Slashdot Mirror

← Back to Stories (view on slashdot.org)

Implantable Cardiac Devices Could Be Vulnerable To Hackers, FDA Warns (vice.com)

Posted by BeauHD on from the don't-skip-a-beat dept.

The U.S. Food and Drug Administration warned on Monday that pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients' lives at risk, as hackers could remotely access the devices and change the heart rate, administer shocks, or quickly deplete the battery. Thankfully, St. Jude released a new software patch on the same day as the FDA warning to address these vulnerabilities. Motherboard reports: St. Jude Medical's implantable cardiac devices are put under the skin, in the upper chest area, and have insulated wires that go into the heart to help it beat properly, if it's too slow or too fast. They work together with the Merlin@home Transmitter, located in the patient's house, which sends the patient's data to their physician using the Merlin.net Patient Care Network. Hackers could have exploited the transmitter, the manufacturer confirmed. "[It] could (...) be used to modify programming commands to the implanted device," the FDA safety communication reads. In an emailed response to Motherboard, a St. Jude Medical representative noted that the company "has taken numerous measures to protect the security and safety of our devices," including the new patch, and the creation of a "cyber security medical advisory board." The company plans to implement additional updates in 2017, the email said. This warning comes a few days after Abbott Laboratories acquired St. Jude Medical, and four months after a group of experts at Miami-based cybersecurity company MedSec Holding published a paper explaining several vulnerabilities they found in St. Jude Medical's pacemakers and defibrillators. They made the announcement at the end of August 2016, together with investment house Muddy Waters Capital.

38 of 60 comments (clear)

  1. More than decade old news by dbIII · · Score: 1

    Well over a decade ago RSA was working with a cardiac device manufacturer to prevent the device being vunerable to hackers.
    Apparently the device had a Z80 variant in it so the RSA guys had to get hold of some old books to work out how to code for it.

    Of course there are always cowboys taking shortcuts so that's probably why the FDA is warning some manufacturers that they should not be taking a stupid shortcut.

    1. Re:More than decade old news by rmdingler · · Score: 2

      So, just like every internet accessible medical device ever.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  2. The FDA is part of the problem. by msauve · · Score: 1, Insightful

    If the FDA weren't so strict about certifying every possible change to a medical device, this would be less of an issue. Because of all the hoops and red tape manufacturers have to go through anytime they make a change, the FDA rules/regulations provide a disincentive to make changes.

    And, why is the FDA pointing a finger at device manufacturers, whey they themselves are responsible for device approval and should have identified these issues before giving that approval? Either they're responsible for ensuring that devices are safe, or they're not. They can't have it both ways.

    Your government at work.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:The FDA is part of the problem. by geekmux · · Score: 3, Insightful

      ...And, why is the FDA pointing a finger at device manufacturers, whey they themselves are responsible for device approval and should have identified these issues before giving that approval?

      Because the FDA does not maintain an elite army of Cyberhackers. That's why.

      Either they're responsible for ensuring that devices are safe, or they're not. They can't have it both ways. Your government at work.

      Divisions of the government that do maintain Cybersecurity divisions have been hacked, as well as the corporate sector. Even the most accelerated plan to approve changes may not be fast enough to keep up with potential threats and discovered vulnerabilities.

      Perhaps the ultimate answer is to not tie every fucking thing to the damn cloud.

      I know, I know. Fuck the inherent risks, because whoring out our digital lives is worth it every time.

    2. Re:The FDA is part of the problem. by msauve · · Score: 1

      "Because the FDA does not maintain an elite army of Cyberhackers."

      So, you freely admit they're unqualified to complain about Cyberhacks [sic].

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:The FDA is part of the problem. by sjames · · Score: 1

      If the FDA is going to regulate this sort of thing, they'd better get some experts in.

      Agreed, we don't need everything on the cloud, but with appropriate precautions, some things can be better if they are. Why not make the device read-only unless the patient holds a security token up to his chest, for example. If the FDA was actually about more than making sure the reams of paperwork were filled out correctly and the right asses were kissed, they might even give that advice or even insist on it.

    4. Re:The FDA is part of the problem. by skids · · Score: 2

      This is a silly argument you are making. Compliance to legal and policy requirements do not have to be validated by the enforcing agency. If they did, we'd have to hire people to stand in your driveway and check that your seatbelt was buckled every time you drove off.

      --
      Someone had to do it.
    5. Re:The FDA is part of the problem. by phantomfive · · Score: 4, Interesting

      I don't trust the FDA. I know what you are talking about, I've worked in the medical device industry, and it's a serious pain to get device approval, and the approval doesn't mean the code quality is good.

      That said, I trust the manufacturers even less, because I've worked with them. If you let them do easy OTA updates the way we update cell phones, you'll end up with a bunch of people dropping dead on February 29th.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:The FDA is part of the problem. by TheRaven64 · · Score: 4, Informative

      I agree with your heading, but not with the rest of your post. The problem is that the FDA requires that the company have the software certified as safe by a third party, but places very few rules on what this entails. In a lot of cases, the people certifying the software don't even have access to the code: they read the design docs, but nothing else. There's no red teaming of medical device software before widespread deployment and no auditing by the FDA. The FDA is happy to certify such devices as 'safe' with nothing like enough information to be able to honestly make that claim.

      --
      I am TheRaven on Soylent News
    7. Re:The FDA is part of the problem. by geekmux · · Score: 2

      If the FDA is going to regulate this sort of thing, they'd better get some experts in.

      After careful analysis, the expert steps up to the FDA Directors desk with a single sheet of paper. It reads:

      To Whomever is Pretending to Be Concerned,

      Stop putting every fucking thing in the damn cloud.

      Sincerely,

      Common F. Sense

  3. But Info DEMANDS to be FREE! by Anonymous Coward · · Score: 1

    See it free! Die? It's the cost you pay for info which MUST BE FREE! It's got to be FREE!

  4. IoT by e**(i+pi)-1 · · Score: 2

    = " I opt for a Tomb"

  5. Two simple rules solve this! by Gravis+Zero · · Score: 1

    1) Interactions with medical implants need to supply their own source of power (e.g. via RF).
    2) Unpower interactions may only occur if the medical implant detects a medical event.

    If your medical implant violates either of these rules then it is improperly designed.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Two simple rules solve this! by Gravis+Zero · · Score: 1

      Note: Basic security practices still apply but this solves the remote attack problem, especially those that would drain the battery.

      --
      Anons need not reply. Questions end with a question mark.
    2. Re: Two simple rules solve this! by Anonymous Coward · · Score: 1

      Most such devices have embedded CPUs that fall somewhere between a 1 MHz Z-80 and a 16 MHz Arduino. Attempting to do a proper RSA key exchange would take *way* too long at that rate, and the alternative would be to give every device a unique factory-assigned AES key & keep a copy of it so they can encrypt future updates to each device with the right key... at which point the manufacturer's database of encryption keys becomes the weak link in the security chain.

      RFID tokens are better, but you'd still have to keep a copy of their keys in case the user lost his token (see problem #1), or keep at least one spare with the doctor or mfr (leaving it vulnerable to theft and compromise).

      It's a hard problem to solve, because gaining physical access to an implanted medical device is nontrivial, and any mechanism that *doesn't* require physical access leaves you vulnerable to remote attacks (e.g., imagine a psychopath like Dylan Roof going into a black church armed with a digital radio transmitter instead of a gun & invisibly killing random strangers nearby by tricking their implants into thinking the user himself is doing the update.

    3. Re:Two simple rules solve this! by Ihlosi · · Score: 1
      Why not just use encryption?

      Because encryption may keep someone from accessing the device in an emergency, and the manufacturer will be confronted with a "patienty XYZ died because of a feature you intentionally put into your device" charge.

    4. Re: Two simple rules solve this! by TheRaven64 · · Score: 1

      How quick does the key exchange have to be? Most of the interactions with these devices are for non-emergency diagnostics. It's not like you're in an ambulance and the paramedic needs to log into your pacemaker to restart your heart. If the key exchange takes a few minutes, that's fine.

      --
      I am TheRaven on Soylent News
  6. A lack of software freedom can be lethal & sca by jbn-o · · Score: 4, Informative

    Karen Sandler, Executive Director of the Software Freedom Conservancy, has an enlarged heart (hypertrophic cardiomyopathy) and is at risk of suddenly dying (due to a medical condition called "sudden death"). She has no symptoms. She has given a talk about this many times at tech conferences, you should be able to find a copy of her talk online quite easily. She calls herself a "cyborg lawyer running on proprietary software" because she needs to wear a pacemaker/defibrillator device on her heart which keeps her heart beating within a predetermined acceptable range (not too slow, not too fast) by shocking her heart until it beats at an acceptable rhythm. Sandler said she's been shocked before and it's like being kicked in the chest and it takes the wind out of her for a while, requiring her to take some time for recovery.

    She knew of software freedom and figured on these weaknesses in these devices, some of which can be controlled remotely at some distance, because all of them run on proprietary software. She tried to get the source code, even offering to sign a non-disclosure agreement to do so, and nobody would share the code with her. She said she was the only one to ask her doctors about what ran on the device. She therefore chose an older model which requires the "programmer" device which sends a signal to the pacemaker/defibrillator be quite close to her body so that she'd probably know if someone were doing things to her device. The lack of software freedom and full user control (ownership) of the device is quite obviously a health risk and possibly lethal. Don't let anyone tell you a lack of software freedom isn't serious.

    An interesting thing happened during her pregnancy, which she explained in an update to her talk: She learned that a pregnant woman's heart sometimes naturally races. For most women of childbearing age this isn't a problem as they're unlikely to need a pacemaker/defibrillator, so their heart can occasionally race without serious consequences. For Sandler this racing triggers the device to shock her back into an "acceptable" heart rhythm. It appears that the pacemaker/defibrillator device makers didn't test this device on women young enough to be of childbearing age but they're apparently happy to sell the devices for implanting into users of any age. This lack of testing in combination with the lack of software freedom means the device manufacturers aren't doing due diligence and they're preventing younger women, such as Sandler, from looking out for their own interests—avoiding "sudden death". One can only imagine what horrible multiply lethal outcome could predictably result for a pregnant woman with the same condition Sandler has whose heart races when she was driving while receiving a shock from her non-free pacemaker/defibrillator device. Don't let anyone tell you a lack of software freedom isn't serious.

    --
    Digital Citizen
  7. What made anyone think they weren't ? by Crashmarik · · Score: 2

    I know I can't think of any internet connected system that doesn't have potential vulnerabilities. Why would anyone think medical devices were some sort of magical exception ?

  8. So medical researchers don't understand security. by mmell · · Score: 2
    During development of these devices, I suspect that if the software developers ever tried to raise security concerns, they were (correctly) told to worry about that after they had a device that could save lives. Not unlike documentation, once the miracle gizmo has made it past the FDA (I.e., gone into production), going back to fix kludges and clean up dirty code slides wa-a-ay down the list of priorities. Happens all the time in IT.

    True story.

  9. Re: Record and Replay by Miamicanes · · Score: 1

    I thought the only thing that non-negotiably *had* to be removed prior to cremation was the RTG nuclear batteries used about 40 years ago (before regulators banned new ones out of concerns that it was only a matter of time until one literally went "up in smoke", or got stolen (after killing the owner) by terrorists wanting plutonium for a diy dirty bomb.)

  10. Re: Record and Replay by GuB-42 · · Score: 2

    Pacemakers aren't that radioactive. They are on similar level as tritium tubes used for illumination. You need lots and lots of them to do a meaningful dirty bomb, and it isn't the right isotope for fission bombs.
    As for banning them, are they really banned? There are many reasons why they aren't used anymore :
    - improvement in lithium battery technology
    - life expectancy of people with pacemaker is relatively low on average. So in most case, the extreme battery life of nuclear pacemaker is not needed.
    - pacemaker technology constantly evolves so changing an old pacemaker has benefits beyond the battery
    - plutonium-238 is becoming more and more expensive and hard to find, even space agencies have trouble getting it

  11. Re:Reaction from Slashdot users by TheRaven64 · · Score: 2

    Anyone who manages to get Linux running on a pacemaker deserves a lot of credit. These devices consume an order of magnitude or two less power than the smallest systems to run Linux.

    --
    I am TheRaven on Soylent News
  12. It's physically secure by PatientZero · · Score: 1

    To apply the patch, you have to twist the patient's nipples in opposite directions to the beat of the music that plays when Darth Vader enters a scene.

    --
    Freedom to fear. Freedom from thought. Freedom to kill.
    I guess the War on Terror really is about freedom!
  13. Re:So medical researchers don't understand securit by drinkypoo · · Score: 1

    Not unlike documentation, once the miracle gizmo has made it past the FDA (I.e., gone into production), going back to fix kludges and clean up dirty code slides wa-a-ay down the list of priorities.

    And this is why capitalism is evil. It doesn't care about you, it just wants your money. It doesn't care how much environmental damage is done, for example. Therefore, it rewards a company for forever abandoning projects half-finished, at the point at which someone will pay for them. Then we are buried beneath an avalance of ill-conceived garbage.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  14. Re: A lack of software freedom can be lethal & by ihearthonduras · · Score: 1

    "One can imagine how X could be a problem therefore X is a problem" is a fallacy. I can imagine that unicorns exist. That doesn't mean (unfortunately) that they exist.

  15. Obviously the Russians by moeinvt · · Score: 1

    A high ranking intelligence official, speaking on condition of anonymity, cited details of a classified government report which confirms without a doubt that hackers working on behalf of the Russian government, and personally supervised by Vladimir Putin, are conspiring to hack pacemakers in elderly Democrat-leaning USA voters to interfere with the 2018 elections.

  16. Re:A lack of software freedom can be lethal & by cshamis · · Score: 1

    Pacemaker and implanted device procedures aren't that dumb. They're actually pretty well thought out. All implanted pacemaker devices require near-proximity access(1-2 centimeters) to access, the communication is completely encrypted between the programmer unit and the device being implanted. Once it's implanted it can ONLY be "tuned, modified" with your cardiac surgeon present, and in an operating theater environment. Changing anything in the device is treated exactly the same as a "new surgery." They expect that any change could potentially brick the device... so they have to be ready to go in. And, no the "manufacturer" does not retain any ownership of the device once it has been implanted. The laws upheld by the Supreme Court state anything implanted in a persons body becomes the property of the person. Period. That's just the law. The answer to the "nightmare scenario" as envisioned by techies, there is no universal "standard diagnostic port" in case you're wheeled into an emergency room and the doctors need to "access your device to save your life!" No. They can't. There's no expectation that they would, could, or should. That's not the medical procedure. If your pacemaker is malfunctioning and causing a threat to your life, then it *is* the problem, and they would remove it. They don't try to "fix" it... or reboot it, or read the diagnostic logs... not while you're dying on the table. They just remove it and stabilize you without one and get you prepped for a new one.

  17. Hardware switch by John+Allsup · · Score: 1

    Everything except telemetry should require some kind of hardware level permission (analogous to write protect switch), not software. Telemetry should be end to end encrypted.

    --
    John_Chalisque
  18. Re:A lack of software freedom can be lethal & by clodney · · Score: 1

    I don't see anything in your post that makes me believe that if Karen Sandler had access to the code she could make improvements to the device for her particular situation.

    First, as another poster has noted, modern implantable devices are extensively configurable, and yet most of them go in with the default settings, because the cardiologist/surgeon don't know enough about each device to tweak the settings. So it is quite conceivable that it could be already be configured to deal properly with a pregnant woman's racing heartbeat.

    Second, all of these devices walk a hazard/benefit tightrope. You are dealing with devices that can kill the patient if they fail. The patient might die due to the ordinary surgical complication risk that is always present. The device might function but not actually help them because of their particular physiology. So the validation of the device talks a lot about risk and reward, and the testing will focus on the population most likely to benefit. It is likely that pregnant women form a miniscule market for this device, so they may be considered an off label use - something that was not studied and about which nothing is known.

    Think of pharmaceutical ads, and how often you hear the phrase "women who are pregnant or thinking of becoming pregnant should consult their doctor". That tells you right there that either pregnant women weren't studied, or that they have additional risk factors because of the pregnancy.

    To think that access to the sourcecode by an interested layperson could make the software meaningfully better is a stretch. Perhaps getting access to the programming manual for the device would help, but that doesn't require access to the source code.

  19. Heartbleed bug wont just effect SSL now... by Idisagree · · Score: 1

    should we start CVE's for biomedical equipment?

  20. Re: Record and Replay by Miamicanes · · Score: 1

    Did some research... pacemakers actually used Promethium, not Plutonium. From what I can tell, the betavoltaic battery cost skyrocketed in the mid-70s, and the manufacturer decided it wasn't worth bothering with.

    A far as dirty bombs go, they wouldn't *have* to directly kill anyone with radiation... the sheer public panic after a confirmed explosion of one would almost *certainly* kill dozens, if not hundreds (trampling, car wrecks, panicked looting, etc). For terrorist purposes, just *having* something radioactive -- in any quantity -- will achieve the goal of inciting public panic.

  21. Re:So medical researchers don't understand securit by phantomfive · · Score: 1

    You don't want kludges in your pacemaker. There's a time and place for them, but that's not it.

    --
    "First they came for the slanderers and i said nothing."
  22. Re: So medical researchers don't understand securi by mmell · · Score: 1

    Al, is that you?

  23. I've heard this one before. by Tupsukka · · Score: 1

    This is exactly like from game Hacknet! One mission was to hack medical device manufacturer system, find a patient's pacer IP and kill him. He wanted a euthanasia, but wasn't allowed to get one legally, so the player had to overload the pacer.

  24. Re:A lack of software freedom can be lethal & by jbn-o · · Score: 1

    So the threat of death is enough for you to argue the status quo standing behind proprietors and denying the user full control of a device they obtained (in Sandler's case wear inside their body) but not enough for you to let the user control. We still don't think that's the case for more common devices that are involved in lot of harm such as cars. In light of what's actually already happened to Sandler, your response is remarkably sycophantic to power. Automakers would probably be interested to talk to you in light of the ongoing embarrassment they face in Dieselgate.

    Interested people already modify the source code to the software running on various devices, it's a matter of which people get to inspect, share, and modify. For all you know, in Sandler's case she could take said code to someone who is sufficiently skilled. In any event, to whom the user takes the source code is nobody's business but theirs and not a justification for the failures that have already occurred or foreseeable problems to others.

    --
    Digital Citizen
  25. Re:A lack of software freedom can be lethal & by clodney · · Score: 1

    So the threat of death is enough for you to argue the status quo standing behind proprietors and denying the user full control of a device they obtained (in Sandler's case wear inside their body) but not enough for you to let the user control. We still don't think that's the case for more common devices that are involved in lot of harm such as cars. In light of what's actually already happened to Sandler, your response is remarkably sycophantic to power.

    I think you are mixing arguments. I was making the utilitarian case that the remedy proposed (software freedom) was unlikely to be an effective remedy in this case. I said nothing pro or con about software freedom.

    If you want to argue conceptually for software freedom, then Karen Sandler's case is nothing but an anecdote, and we can rehash the usual pro/anti FSF and GPL arguments all day long. Personally I don't view proprietary software as evil or even morally suspect, and I am fairly sure you disagree with that view.

  26. Re:So medical researchers don't understand securit by mmell · · Score: 1

    Not quite - you see, the manufacturer is going to create a newer, better version of their product (to preserve patent and copyright protections and maximize profits^H^H^H^H^H^H^Hbenefits to the public), so the code cleanup will probably find its way into the 2.0 version of their wonder widget/frammis/dololly.