Slashdot Mirror


Medtronic Locks Down Vulnerable Pacemaker Programming Kit Due To Cybersecurity Concerns (theregister.co.uk)

AmiMoJo shares a report from The Register: The U.S. Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants. The watchdog's alert this week comes after Irish medical device maker Medtronic said it will lock some of its equipment out of its software update service, meaning the hardware can't download and install new code from its servers. That may seem counterintuitive, however, it turns out security vulnerabilities in its technology that it had previously thought could only be exploited locally could actually be exploited via its software update network. Malicious updates could be pushed to Medtronic devices by hackers intercepting and tampering with the equipment's internet connections -- the machines would not verify they were actually downloading legit Medtronic firmware -- and so the biz has cut them off.

40 comments

  1. And IoT will be much more secure... right by Mathinker · · Score: 4, Interesting

    We're talking a device which when it malfunctions, kills (or could kill) someone. And still the manufacturer didn't get the basics of security correct: using signed software updates.

    How can we believe that IoT devices, which are manufactured with much less profit overhead, will be more secure? (Unless somehow regulated -- which also didn't for for those FDA-approved pacemakers).

    1. Re:And IoT will be much more secure... right by Mathinker · · Score: 1

      Errata:

      "which also didn't for for those FDA-approved pacemakers" -> "which also didn't work for those FDA-approved pacemaker programmers"

    2. Re:And IoT will be much more secure... right by JaredOfEuropa · · Score: 2

      Does the FDA approval process include an audit of IT security measures and practices?

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:And IoT will be much more secure... right by AmiMoJo · · Score: 1

      The FDA alert notice says that the FDA made the determination that there was a problem, so it sounds like they didn't realize during the approval process but have figured it out now.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:And IoT will be much more secure... right by gnasher719 · · Score: 2, Interesting

      To put this into perspective: Anyone having _any_ pacemaker is vulnerable to non-electronic attacks involving loaded guns, and there are many more people capable of doing such an attack than the electronic attack.

    5. Re: And IoT will be much more secure... right by BanHammer · · Score: 3, Insightful

      I don't think anyone wants you to believe that IoT devices will be much more secure. They just claim to add some small convenience to your life and the masses are buying them like hotcakes with little concern for security or privacy.

    6. Re:And IoT will be much more secure... right by Anonymous Coward · · Score: 1

      but an electronic attack could happen from anywhere in the world and leave practically no trace; not so easy with a gun

    7. Re:And IoT will be much more secure... right by Anonymous Coward · · Score: 0

      The mail bomb attack can happen from anywhere in the world. Similar for various poisons that don't register on metal detectors.

    8. Re:And IoT will be much more secure... right by Anonymous Coward · · Score: 0

      We're talking a device which when it malfunctions, kills (or could kill) someone. And still the manufacturer didn't get the basics of security correct: using signed software updates.

      If it's optional to a business and that option costs money, they won't do it. Plain and simple. Until these devices actually start killing people and become more than a theoretical threat on paper, there won't be a damn thing done about it from a mandatory/regulatory standpoint.

      And unfortunately, it sounds like the vendor didn't really fix anything here. You still have a device that does not check for signed software updates, which could likely be exploited locally. Disabling OTA updates isn't really a true fix.

      How can we believe that IoT devices, which are manufactured with much less profit overhead, will be more secure? (Unless somehow regulated -- which also didn't for for those FDA-approved pacemakers).

      Same answer as above. Until some class-level attack against home thermostats ends up actually killing people, there won't be a damn thing done about insecurity in IoT.

    9. Re:And IoT will be much more secure... right by JaredOfEuropa · · Score: 1

      Those are two different things: finding a problem in approved hardware and acting on that, or actively looking for problems and gaps during the approval process. Which would include for example the aforementioned lack of signed software updates.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    10. Re:And IoT will be much more secure... right by jellomizer · · Score: 2

      The problem is no one wants to add 6 additional months to a product to make it much more secure.
      Then there is getting people who are willing to think about security problems when making such products.

      A good security design is much more than a normal checklist of items. It is designing your product in a way that you will assume that any level of your application could be broken into. So you need to make sure that each level, once in, will need to limit what damage it could do.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    11. Re:And IoT will be much more secure... right by Anonymous Coward · · Score: 0

      You're not putting anything into perspective, you're confusing the issue and possibly attempting to inject your own politics.

      Guns have fuck-all to do with this conversation.

  2. set the recording straight by Anonymous Coward · · Score: 0

    cease fire stand down.. extrapolate along,, https://www.youtube.com/watch?v=T-6FmYqIeps

  3. Re:The federal deficit has soared +17 percent. by Anonymous Coward · · Score: 0

    The federal deficit has soared 17 percent in the president’s first fiscal year. Other people's money is running out again, "conservatives"? - https://www.huffingtonpost.com...

    Never mind that, just keep repeating the line that Trump is the best thing ever and everything is better than it ever has been, as everything will be just fine; the truth is irrelevant.

  4. How does it improve security? by enriquevagu · · Score: 2, Insightful

    The original company stops making updates available.
    Before that, a hacker could impersonate the update server (probably using a MITM attack) so the device received a hacked firmware, not the legit one. But if no hacking occurs, the device receives a legit update.
    After the change, if a hacker impersonates the (unavailable) update server, the device can only find the hacked firmware, never the legit one.
    How is this exactly improving security?

    1. Re:How does it improve security? by gnasher719 · · Score: 2

      How is this exactly improving security?

      Depends on how they are doing it. If you try to update an iPhone, the iPhone will ask Apple if the update is legit. Maybe they did something similar, but hackers found ways to create updates that will be identified as "legitimate". All they need to change is the "legitimate" checker to always return "NO".

    2. Re:How does it improve security? by Anonymous Coward · · Score: 0

      It improves legal security for them.

      No need to keep their servers secure, being able to claim that any harm was caused exclusively by a third party, without them being in the loop.

      And since the users were already somewhat warned about the issue, the company deflects most of the responsibility to those reckless ones who knowingly kept using known vulnerable gear against the responsible company's advice.

    3. Re:How does it improve security? by dissy · · Score: 1

      After the change, if a hacker impersonates the (unavailable) update server, the device can only find the hacked firmware, never the legit one.
      How is this exactly improving security?

      "The change" was to push an update that modifies the software to never attempt to retrieve updates.

      It improves the security in a way, because a hacker impersonating the update server would never get any hits to download those updates.

      Obviously it isn't the type of improvement that's desired, to sign updates to ensure they are from the right source, but ultimately if the computers aren't connecting anywhere to attempt to download updates, both methods still result in no malicious updates being retrieved.

    4. Re:How does it improve security? by AmiMoJo · · Score: 2

      From what I can get from their web site the diagnostic system is basically a PC that downloads a firmware image, and then uploads it to the pacemaker. The pacemaker itself never connects directly to the internet.

      The update disables the online update mechanism on the diagnostic equipment entirely. Presumably they could still send out a USB flash drive with new firmware if required. But the diagnostic PC won't even look for new firmware any more.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:How does it improve security? by jellomizer · · Score: 2

      Perhaps. But these things are being implanted in Baby Boomers. That generation made suing people for any sort of damages (real or imaginary) cool and the trendy thing to do.
      Granted, it is probably a bit better than the old way, where they would just shoot each other.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:How does it improve security? by Anonymous Coward · · Score: 0

      Obviously it isn't the type of improvement that's desired, to sign updates to ensure they are from the right source,

      Why code signing will always fail in a nutshell:
      (But, especially when the attacker controls the hardware.)


      # Before Hack:
      if (update-available() == TRUE) {
              if (update-sigcheck() == ERR_VERIFIED_OK) {
                        install_update();
              } else {
                        abort_update();
              }
      }

      # After Hack:
      if (update-available() == TRUE) {
              if (update-sigcheck() == ERR_VERIFIED_OK) {
                        install_update();
              } else {
                        install_update(); # <=== Oops.
              }
      }

      Bonus for the ASM hackers:

      ; Before Hack:
      mov r2, ebx
      cmp
      JZ [ EIP + 0x33656 ]
      JMP [ EIP + 0x34678 ]

      ; After Hack:
      mov r2, ebx
      cmp
      JZ [ EIP + 0x33656 ]
      JMP [ EIP + 0x33656 ] ; <=== Oops.

      Come up with as many convoluted hashing and encryption algs as you want, if they can control the final JMP pointer, they win.
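
Added example (not from any commenter, and not Medtronic's code): the point above is that a verifier which runs from writable storage can have its failure branch patched. The defender's counterpart to that is a chain of trust, where the stage that holds the update check is itself signature-checked by an earlier, immutable stage before it runs. This Go program models that with the standard library's Ed25519: the loader image is a constructed byte string whose last byte stands in for the "on signature failure" branch, `romBoot` plays the immutable stage 0 with a pinned 32-byte public key, and `patchLoader` performs the branch flip from the comment without the signing key. The names `Stage`, `romBoot`, `patchLoader` and the byte-flip model are all assumptions of this example. It does not answer the comment's stronger case: if the attacker can also rewrite stage 0 or the pinned key, nothing below helps.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Stage is one link in the boot chain: the code bytes of the next stage plus
// the vendor's signature over them. Stage 0 (ROM) is not a Stage value; it is
// the fixed romBoot code below plus the pinned key, assumed unwritable.
type Stage struct {
	Code      []byte
	Signature []byte
}

// ErrChainBroken is returned when a stage does not verify; boot halts there.
var ErrChainBroken = errors.New("stage signature does not verify; halting boot")

// The loader is modelled as a constructed byte string whose last byte is the
// branch taken when an update's signature check fails: 'A' aborts, 'I' installs
// anyway. Flipping that byte is the "JMP [ EIP + 0x33656 ]" edit from the comment.
const (
	branchAbort   = 'A'
	branchInstall = 'I'
)

func buildLoader(onFail byte) []byte {
	return append([]byte("constructed loader image; on-sig-fail->"), onFail)
}

// romBoot is stage 0. It verifies the loader against the pinned key before
// handing over control and reports which failure branch that loader carries.
func romBoot(pinned ed25519.PublicKey, loader Stage) (byte, error) {
	if len(loader.Code) == 0 || !ed25519.Verify(pinned, loader.Code, loader.Signature) {
		return 0, ErrChainBroken
	}
	return loader.Code[len(loader.Code)-1], nil
}

// patchLoader flips the failure branch to "install anyway" while leaving the
// original signature in place, which is all an attacker without the key can do.
func patchLoader(s Stage) Stage {
	code := append([]byte(nil), s.Code...)
	code[len(code)-1] = branchInstall
	return Stage{Code: code, Signature: s.Signature}
}

// BootResult collects one run so it can be checked by a test.
type BootResult struct {
	GenuineBooted     bool // unmodified loader passed stage 0
	GenuineFailBranch byte // branch the accepted loader takes on a bad update
	PatchedRejected   bool // patched loader was refused by stage 0
}

// RunBootChain signs a genuine loader, boots it, then tries the patched copy.
func RunBootChain() BootResult {
	pinned, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Stage{Code: buildLoader(branchAbort)}
	genuine.Signature = ed25519.Sign(priv, genuine.Code)

	branch, errGenuine := romBoot(pinned, genuine)
	_, errPatched := romBoot(pinned, patchLoader(genuine))

	return BootResult{
		GenuineBooted:     errGenuine == nil,
		GenuineFailBranch: branch,
		PatchedRejected:   errors.Is(errPatched, ErrChainBroken),
	}
}

func main() {
	fmt.Printf("%+v\n", RunBootChain())
}
```

The design choice worth noticing is that the update check's failure branch is inside the bytes that stage 0 signs, so the patch and the signature cannot both survive: the attacker has to either leave the branch alone or break the signature that lets the loader run at all.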

  5. Re:And IoT will be much more secure... by Alwin+Henseler · · Score: 1

    From the article:

    The security bugs are not present in the implants themselves, but rather in Medtronic "programmers," which doctors and medics connect to patients' implants during and after surgery, allowing them to check battery levels, monitor heart rhythms, and adjust any settings.

    So -in this case- it's not patients' pacemakers etc. at risk, but the equipment that monitors those pacemakers & perhaps adjusts their settings. I'd imagine that as a hacker, you could (perhaps) still do some damage, like adjusting settings to the point where a pacemaker becomes ineffective. But this is rather different from upload-compromised-firmware-to-implant, which the summary might suggest to some.

  6. Barnaby Jack said it best.... by Anonymous Coward · · Score: 0

    there is "certainly a potential health risk".

  7. Security not even an agenda item by ArhcAngel · · Score: 4, Insightful

    I worked for a competitor to Medtronic that manufactured pacemakers in the 90s. The "state of the art" communication with the IC was an antenna that used PWM to talk. As long as you knew the handshake you could program it however you wanted. But if you wanted to be malicious you didn't even need to go to that much trouble. Many remember the signs posted in convenience stores that had microwave ovens, because the stray noise from them could literally wipe out the programming on a pacemaker.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:Security not even an agenda item by Anonymous Coward · · Score: 0

      Yeah, your information is 20 years out of date. The devices use a protocol for wand-distance telemetry.

      Regardless, even in the 90's if you were within wand distance you were also within knifing and strangulation distance, among other things.

  8. Walk Away from CoCs by Anonymous Coward · · Score: 0

    Free Software developers of the world, open your eyes! Our communities are being raped, our work pillaged.

    Detestable villains - thieving, mean spirited, belligerent, racist, unprincipled - are using underhanded tricks to force hypocritical "Codes of Conduct" on the projects we built.

    These petty-authoritarian CoCs are always imposed anti-democratically. There is never free debate, and usually no public discussion at all. They are imposed by force without a vote. If the CoCs were put up for a fair democratic vote by project contributors, they would always lose by a landslide.

    The purpose of these CoCs is to allow social activists, who have contributed nothing to the project, to conduct witch hunts against anyone who opposes their hate-driven agenda. Thereby they plan to steal our work for their shadowy corporate paymasters.

    You can readily tell these CoCs are not about "just being nice" - because they are ALWAYS supported by the very LEAST NICE, most aggressively mean and shamelessly bigoted people you can imagine. Look how the CoC-mongers treat anyone who disagrees with them as subhuman.

    If a project to which you contribute has been raped by CoC-mongers there is a simple solution: WALK AWAY. Never contribute again. If you have a patch almost ready, count the time you spent on it as a loss and throw it away. If you see a security issue, remain silent and do nothing. IT'S NO LONGER YOUR PROJECT. YOU ARE NOT WELCOME THERE.

    If you are evaluating new software, don't even consider any projects burdened under the tyranny of a CoC. Their technical attributes do not matter - just don't consider them. Never be openly political, always make up a technical reason for rejecting CoCed projects.

    Don't argue in public about the CoC. Doing so only exposes you to needless risk. You might be dis-employed, blackballed, and even set up for a #MeToo purge. Just stay far away. If you resign from a project that gets CoCed, try to do so on the same day the CoC is imposed. But give "spend more time with friends & family" or "pursue other interests & projects" as your reason for resignation. Protect yourself!

    Comrades: Individually we are powerless, and easily crushed beneath the iron boot of Corporate Social Just-Us. But together in solidarity we are millions and we are strong. The Internet itself depends on our collective labor. If we stop working, the internet stops working.

    Free Software developers, save yourselves and save your communities! Just WALK AWAY from any project with a CoC. Without our labor they are nothing.

  9. How is this not a solved problem by cciechad · · Score: 2

    Sign the code with a private key and compare a hash. Secure devices have been doing this for some time.

    --
    https://www.fsf.org/associate/support_freedom
  10. Extremely misleading by Anonymous Coward · · Score: 0

    There are no "security" problems in these devices. Read the articles properly people and stop adding your "interpretation".

    As usual this is all overblown bullshit by the likes of marxists who want to force companies to "open source" there products to protect the feelings of snowflakes.

    1. Re:Extremely misleading by Anonymous Coward · · Score: 0

      "want to force companies to "open source" there products"

      I'm actually hoping they'll "open source" HERE products instead.

  11. Damn, now can't overclock grandpa by Anonymous Coward · · Score: 0

    Now that grandpa can't be overclocked, who's gonna play football with me.

  12. Anyone surprised? by Anonymous Coward · · Score: 0

    That may seem counterintuitive, however, it turns out security vulnerabilities in its technology that it had previously thought could only be exploited locally could actually be exploited via its software update network. Malicious updates could be pushed to Medtronic devices by hackers intercepting and tampering with the equipment's internet connections

    I wish I could say I'm surprised, or I'm shocked ... but the reality is, most consumer electronics have shit security, and from what I've heard most medical devices have even less.

    There's only one solution to this ... companies bear full legal liability for the security of their products. None of this "oh, we tried but we're just too stupid", but full legal liability leading to huge fines and sanctions.

    The less actual security you had, the higher the penalties, so that all of those default passwords and backdoors should lead to a company being crippled financially. If you're a medical device company and someone dies because you had little or no security, your CEO is criminally liable.

    Until this happens, shit security written by morons at the encouragement of greedy assholes will be the norm.

    This is why the overwhelming majority of network connected things are complete and utter garbage, and not something I will buy. Until most consumer electronics companies demonstrate actual abilities to implement security, I'm going to keep assuming most of it is shit, and not waste my money on it.

    And we're a long way from that changing.

    1. Re:Anyone surprised? by Woeful+Countenance · · Score: 1

      There's only one solution to this ... companies bear full legal liability for the security of their products.

      The problem with that is that instead of having insecure pacemakers, we'd have no pacemakers at all, which would be worse. Or they'd cost a lot more, to support the cost of fighting lawsuits and paying fines. There has to be a middle ground somewhere.

  13. Updating... Please Wait. by kackle · · Score: 1

    I write embedded firmware for a living. Someone mentioned using keys/certificates. I don't see how such a small device with limited power can deal with the heft of full digital security.

    Further, it's a pacemaker! It does the same thing as they did decades ago, no? Why are there even post-factory updates?!

  14. Re:Updating... Please Wait. by Anonymous Coward · · Score: 0

    I write embedded firmware for a living.

    I write embedded firmware for a living too. I can't think of a microprocessor made in the last 10 years that doesn't have hardware crypto instructions.

    Maybe you should update your skills.

  15. Incomplete solution... by dkman · · Score: 1

    ...medical device maker Medtronic said it will lock some of its equipment out of its software update service, meaning the hardware can't download and install new code from its servers. That may seem counterintuitive... Malicious updates could be pushed to Medtronic devices by hackers intercepting and tampering with the equipment's internet connections -- the machines would not verify they were actually downloading legit Medtronic firmware -- and so the biz has cut them off.

    If this is right, locking them out of the service on the server side doesn't do a damn thing. You need to tell the devices to stop "looking for updates". All this does is let me know that if I got an update after the shutdown then it's fake.

    Cutting off the server side still allows a device to look for updates and if a man-in-the-middle answers it will allow the update, because the whole problem is that it's not verifying the update's source.

    --
    I refuse to sign
    1. Re:Incomplete solution... by dkman · · Score: 1

      After reading some of the other comments it appears they made one "final" update that tells the devices to stop looking for updates. So that works.

      --
      I refuse to sign
  16. I owe Hacknet an apology.. by modi123 · · Score: 1

    I thought Hacknet was full of it, but here I see I was wrong. That event just seemed a little.. too far.. on the far side of the reality bright-line. Whoops.

    https://store.steampowered.com...

  17. Re:Updating... Please Wait. by Anonymous Coward · · Score: 0

    In the microcontroller market (not embedded PC), an X.509 certificate might be larger than available RAM. Some of those chips don't even have hardware multipliers, let alone crypto instructions. And frankly, I'd consider a PIC16 overkill for a pacemaker.
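
Added example (not from any commenter, and not Medtronic's code) covering three earlier points at once: the exchange in comment 4 about an attacker impersonating the update server, cciechad's "sign the code with a private key and compare a hash", and the objection just above that a certificate may not fit in a microcontroller's RAM. This Go program uses the standard library's Ed25519: the vendor signs the SHA-256 digest of an image, the programmer pins a raw 32-byte public key (no X.509 parsing), and a simulated man-in-the-middle swaps the image body while passing the real signature through. `InstallUnverified` is the behaviour the summary describes; `InstallVerified` is the fix. The type and function names, and both firmware images, are constructed for this example. As the JMP-patching comment earlier in the thread notes, this only holds if the verifier itself runs from code the attacker cannot rewrite.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Firmware is what the programmer (the diagnostic PC) downloads: the image
// plus a detached Ed25519 signature over the image's SHA-256 digest, made
// offline with the vendor's private key.
type Firmware struct {
	Image     []byte
	Signature []byte
}

// ErrBadSignature is returned when the image does not match its signature.
var ErrBadSignature = errors.New("firmware signature does not verify against pinned vendor key")

// SignFirmware models the vendor's build step. The private key never leaves
// the vendor; only the 32-byte public key is stored in the programmer.
func SignFirmware(priv ed25519.PrivateKey, image []byte) Firmware {
	digest := sha256.Sum256(image)
	return Firmware{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyFirmware is the check that has to run before anything is installed.
// A raw public key is all it needs, which is what keeps the footprint small.
func VerifyFirmware(pub ed25519.PublicKey, fw Firmware) error {
	if len(pub) != ed25519.PublicKeySize || len(fw.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(fw.Image)
	if !ed25519.Verify(pub, digest[:], fw.Signature) {
		return ErrBadSignature
	}
	return nil
}

// InstallUnverified is the behaviour the summary describes: whatever came
// over the wire is installed. Kept only to contrast with InstallVerified.
func InstallUnverified(fw Firmware) []byte {
	return fw.Image
}

// InstallVerified refuses the image unless its signature checks out; there is
// no code path that installs on the failure branch.
func InstallVerified(pub ed25519.PublicKey, fw Firmware) ([]byte, error) {
	if err := VerifyFirmware(pub, fw); err != nil {
		return nil, err
	}
	return fw.Image, nil
}

// TamperInTransit models a man-in-the-middle on the update connection: the
// image body is swapped and the signature from the real server passes through.
func TamperInTransit(fw Firmware, malicious []byte) Firmware {
	return Firmware{Image: malicious, Signature: fw.Signature}
}

// Outcome collects the results of one run so they can be checked by a test.
type Outcome struct {
	UnverifiedInstalledTampered bool // legacy installer took the swapped image
	VerifiedAcceptedGenuine     bool // signed installer accepted the real image
	VerifiedRejectedTampered    bool // signed installer refused the swapped image
	PublicKeyBytes              int  // what the device must store
	SignatureBytes              int  // what travels with each image
}

// RunScenario plays both installers against a genuine and a tampered download.
// Both images are constructed sample data, not real firmware.
func RunScenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample: programmer firmware build 2.1")
	malicious := []byte("constructed sample: image injected on the wire")

	fromServer := SignFirmware(priv, genuine)
	onTheWire := TamperInTransit(fromServer, malicious)

	var out Outcome
	out.UnverifiedInstalledTampered = string(InstallUnverified(onTheWire)) == string(malicious)
	_, errGenuine := InstallVerified(pub, fromServer)
	out.VerifiedAcceptedGenuine = errGenuine == nil
	_, errTampered := InstallVerified(pub, onTheWire)
	out.VerifiedRejectedTampered = errors.Is(errTampered, ErrBadSignature)
	out.PublicKeyBytes = len(pub)
	out.SignatureBytes = len(fromServer.Signature)
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

On the RAM point: the device stores 32 bytes of key and receives 64 bytes of signature per image, and the verification runs over a 32-byte digest rather than a certificate chain, so the cost that matters on a small part is the one Ed25519 verification, not parsing.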

  18. This is misleading... by Anonymous Coward · · Score: 0

    Sorry guys... they don't OTA update firmware in pacemakers. Ever. What it has is what it has. What this article was talking about is how the manufacturer updates the machines used by the surgeons to initially program the pacemakers during implantation.

    Cardiac surgeons aren't stupid.