Medtronic Locks Down Vulnerable Pacemaker Programming Kit Due To Cybersecurity Concerns

AmiMoJo shares a report from The Register: The U.S. Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants. The watchdog's alert this week comes after Irish medical device maker Medtronic said it will lock some of its equipment out of its software update service, meaning the hardware can't download and install new code from its servers. That may seem counterintuitive, however, it turns out security vulnerabilities in its technology that it had previously thought could only be exploited locally could actually be exploited via its software update network. Malicious updates could be pushed to Medtronic devices by hackers intercepting and tampering with the equipment's internet connections -- the machines would not verify they were actually downloading legit Medtronic firmware -- and so the biz has cut them off.

How does it improve security?

[enriquevagu]

The original company stops making updates available.
Before that, a hacker could impersonate the update server (probably using a MITM attack) so the device received a hacked firmware, not the legit one. But if no hacking occurs, the device receives a legit update.
After the change, if a hacker impersonates the (unavailable) update server, the device can only find the hacked firmware, never the legit one.
How is this exactly improving security?

Re: And IoT will be much more secure... right

[BanHammer]

I don't think anyone wants you to believe that IoT devices will be much more secure. They just claim to add some small convenience to your life and the masses are buying them like hotcakes with little concern for security or privacy.

Security not even an agenda item

[ArhcAngel]

I worked for a competitor to Medtronics that manufactured pacemakers in the 90s. The "state of the art" communication with the IC was an antenna that used PWM to talk. As long as you knew the handshake you could program it however you wanted. But if you wanted to be malicious you didn't even need to go to that much trouble. Many remember the signs posted in convenient stores that had microwave ovens because the stray noise from them could literally wipe out the programming on a pacemaker.