Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hack Causes Pacemakers To Deliver Life-Threatening Shocks (arstechnica.com)

Posted by BeauHD on from the patient-safety dept.

An anonymous reader quotes a report from Ars Technica: Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday. At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients. Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients. Rios and Butts were also able to use a $200 HackRF software-defined radio to hack a Medtronic-made insulin pump and make it withhold a scheduled dose of insulin. Medtronic has released a page that lists all the security advisories they have issued on the pacemakers and insulin pumps.

72 comments

  1. Re: lol he name Butts by Anonymous Coward · · Score: 0

    I work as an MD. The amount of ignorance in the healthcare sector about info sec is absurdly high. Something needs to change before people start getting hurt.

  2. Re:lol he name BeauHD by Anonymous Coward · · Score: 0

    Stupid millenial child BeauHD.
     

    Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect.

    I just LOVE the implications of this naive statement.
     
    1. HTTPS is actually secure
    2. HTTPS is the protocol that they should be using
    3. There aren't millions of better protocols than HTTPS for this application
    4. Doctors actually try or would be the ones to try to detect malware

  3. who goes to jail by AndyKron · · Score: 1

    And the hackers go to jail now, right?

    1. Re:who goes to jail by ole_timer · · Score: 1

      or the designer who left that feature (as in authentication) out?

      --
      nothing to see here - move along
    2. Re:who goes to jail by Anonymous Coward · · Score: 0

      Well, if my relative gets harmed, I'm going full Jack Leon Ruby on the asshole, sentenced to jail or not, genius hacker or not. Mark my words.

    3. Re:who goes to jail by Pieroxy · · Score: 1

      And the hackers go to jail now, right?

      or the designer who left that feature (as in authentication) out?

      You apparently haven't been following the news lately. White hats go to jail for disclosing blatant security holes but the designers are fine.

      --
      Write boring code, not shiny code!
    4. Re:who goes to jail by Anonymous Coward · · Score: 0

      You apparently haven't been following the news lately. White hats go to jail for disclosing blatant security holes but the designers are fine.

      I always wondered about that. Suing the designer & company would be much more profitable than suing some hacker who don't have much.

    5. Re:who goes to jail by Anonymous Coward · · Score: 0

      Well, find out who did it first then.

      Someone wanting to kill through pacemaker faults, would prepare a pacemaker firmware in advance. Then, sit behind the target person on the bus (or in a cafe) with an rf device, reprogramming the pacemaker with the rogue firmware.

      Of course, nothing happens there and then. The attacker leaves, the firmware kills the person a week later by delivering shocks to the heart in the worst possible way. Later, the firmware goes back to normal operation, and is hard to detect. But the mark died.

    6. Re:who goes to jail by ole_timer · · Score: 1

      white hats don't - but grey hats do...read more closely my friend...

      --
      nothing to see here - move along
    7. Re:who goes to jail by ole_timer · · Score: 1

      except the eula typically contains language that spares the vendor in some way

      --
      nothing to see here - move along
  4. Jesus it shouldnt need firmware updates by Anonymous Coward · · Score: 3, Insightful

    It's not a gizmo no one cares about, all the products in the 80/90s had plenty of testing before shipping with just one firmware that wasn't updateable. These updates make manufacturers lazy and sometimes they push out something worse than the one that preceded it.

    No updates, much less need for security. I don't want stuff in me to use the internet in any fashion.

    1. Re:Jesus it shouldnt need firmware updates by ole_timer · · Score: 1

      ...I don't know about you but if I had a pacemaker i'd want it updated...by the way it's rf not the internet...

      --
      nothing to see here - move along
    2. Re:Jesus it shouldnt need firmware updates by Anonymous Coward · · Score: 0

      That's pure stupid. This is a medical device, they update medical procedure minutia all the time of necessity. A pacemaker isn't a fax machine or TV. You're under-thinking use case scenarios you haven't imagined. Updates are required functionality, doing it in plaintext over unsecured TCPIP pipes is the failure. If they didn't update you'd have brickware instead and you'd be thoughtlessly bitching about that, except you'd be correct in that case.

    3. Re:Jesus it shouldnt need firmware updates by ole_timer · · Score: 1

      actually I was wrong - the programmer updates (not the pacemaker itself which updated via rf) that had the bug in it

      --
      nothing to see here - move along
    4. Re:Jesus it shouldnt need firmware updates by Anonymous Coward · · Score: 2

      Yet we have lots of pacemakers who can't be updated which work just fine. Weird.

      Stop excusing incompetence.

    5. Re:Jesus it shouldnt need firmware updates by psychic_bacon · · Score: 2

      There are a lot of good reasons to have these devices connect remotely for firmware updates. For instance, the ability to recognize arrhythmia using signal detection has improved dramatically in the last 5-10 years. For defibrillators, that can be the difference between appropriate and inappropriate shocks where the machine misreads the rhythm. Same is true with pacing and other treatments for a pacemaker. I have a device like this, so I've read a lot about these hacks. I have a device from a different manufacturer, so I don't know if this applies, but the lack of security in many of these devices is scary. Most of the hacks I've read before involve hacking the device itself. It takes a few minutes with an RF wand to do a firmware update, so hacking the pacemaker/defibrillator itself is hard to do But if you can hack the device that does the updates, that is really scary. It's a lot easier to hack a device left in a closet rather than something physically embedded in a person.

    6. Re:Jesus it shouldnt need firmware updates by arglebargle_xiv · · Score: 1

      A lot of them shouldn't even need firmware. When you go to a hospital, you may get a choice between a traditional drip, dosage measured via drip rate, and the computerised equivalent, with 85 levels of menus, some with hundreds of entries, a 640 x 480 display filled with the programmers showing off how much crap they can cram into a 640 x 480 display, dozens of options and parameters to get wrong, beeps and bongs all night long, graphics and animations and a hidden flight simulator and a Tetris game as an easter egg and remote access via telnet and HTTP and inverse-logic morse code and a phone-home to a server in Uzbekistan where the RTOS was licensed from.

      Which one would you trust to function correctly?

    7. Re:Jesus it shouldnt need firmware updates by Cro+Magnon · · Score: 1

      ...I don't know about you but if I had a pacemaker i'd want it updated...by the way it's rf not the internet...

      Considering the mess with my last Win10 update, I don't think I would.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    8. Re:Jesus it shouldnt need firmware updates by Anonymous Coward · · Score: 0

      When patients demand adaptive pacing to improve their quality of life and possibly their longevity (so that the pacer adjusts its pacing based on perceived activity level) how do you plan on accomplishing that without firmware that senses and dynamically responds to the body's own electrocardio signals?

    9. Re:Jesus it shouldnt need firmware updates by ole_timer · · Score: 1

      i'm sure Microsoft didn't control your pc...who was the maker of it?

      --
      nothing to see here - move along
    10. Re:Jesus it shouldnt need firmware updates by Cro+Magnon · · Score: 1

      I believe it's an Azus.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    11. Re:Jesus it shouldnt need firmware updates by Cro+Magnon · · Score: 1

      Oops, ignore previous. The pc with the problem is an HP.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    12. Re:Jesus it shouldnt need firmware updates by ole_timer · · Score: 1

      exactly...

      --
      nothing to see here - move along
  5. Re:lol he name BeauHD by rickb928 · · Score: 0

    Sure, so true, because after all the manufacturers will take this article (and the fine /. writeup), post it on the bulletin board, and the product teams will study this and make the minimum changes to address those, and only those, deficiencies.

    Sadly, people think less of manufacturers every day. I would expect that they will also consider signing their data, oh, damn, you missed that.

    Feh.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  6. So turn off the wi-fi? by Anonymous Coward · · Score: 0

    Can I do that? Is there a http access to my pacemaker to do that? How?

    1. Re:So turn off the wi-fi? by bobbied · · Score: 1

      It's not the pacemaker that's the issue, it's the programming device when it got updated firmware that was insecure.

      So, no HTTP access to your ticker or hacking the neighbor's pacemaker over his WiFi...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  7. the film Dead in a Heartbeat by Joe_Dragon · · Score: 1

    the film Dead in a Heartbeat

  8. No remote access by Anonymous Coward · · Score: 1

    In addition to using signed binaries, run a pair of wires to just beneath my skin.

    If it ever needs reprogramming, make a small incision and wire me up for the upgrade.

    Save the wireless things for less-consequencial things like reading the device's status. Even then, figure our some way to prevent an adversary from reading it unless he is rught up next to me for an extended period of time.

    1. Re:No remote access by PPH · · Score: 1

      make a small incision and wire me up for the upgrade.

      Wire you up to what? A programmer that has been compromised?

      Your TV set has better end-to-end security to ensure unauthorized Mickey Mouse movies aren't being viewed on unapproved hardware.

      --
      Have gnu, will travel.
    2. Re: No remote access by Anonymous Coward · · Score: 0

      Aha! That's it. We need Disney to start making medical devices.

    3. Re: No remote access by Anonymous Coward · · Score: 0

      I guess you can afford to go to surgery every time the device needs to be tweaked, and don't care about the associated infection risk.

      When these things get infected, it's a nightmare.

  9. As long as a pacemaker patient.... by Anonymous Coward · · Score: 0

    ....does not go to the BlackHat Conference, they should be fine!

    1. Re:As long as a pacemaker patient.... by bobbied · · Score: 1

      ....does not go to the BlackHat Conference, they should be fine!

      It's not the patient's pacemaker that's at risk but the device the doctor uses to program the pacemaker.

      So, you don't want your doctor to take his Medtronic pacemaker programming device to the BlackHat conference and turn it on to load firmware updates using whatever WiFi access point he happens to find. So, I'm not very worried... Zapp.. What was that? Zapp....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  10. Re:lol he name BeauHD by Anonymous Coward · · Score: 0

    Sadly, people think less of manufacturers every day

    As well they should. I know that my own company is pretty much incompetent, and it's a miracle we have any customers at all.
    Of course, we have tens of thousands of customers and are reasonably successful.
    And there you see is the problem.

  11. Re:lol he name BeauHD by mmaug · · Score: 2

    The vendors already default to lowest-cost solutions which is why HTTP is what is currently used; HTTPS isn't ideal but it would be a significant improvement (except of course the certs will get left out on a web server to be stolen, because security?).

    Beyond security, there are issues about proper testing (did you know that pace makers are only tested on 50+ males; what happens when you put one in a 20yo pregnant woman?) and (the lack of proper) government oversight.

    See Karen Sandler (https://twitter.com/o0karen0o; https://punkrocklaywer.com/ of the Software Freedom Conservancy and the battles she's had with pace maker manufacturers trying to get access to information on the device implanted in herself. And she can tell the first hand story about being a 20+yo pregnant woman being shocked by her pace maker while exercising...

  12. WTF??? by Anonymous Coward · · Score: 0

    Why in the bloody fuck does a pacemaker 1) connect to a network or 2) need firmware updates?

    Holy shit!

    1. Re:WTF??? by Anonymous Coward · · Score: 0

      How else are they going to get away with blaming "hackers" for their inability to build a reliable apparatus with software?

    2. Re:WTF??? by Chewbacon · · Score: 1

      RTFA

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    3. Re: WTF??? by Anonymous Coward · · Score: 0

      It's not the pacemaker itself. It's the programming devices that are in doctors offices. Imagine if the company comes out with a new pacemaker, it would be ridiculous to shell out the $$$ for a new office programmer when you could just update it.

  13. You need the update, dumbass, to your logic by Anonymous Coward · · Score: 1

    People with pacemakers die of problems every day, you're oblivious lol. "Faulty pacemakers 'killing 2,000 a year': Third of unexpected deaths among patients thought to be caused by malfunctions" :

    Scientists say there is evidence implants could be 'cause of mortality'

    Research found 30 per cent of cases of sudden death were caused by mechanical flaws in the battery-powered devices

    PUBLISHED: 19:29 EDT, 9 August 2015 | UPDATED: 13:08 EDT, 30 October 2015

    A third of unexpected deaths among heart patients with pacemakers and similar devices could be caused by malfunctions, research suggests.
    Scientists say there is evidence the implants could be a 'leading cause of mortality' and warn the findings are a 'major concern'.

    So no, there is room for improvement you dumbass. No device is perfectly designed in one go, anyone claiming that updates are never required is a FUCKING MORON, PERIOD. Get tested for the incompetence bug.
    The issue was their plaintext implementation and insecure IP protocols, not the fact that it needs to be updated from time to time like all complex digital devices in the world, you fucking moron.

    1. Re: You need the update, dumbass, to your logic by Anonymous Coward · · Score: 1

      How does a firmware update fix a mechanical flaw, IDIOT

      you ass baboon millennial

    2. Re: You need the update, dumbass, to your logic by Anonymous Coward · · Score: 0

      At the very least NEW FIRMWARE CAN HELP DETECT THEM, you fucking MORON? And pointing out 30% of them are mechanically flawed illustrates it's POSSIBLE that they have flawed software also, FUCKING MORON.

    3. Re: You need the update, dumbass, to your logic by Anonymous Coward · · Score: 0

      You might want to look up 'fucking' and 'moron' in a thesaurus. You repeat it a lot.

  14. A complicated way of committing murder by GuB-42 · · Score: 3, Informative

    Sure, you can hack a pacemaker and kill its wearer. You can also shoot him with a gun, poison him, bomb him, whatever. It is made even easier by the fact that people who wear pacemakers aren't usually at the peak of their shape.

    But like they say in obligatory xkcd, most people aren't murderers.

    1. Re:A complicated way of committing murder by bobbied · · Score: 1

      You are right.

      Somebody is going to hack into the programming device in some doctor's office. Wait for the device to get turned on to update it's firmware, perform a man in the middle attack to load the firmware of the hacker's choice, which is designed to change the parameters of a specific pacemaker device in ways which will kill the patient, not right away, but later, say when the target is asleep.

      I'm thinking that if death of a target is your goal, there might be easier ways..

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:A complicated way of committing murder by novakyu · · Score: 1

      You are right that this is useless if simple death of a target is your goal.

      OTOH, if you want to commit murder in a way that is hard to trace back to you, short of having a Death Note, this might be the next "best" thing.

    3. Re:A complicated way of committing murder by 93+Escort+Wagon · · Score: 1

      But like they say in obligatory xkcd, most people aren't murderers.

      Most people aren’t swatters, either - but unfortunately a few think it’s funny. And those sorts of people seemed to be wired not to blame themselves when their “prank” goes very wrong.

      --
      #DeleteChrome
    4. Re:A complicated way of committing murder by Anonymous Coward · · Score: 0

      Sure, you can hack a pacemaker and kill its wearer. You can also shoot him with a gun, poison him, bomb him, whatever. It is made even easier by the fact that people who wear pacemakers aren't usually at the peak of their shape.

      If the person is older, cause of death may be assumed and the real problem may not even be discovered.

      Even if it is discovered in autopsy, pacemakers have almost a 0.5% failure rate. 2 out of 1000 people with them will die due to malfunction.
      So long as one doesn't use this method in mass, it would likely be assumed they were one of those unlucky 0.5%

      To selectively target someone would need additional information (IE registered serial number to patient name) and a lot of time to wait for the infection vector to work.
      However if that is acceptable, you could target individual serial numbers and wait for their yearly doctor visit to have the payload installed, and never need to be within physical range of the target.

      That is a feature all of your alternate methods don't have.
      Guns and bombs can't kill anyone not within range of the weapon.

      Poison could, although if you went the simple route you would need to be within range of the target at least once, and the fact poison caused the death is easily determined, so it could very well be detected as murder and you were at one time an anomaly within range to deliver it.
      It would be possible to get caught.

      Of course the pacemaker method can be done a whole lot faster and specifically targeted if you're willing to get within range to plant your RF transmitter.
      That would have most of the downsides for poison above, but may or may not be detected as a murder.

      I'd also presume if a person wanted to kill someone, indiscriminately without caring who that someone is, the pacemaker option would be far too much work involved compared to most anything else.

    5. Re: A complicated way of committing murder by Anonymous Coward · · Score: 0

      .5% of 1000 is 5

    6. Re:A complicated way of committing murder by dasunt · · Score: 1

      But like they say in obligatory xkcd [xkcd.com], most people aren't murderers.

      Here's why this line of reasoning fails:

      All it takes is one individual who will threaten to kill pacemaker users unless they get ONE MILLION DOLLARS *raises pinky to mouth*

      Is the threat real? Who knows? Probably just some guy in Romania making idle threats. Can a major company risk it?

      What happens if the scammer realizes that people with pacemakers tend to die anyways, and publicizes a threat to kill one random person with the pacemaker within the next week? Note I'm not saying that the scammer has any capability to kill someone, but they are gambling on someone dying in the next week and the resulting outcry causing the company to pay up before they can fully investigate.

      Or what about this? Politicians tend to be of advanced age, which is the demographic that disproportionately use pacemakers as well as other medical devices. Sure, you may be able to fry the device various ways, but a lot of the time, a bricked device will likely still result in someone being alive, at least long enough to treat and replace the medical device. If you wish to kill someone, it's time to reprogram the device so it's active in a malicious way. We've seen complex assassination attempts, or attempted assassination attempts (Alexander Litvinenko, Viktor Yushchenko, Georgi Markov, etc). The resources needed to hack a pacemaker is within this realm of complexity.

    7. Re:A complicated way of committing murder by Anonymous Coward · · Score: 0

      OTOH, if you want to commit murder in a way that is hard to trace back to you, short of having a Death Note, this might be the next "best" thing.

      Exactly. Few will even think of this option. If anything, they chalk it up to "pacemaker failure" and sue the manufacturer. A silent killer don't want to use Russian nerve agents or polonium. Those are for "sending a clear message". Guns, knives or rat poison is no good either, foul play is obvious. But someone with a pacemaker died from heart trouble - no surprise there. Ideal if you need someone dead from "natural causes"

      Useful if you stand to inherit a very large sum. Can't resort to simpler forms of murder, as you're the only suspect. A hit-man is likewise a bad idea, you're the only one with a motive to hire one. So instead, you hire a programmer the medical company laid off recently.

    8. Re:A complicated way of committing murder by Anonymous Coward · · Score: 0

      Is the threat real? Who knows?

      To show the threat is real, disclose to them the alternative firmware. They can then test it in a test rig (or a lab animal) and see just what it does.

  15. Re: lol he name Butts by Anonymous Coward · · Score: 0

    I'm Sparticus!

  16. Re: lol he name Butts by Anonymous Coward · · Score: 0

    I work as an MD. The amount of ignorance in the healthcare sector about info sec is absurdly high. Something needs to change before people start getting hurt.

    The medical profession generally has arrogance and ignorance together while making life or death decisions. I'm not surprised they have issues with info sec too.

  17. Re:lol he name BeauHD by Anonymous Coward · · Score: 0

    This is not uncommon. Non-tech business people severely underestimate the costs of IT. Most of them have no business collecting credit cards because they are total dipshits.

  18. Wonder if Dick Cheney uses a MedTronic? by Dr_Marvin_Monroe · · Score: 1

    As the main cheerleader for US waterboarding, I've wondered how a motivated individual might subject him (Cheney) to a similarly terrifying and helplessness inducing experience.

    Tweaking his pacemaker up & down through it's full range of speeds...with occasional stops & restarts might just do the trick! Just imagine how exciting it would be to discover your heart racing at 180 BPM for no apparent reason...then dropping off to an almost unconsious 20 BPM...now back up to 180 for a bit... Perhaps almost as terrifying as the repeated sensation of drowning.

    1. Re:Wonder if Dick Cheney uses a MedTronic? by Anonymous Coward · · Score: 0

      Dick Cheney purposely had wireless communication turned off in his pacemaker for that very reason.

    2. Re: Wonder if Dick Cheney uses a MedTronic? by Anonymous Coward · · Score: 0

      Cheney had a Medtronic device but then had a heart transplant. Likely did not need a device after that.

  19. w/e by Anonymous Coward · · Score: 0

    Variations on this same story, with almost exactly the same comments, have been appearing for maybe 3 years afaik.

  20. Re: lol he name Butts by Anonymous Coward · · Score: 0

    So do I. The level of dumbassery is astounding. I can walk into any hospital with a HUGS infant tracking system and shut it down. I called the company about the vulnerability in 2008. Itâ(TM)s still there.

  21. Meditronic? Not their first vulnerability! by Anonymous Coward · · Score: 1

    Homebrew Pancreas Gets 30 Minutes of Fame

  22. Re: lol he name Butts by Anonymous Coward · · Score: 0

    I feel Life Hacks is oddly appropriate too.

  23. Yeah right by Anonymous Coward · · Score: 0

    They'll get it fixed in about 15 years after FDA approves their new design.

  24. New ransomware by Mishotaki · · Score: 1

    pony up 50 000$ or get shocked every 2 minutes!

  25. Re: lol he name BeauHD by Anonymous Coward · · Score: 0

    What's wrong with using tls with client certs for this?

  26. Sometimes direct murder is politically problematic by aepervius · · Score: 1

    Say you are the US and want to kill Putin/Castro/insert boogey man of your choice. There is a risk of nuclear war if detected. Do you : 1) do make a plain sniper murder or do you 2) hack the re-programmer for the pace maker so that if it detects a specific patient it change the therapy to be deadly ,e.g. fail to deliver shock or do it at an irregular rate, but report to forensic the correct rate ? Same thing for any group XYZ wanting to murder somebody ABC but wanting to avoid the consequence IJK associated with plain murder.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  27. Dick Cheney by TheCastro1689 · · Score: 1

    The VP was right with his concerns when he got one. Damn.

  28. No need to hack by Anonymous Coward · · Score: 0

    No hackers required for a pacemaker to malfunction. My father had one of those and it was of great benefit at first. But then, at some routine examination, the doctors decided to enroll him in a study /without telling him/. What exactly they did I don't know but it amounted to programming the pacemaker to only do its job when the heart on its own beats at a very low frequency (40 bpm). What they wanted to study was the psychological influence of bearing a pacemaker on the heart's pace, i.e. whether the psyche can control a failing heart.

    Only after my father's health deteriorated progressively without any obvious reason (he had a very hard time breathing, i.e. getting enough oxygen) did they undo these changes. His heart was damaged by this procedure though and he never recovered from it and eventually he died from the consequeces. My mother put the doctors and the hospital on trial and she could actually prove what they had done with the medical records while they could not produce any proof of his consent being included in the study.

    This was 65 years after WWII in Austria, btw.

    So yeah, pacemakers can be reprogrammed from the outside, whether by malicious hackers or malicious doctors makes no difference.