Slashdot Mirror


Hack Causes Pacemakers To Deliver Life-Threatening Shocks (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday. At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients. Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients. Rios and Butts were also able to use a $200 HackRF software-defined radio to hack a Medtronic-made insulin pump and make it withhold a scheduled dose of insulin. Medtronic has released a page that lists all the security advisories they have issued on the pacemakers and insulin pumps.

5 of 72 comments

  1. Jesus it shouldn't need firmware updates by Anonymous Coward · Score: 3, Insightful

    It's not a gizmo no one cares about; all the products in the 80/90s had plenty of testing before shipping with just one firmware that wasn't updateable. These updates make manufacturers lazy and sometimes they push out something worse than the one that preceded it.

    No updates, much less need for security. I don't want stuff in me to use the internet in any fashion.

    1. Re:Jesus it shouldn't need firmware updates by Anonymous Coward · Score: 2

      Yet we have lots of pacemakers that can't be updated which work just fine. Weird.

      Stop excusing incompetence.

    2. Re:Jesus it shouldn't need firmware updates by psychic_bacon · Score: 2

      There are a lot of good reasons to have these devices connect remotely for firmware updates. For instance, the ability to recognize arrhythmia using signal detection has improved dramatically in the last 5-10 years. For defibrillators, that can be the difference between appropriate and inappropriate shocks where the machine misreads the rhythm. Same is true with pacing and other treatments for a pacemaker. I have a device like this, so I've read a lot about these hacks. I have a device from a different manufacturer, so I don't know if this applies, but the lack of security in many of these devices is scary. Most of the hacks I've read before involve hacking the device itself. It takes a few minutes with an RF wand to do a firmware update, so hacking the pacemaker/defibrillator itself is hard to do. But if you can hack the device that does the updates, that is really scary. It's a lot easier to hack a device left in a closet rather than something physically embedded in a person.

  2. Re:lol he name BeauHD by mmaug · Score: 2

    The vendors already default to lowest-cost solutions which is why HTTP is what is currently used; HTTPS isn't ideal but it would be a significant improvement (except of course the certs will get left out on a web server to be stolen, because security?).

    Beyond security, there are issues about proper testing (did you know that pacemakers are only tested on 50+ males; what happens when you put one in a 20yo pregnant woman?) and (the lack of proper) government oversight.

    See Karen Sandler (https://twitter.com/o0karen0o; https://punkrocklaywer.com/) of the Software Freedom Conservancy and the battles she's had with pacemaker manufacturers trying to get access to information on the device implanted in herself. And she can tell the firsthand story about being a 20+yo pregnant woman being shocked by her pacemaker while exercising...

  3. A complicated way of committing murder by GuB-42 · Score: 3, Informative

    Sure, you can hack a pacemaker and kill its wearer. You can also shoot him with a gun, poison him, bomb him, whatever. It is made even easier by the fact that people who wear pacemakers aren't usually at the peak of their shape.

    But like they say in the obligatory xkcd, most people aren't murderers.