollbot.

  13. What made anyone think they weren't ? by Crashmarik · · Score: 2

    I know I can't think of any internet connected system that doesn't have potential vulnerabilities. Why would anyone think medical devices were some sort of magical exception ?

    1. Re: What made anyone think they weren't ? by Anonymous Coward · · Score: 0

      According to someone I know with one of these devices, nothing can be altered remotely. They have to have a tool against his chest to change things.

  14. What they look and sound like on analyzer / demod by Anonymous Coward · · Score: 0

    http://www.sigidwiki.com/wiki/ECG_Telemetry

  15. Dick Cheney Was On This by Anonymous Coward · · Score: 0

    Back in 2007, Vice President Dick Cheney had his pacemaker's wireless functionality disabled.

    Ah, the good old days when the veep shooting his friend in the face with a shotgun and refusing to apologize was considered a scandal.

  16. So medical researchers don't understand security. by mmell · · Score: 2
    During development of these devices, I suspect that if the software developers ever tried to raise security concerns, they were (correctly) told to worry about that after they had a device that could save lives. Not unlike documentation, once the miracle gizmo has made it past the FDA (I.e., gone into production), going back to fix kludges and clean up dirty code slides wa-a-ay down the list of priorities. Happens all the time in IT.

    True story.

  17. Record and Replay by Anonymous Coward · · Score: 0

    Like any device - record the telemetry, then replay. Software updates - record and replay.
    Child's play really. Did this with garage door openers and remote entry cars.
    Poor hashing choices mean the odds of defeat are much higher.

    A pissed off undertaker who cannot recycle these devices (usually reused for pets) will give it to a hacker to work upon, because they are supposed to be removed before cremation, along with teeth with fillings.

    1. Re: Record and Replay by Miamicanes · · Score: 1

      I thought the only thing that non-negotiably *had* to be removed prior to cremation was the RTG nuclear batteries used about 40 years ago (before regulators banned new ones out of concerns that it was only a matter of time until one literally went "up in smoke", or got stolen (after killing the owner) by terrorists wanting plutonium for a diy dirty bomb.)

    2. Re: Record and Replay by GuB-42 · · Score: 2

      Pacemakers aren't that radioactive. They are on similar level as tritium tubes used for illumination. You need lots and lots of them to do a meaningful dirty bomb, and it isn't the right isotope for fission bombs.
      As for banning them, are they really banned? There are many reasons why they aren't used anymore:
      - improvement in lithium battery technology
      - life expectancy of people with pacemakers is relatively low on average. So in most cases, the extreme battery life of a nuclear pacemaker is not needed.
      - pacemaker technology constantly evolves so changing an old pacemaker has benefits beyond the battery
      - plutonium-238 is becoming more and more expensive and hard to find, even space agencies have trouble getting it

    3. Re: Record and Replay by Miamicanes · · Score: 1

      Did some research... pacemakers actually used Promethium, not Plutonium. From what I can tell, the betavoltaic battery cost skyrocketed in the mid-70s, and the manufacturer decided it wasn't worth bothering with.

      As far as dirty bombs go, they wouldn't *have* to directly kill anyone with radiation... the sheer public panic after a confirmed explosion of one would almost *certainly* kill dozens, if not hundreds (trampling, car wrecks, panicked looting, etc). For terrorist purposes, just *having* something radioactive -- in any quantity -- will achieve the goal of inciting public panic.
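Added example (not part of the thread and not any vendor's code), illustrating the record-and-replay point raised in comment 17: a receiver that only verifies a keyed tag still accepts a recorded frame a second time, while one that also enforces a strictly increasing counter rejects the replay. The key, the frame layout and the `SET_RATE` command are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32      # full HMAC-SHA256 tag
COUNTER_LEN = 8   # 64-bit big-endian message counter


def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: counter || command || HMAC-SHA256(key, counter || command)."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


def _tag_ok(key: bytes, frame: bytes) -> bool:
    """Constant-time check that the trailing tag matches the frame body."""
    if len(frame) < COUNTER_LEN + TAG_LEN:
        return False
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


class TagOnlyReceiver:
    """Checks authenticity but not freshness: a recorded frame stays valid forever."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, frame: bytes) -> bool:
        return _tag_ok(self.key, frame)


class CounterReceiver:
    """Checks authenticity and requires each counter to exceed the last accepted one.

    In a real device last_counter would have to live in non-volatile storage,
    otherwise a power cycle would reopen the replay window.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if not _tag_ok(self.key, frame):
            return False                      # forged or modified frame
        (counter,) = struct.unpack(">Q", frame[:COUNTER_LEN])
        if counter <= self.last_counter:
            return False                      # replayed or stale frame
        self.last_counter = counter           # only advance on a valid frame
        return True


def demo() -> dict:
    key = bytes(range(32))                            # constructed per-device key
    recorded = build_frame(key, 1, b"SET_RATE=60")    # constructed command frame

    tag_only, hardened = TagOnlyReceiver(key), CounterReceiver(key)
    results = {
        "tag_only_first": tag_only.accept(recorded),
        "tag_only_replay": tag_only.accept(recorded),   # replay goes through
        "counter_first": hardened.accept(recorded),
        "counter_replay": hardened.accept(recorded),    # replay rejected
    }

    # Without the key, editing the command or bumping the counter breaks the tag.
    tampered = recorded[:COUNTER_LEN] + b"SET_RATE=99" + recorded[-TAG_LEN:]
    bumped = struct.pack(">Q", 5) + recorded[COUNTER_LEN:]
    results["counter_tampered"] = hardened.accept(tampered)
    results["counter_bumped"] = hardened.accept(bumped)

    # A legitimate sender holding the key simply uses the next counter value.
    results["counter_next"] = hardened.accept(build_frame(key, 2, b"SET_RATE=60"))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} accepted={accepted}")
```
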


  19. JUST OPT IN TO GOOD NUTRITION! by Anonymous Coward · · Score: 0

    that if you're going to opt into eating pasta and bread and sugar and smoking and drinking then you should go for a DRUG ELUDED STENT as opposed to a heart VALVE Or some other kind of pumpy thing that needs electricity and moving parts

    ON the other hand.
    if you stop consuming anything WHITE and instead eat a carrot beet an apple we won't have to crack open your rib cage.

    PS. MANY OF YOU READING THINK I AM JOKING. I ALMOST DIED FROM MY HEART ATTACK, I AM JUST GIVING ADVICE BITCH!!

  20. Re:Reaction from Slashdot users by TheRaven64 · · Score: 2

    Anyone who manages to get Linux running on a pacemaker deserves a lot of credit. These devices consume an order of magnitude or two less power than the smallest systems to run Linux.

    --
    I am TheRaven on Soylent News
  21. It's physically secure by PatientZero · · Score: 1

    To apply the patch, you have to twist the patient's nipples in opposite directions to the beat of the music that plays when Darth Vader enters a scene.

    --
    Freedom to fear. Freedom from thought. Freedom to kill.
    I guess the War on Terror really is about freedom!
    1. Re:It's physically secure by Anonymous Coward · · Score: 0

      To be less hyperbolic, the patient has to be in physical proximity to the programming wand (think centimeters) for the firmware update to happen.

  22. Re:So medical researchers don't understand securit by drinkypoo · · Score: 1

    Not unlike documentation, once the miracle gizmo has made it past the FDA (I.e., gone into production), going back to fix kludges and clean up dirty code slides wa-a-ay down the list of priorities.

    And this is why capitalism is evil. It doesn't care about you, it just wants your money. It doesn't care how much environmental damage is done, for example. Therefore, it rewards a company for forever abandoning projects half-finished, at the point at which someone will pay for them. Then we are buried beneath an avalanche of ill-conceived garbage.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  23. Re: A lack of software freedom can be lethal & by ihearthonduras · · Score: 1

    "One can imagine how X could be a problem therefore X is a problem" is a fallacy. I can imagine that unicorns exist. That doesn't mean (unfortunately) that they exist.

  24. Obviously the Russians by moeinvt · · Score: 1

    A high ranking intelligence official, speaking on condition of anonymity, cited details of a classified government report which confirms without a doubt that hackers working on behalf of the Russian government, and personally supervised by Vladimir Putin, are conspiring to hack pacemakers in elderly Democrat-leaning USA voters to interfere with the 2018 elections.

  25. Re:A lack of software freedom can be lethal & by Anonymous Coward · · Score: 0

    Some remarks from someone who programmed those implantable cardioverters/defibrillators:
    One of the reasons why no manufacturer would voluntarily share the code is that the whole field is unbelievably thickly covered with patents. So giving out the source code would make it easier for an adversary to get hints of possible patent violation. The whole situation is sometimes very complicated with several patents from several manufacturers covering the same feature set at differing abstraction levels.
    And even if something is not covered by patents, you may want to keep it a company secret. So, I assume, unless you show up at the company door with a court warrant, they won't give you the code. The manufacturer has only a lot to lose and nothing to gain from handing out the code.

    Otherwise I sincerely doubt that open source would help in the situation of Miss Sandler. It's already massively complicated for the actual engineers to keep track of the literally thousands of parameters any modern cardiac implant features. Most of them interact with a lot of others and depending on the medical condition any given combination of parameters may be good or lethally wrong. In my humble opinion it is close to impossible for a layperson (not at the same time: expert in cardiac medical conditions and expert to the specific medical device and well versed in general programming) to catch the complication that Miss Sandler experienced during pregnancy and then do something sensibly about it. From the short description in the parent post, her complication would be easily correctable with a suitable setting to the device parameters, without changing any line in the code of the device. In that case it would be an overlook of her physician to adapt her parameters to her special condition.
    On a related note: Most physicians are either "lazy", not well enough informed or simply very satisfied with the default settings and automatisms, since from experience more than 80% of all devices from my manufacturer never had the default settings changed. How do they know? After end of life (of the device or patient) most of the devices are returned to the manufacturer for recycling.

  26. Re:A lack of software freedom can be lethal & by cshamis · · Score: 1

    Pacemaker and implanted device procedures aren't that dumb. They're actually pretty well thought out. All implanted pacemaker devices require near-proximity access (1-2 centimeters) to access, the communication is completely encrypted between the programmer unit and the device being implanted. Once it's implanted it can ONLY be "tuned, modified" with your cardiac surgeon present, and in an operating theater environment. Changing anything in the device is treated exactly the same as a "new surgery." They expect that any change could potentially brick the device... so they have to be ready to go in. And, no the "manufacturer" does not retain any ownership of the device once it has been implanted. The laws upheld by the Supreme Court state anything implanted in a person's body becomes the property of the person. Period. That's just the law. The answer to the "nightmare scenario" as envisioned by techies, there is no universal "standard diagnostic port" in case you're wheeled into an emergency room and the doctors need to "access your device to save your life!" No. They can't. There's no expectation that they would, could, or should. That's not the medical procedure. If your pacemaker is malfunctioning and causing a threat to your life, then it *is* the problem, and they would remove it. They don't try to "fix" it... or reboot it, or read the diagnostic logs... not while you're dying on the table. They just remove it and stabilize you without one and get you prepped for a new one.

  27. Hardware switch by John+Allsup · · Score: 1

    Everything except telemetry should require some kind of hardware level permission (analogous to write protect switch), not software. Telemetry should be end to end encrypted.

    --
    John_Chalisque
  28. Re:A lack of software freedom can be lethal & by clodney · · Score: 1

    I don't see anything in your post that makes me believe that if Karen Sandler had access to the code she could make improvements to the device for her particular situation.

    First, as another poster has noted, modern implantable devices are extensively configurable, and yet most of them go in with the default settings, because the cardiologist/surgeon don't know enough about each device to tweak the settings. So it is quite conceivable that it could already be configured to deal properly with a pregnant woman's racing heartbeat.

    Second, all of these devices walk a hazard/benefit tightrope. You are dealing with devices that can kill the patient if they fail. The patient might die due to the ordinary surgical complication risk that is always present. The device might function but not actually help them because of their particular physiology. So the validation of the device talks a lot about risk and reward, and the testing will focus on the population most likely to benefit. It is likely that pregnant women form a minuscule market for this device, so they may be considered an off label use - something that was not studied and about which nothing is known.

    Think of pharmaceutical ads, and how often you hear the phrase "women who are pregnant or thinking of becoming pregnant should consult their doctor". That tells you right there that either pregnant women weren't studied, or that they have additional risk factors because of the pregnancy.

    To think that access to the sourcecode by an interested layperson could make the software meaningfully better is a stretch. Perhaps getting access to the programming manual for the device would help, but that doesn't require access to the source code.

  29. Heartbleed bug won't just affect SSL now... by Idisagree · · Score: 1

    Should we start CVEs for biomedical equipment?

  30. Re:So medical researchers don't understand securit by Anonymous Coward · · Score: 0

    Correction: once the gizmo has been certified, there is a strong financial disincentive to change anything whatsoever because even the smallest change forces them to start the expensive certification process over again. It basically only happens when a bug is found that is certain to kill every patient using the device.

  31. Re:So medical researchers don't understand securit by phantomfive · · Score: 1

    You don't want kludges in your pacemaker. There's a time and place for them, but that's not it.

    --
    "First they came for the slanderers and i said nothing."
  32. Re: So medical researchers don't understand securi by mmell · · Score: 1

    Al, is that you?

  33. Ransomware!?!? by Anonymous Coward · · Score: 0

    My goodness! This vulnerability would give ransomware a whole new meaning! Can you imagine an attacker demanding all of your savings or else he stops your heart?

  34. I've heard this one before. by Tupsukka · · Score: 1

    This is exactly like from game Hacknet! One mission was to hack medical device manufacturer system, find a patient's pacer IP and kill him. He wanted a euthanasia, but wasn't allowed to get one legally, so the player had to overload the pacer.


  36. Secure Software by Anonymous Coward · · Score: 0

    Secure Software is hard to write, and many times, everyone is in a rush to get things out the door, no matter how many frigging holes/problems the software/hardware has. This isn't a new problem, if you google "Therac-25", that's a perfectly good example of improper software checks killing cancer patients (the older model units used hardware interlocks to prevent overexposure of radiation)...

    Go figure, huh

  37. Re:A lack of software freedom can be lethal & by jbn-o · · Score: 1

    So the threat of death is enough for you to argue the status quo standing behind proprietors and denying the user full control of a device they obtained (in Sandler's case wear inside their body) but not enough for you to let the user control. We still don't think that's the case for more common devices that are involved in lot of harm such as cars. In light of what's actually already happened to Sandler, your response is remarkably sycophantic to power. Automakers would probably be interested to talk to you in light of the ongoing embarrassment they face in Dieselgate.

    Interested people already modify the source code to the software running on various devices, it's a matter of which people get to inspect, share, and modify. For all you know, in Sandler's case she could take said code to someone who is sufficiently skilled. In any event, to whom the user takes the source code is nobody's business but theirs and not a justification for the failures that have already occurred or foreseeable problems to others.

  38. Re:A lack of software freedom can be lethal & by clodney · · Score: 1

    So the threat of death is enough for you to argue the status quo standing behind proprietors and denying the user full control of a device they obtained (in Sandler's case wear inside their body) but not enough for you to let the user control. We still don't think that's the case for more common devices that are involved in lot of harm such as cars. In light of what's actually already happened to Sandler, your response is remarkably sycophantic to power.

    I think you are mixing arguments. I was making the utilitarian case that the remedy proposed (software freedom) was unlikely to be an effective remedy in this case. I said nothing pro or con about software freedom.

    If you want to argue conceptually for software freedom, then Karen Sandler's case is nothing but an anecdote, and we can rehash the usual pro/anti FSF and GPL arguments all day long. Personally I don't view proprietary software as evil or even morally suspect, and I am fairly sure you disagree with that view.

  39. Re:So medical researchers don't understand securit by mmell · · Score: 1

    Not quite - you see, the manufacturer is going to create a newer, better version of their product (to preserve patent and copyright protections and maximize profits^H^H^H^H^H^H^Hbenefits to the public), so the code cleanup will probably find its way into the 2.0 version of their wonder widget/frammis/dololly.