750,000 Medtronic Defibrillators Vulnerable To Hacking

The Homeland Security Department has issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, and to keep it plugged in so it can receive software updates, and that they maintain "good physical control" over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.

The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster.) The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.

Re: All Slashdot Articles are Vulnerable to First

Only hitler?

Nobody saw this comming.

No, sireeeee.

Let's put Bluetooth and WiFi in everything just because.

Re: Nobody saw this comming.

Sounds like a good basis for the plot of the next season of 24. You could theoretically work in telemetry. Well, I'm guessing not. Too complicated for TV.

Re: Nobody saw this comming.

Implantable medical devices are ones that merit wireless connections.

Therefore, you're barking up the wrong tree.

Re: Nobody saw this comming.

[mrbester]

Already happened: The Cryptobanker (The Blacklist season 6 episode 10). Aired a fortnight ago.

Cheese and Rice

[rmdingler]

Implantable defibrillators at risk to be compromised by potential outside control?

If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.

Re:Cheese and Rice

"Pay me or I turn off your heart" is a great money maker if you're truly awful.

Re:Cheese and Rice

[JustAnotherOldGuy]

If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.

I agree, but the sad fact is that there are plenty of people who would be only too happy to devote the time to hacking this device so they could threaten or kill people.

Re:Cheese and Rice

[hcs_$reboot]

If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.

Out of billions some would do that, for free. Why take the risk?

Re:Cheese and Rice

[andydread]

Implantable defibrillators at risk to be compromised by potential outside control?

If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.

4chan 8chan gab are full of these trolls that would salivate at doing exactly that.

Re:Cheese and Rice

[GuB-42]

I agree, but the sad fact is that there are plenty of people who would be only too happy to devote the time to hacking this device so they could threaten or kill people.

There are much simpler ways of killing people than hacking defibrillators.
Killing people is easy. Good thing most of us aren't murderers.

Re:Cheese and Rice

[hermi]

Or, you are a patient, wear one of those and want to not fear for your life because some idiot thought that an open WLAN into your heart was a good idea.

Re: All Slashdot Articles are Vulnerable to First

If I were a poet I would capture you

I'm surprised they aren't on the cloud yet

[Rosco+P.+Coltrane]

Logic today seems to dictate that all the input data is sent over to a server somewhere, and the control commands come back down from the server over the internet, with zero local control between the two. Isn't that how things should be done these days?

Re:I'm surprised they aren't on the cloud yet

These things should only connect with a physical interface. You're going to need some wires coming out.

Re:I'm surprised they aren't on the cloud yet

The chance of getting an infection and dying from wires hanging out of your chest are probably a lot greater than someone hacking your defibrillator. I think I'll get a second opinion, Dr Anonymous.

Re:I'm surprised they aren't on the cloud yet

[Dunbal]

I have a defibrillator from Boston Scientific. The wireless has to be turned on by placing a magnet against my skin above the defibrillator. Then it will talk to the technician's computer. Once the magnet is removed, the wireless is off again. It would be pretty dumb to have a device default to open at all times.

Re:I'm surprised they aren't on the cloud yet

[sjames]

That makes a lot of sense. Easy to access legitimately, hard to access nefariously.

Re:I'm surprised they aren't on the cloud yet

[religionofpeas]

The wireless has to be turned on by placing a magnet against my skin above the defibrillator.

That's not going to work well when it needs to talk to the bedside monitor every night.

Re:I'm surprised they aren't on the cloud yet

Pretty dumb from a technology perspective but being able to monitor someone 24x7 and automatically submit information to doctors as soon as the defib fired could be very useful and potentially life saving.

No recall

The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.

Could you imagine (another)heart surgery due to a recall for a software bug? This entire concept needs to be rethought IMO. The testing obviously does not meet requirements. Wonder if there's a "make grandpa grab his chest" easter egg /s.

Re:No recall

Derp. The physical leads go into the heart. The actual device sits in a pocket of fatty tissue outside of the ribcage. No heart surgery required to replace devices.

Please go back to pretending you know what you're talking about with your basic Ruby-on-rails-based simple CRUD apps.

Encryption costs battery power

[gavron]

"Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster"

Locking your door is tricky because is[sic] increases the time to get into your house and makes you use up calories.

Having a PIN on your credit card is tricky because is[sic] increases the time to get your munney and stuff.

Coming up with stupid excuses why in 2019 you didn't deploy encryption by blaming battery life means your software is SHIT.
(Is[sic] increases the stupid factor).

E

Re:Encryption costs battery power

Unlocking your door isn't likely to threaten your life, cutting you open to swap out a battery does. I have no idea how much extra juice encryption would require, but it makes sense that it would require more power. I don't think you or I are qualified to weigh the risk of hacking vs shortened battery life. So your emphatic hand waving is some pretty serious armchair medical professionalism.

Re:Encryption costs battery power

Since the battery is under the skin and requires surgery to replace, extending its life is of some value to the life of the patient as well.

Re:Encryption costs battery power

[chuckugly]

If that's the concern it seems like the solution would be to implement wireless inductive charging rather than dumb down the gizmo.

Re:Encryption costs battery power

[gavron]

I don't think you are qualified to remark on how qualified I am, but thanks for opining without any factual basis whatsoever.
You can go back to making up random stuff now.

I actually do know what I'm talking about. You can go join DJ Trump in the Land of Make Believe.

E

Re:Encryption costs battery power

You obviously know what you're talking about because you said so and you're so rational.

How much is a heartbeat worth?

Sounds like a great ransomware opportunity. Other malicious operators have shown zero remorse or mercy for impacting systems that manage patient care and could lead to deaths.

Prison

[JustAnotherOldGuy]

People need to go to prison for releasing insecure pieces of shit like this onto the market and for allowing them to be implanted in people.

I read about this shit all the time, and sadly I'm always astounded that NO ONE paid the slightest thought to hardening or securing these kinds of devices. It goes well beyond negligence. Fucking mind-boggling.

Re:Prison

[hcs_$reboot]

People need to go to prison for releasing insecure pieces of shit like this onto the market

Unfortunately that happens more and more ; even the aircraft industry is affected, it seems.

Re:Prison

I'm always astounded that NO ONE paid the slightest thought to hardening or securing these kinds of devices.

There's usually somebody, a lone engineer perhaps, who is familiar with security, encryption or hacking techniques and tries to warn the business people of the danger. Unfortunately, these security wonks are rarely in positions of authority that would allow them to delay releases or increase the costs of product development merely to "increase security". The problem with security is not ignorance, it's money. It's like clean air and water, most people want it but few are truly willing to pay for it. The MBAs cut the budget and rush the product to market as soon as something is halfway working, security be damned. If the engineer tries to interfere, they fire him or if they really need him they just politely ignore him whenever he mentions security.

Everybody Panic Now!

Hackers! With Hacks! Hacking! Everywhere! And the Hackers are now even Hacking with their Hacks IN YOUR HEART!!!!1!

It's Official! You Should Panic! And also click our links a lot. Thanks. Remember! It's Okay To Panic About HACKERS!!!!!1!

How hackable?

[technosaurus]

Can we turn them into something useful like tac-welders?

Re:How hackable?

[Errol+backfiring]

Probably. Even without getting the device out of a person first.

encryption

[religionofpeas]

Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster

I claim bullshit. An AES implementation in hardware is secure and very cheap, especially at the modest communication speeds that these devices would need.

Finally FDA takes action

[misnohmer]

University of Washington had a presentation I saw almost a decade ago where security researchers showed how they can use the fact that the implantable defibrillator uses plain text serial communications (via RF) and how they can remotely do many things, including:
* read all of patients data, including their social security numbers
* change settings of the device, including disabling it completely
* kill a person (theoretical exploit) by disabling the defibrillator function and enabling a test mode which induced a heart attack to stop the heart (the mode is supposed to be used during implantation only, with chest open and doctor ready to standby to revive if the defibrillator didn't revive the patient)
All of the above done with a laptop and $50 worth of parts, up to 100 feet away. The presentation I saw did not disclose which manufacturer that was, but they did say that FDA did not have rules at that time that would prevent manufacturers from using un-encrupted, un-authenticated, not even simple password, connections to control all functions of the device.

Re:Finally FDA takes action

I call BS on the 100 feet away claim. The manufacturers struggle to get it to work beyond a few centimeters. The hack vector IRL would be something like "Do you mind if I place this homemade dongle on the skin above your clavicle, connect it to my laptop, and mess around with your devices settings a little?"
There is realistically no way to do this surreptitiously on any currently-existing device. But it sure does generate headlines for those biomedical geniuses at Homeland Security.

Re:Finally FDA takes action

The manufacturers (Guidant I believe was the above manufacturer, before they got swallowed up) have to follow FCC and FDA guidelines and worry about things like not causing cancer by bombarding people with certain wavelengths constantly.

The hackers, especially like this in a controlled lab environment, not so much.

Re:Finally FDA takes action

If you are suggesting that a higher amplitude signal would work from a longer distance, you are mistaken. You can only penetrate human tissue a certain depth at the comm frequency used by these devices, regardless of the signal amplitude. The best you could realistically do is "Stand still while I place this refrigerator-sized box of electronics a few feet away you and aim it at the device above your clavicle." Is that still considered hacking?

Re:Finally FDA takes action

[religionofpeas]

The manufacturers struggle to get it to work beyond a few centimeters.

I've seen one work about 6 feet away, and it didn't require a large box, or directional antennas.

Re:Finally FDA takes action

[religionofpeas]

You can only penetrate human tissue a certain depth at the comm frequency used by these devices, regardless of the signal amplitude

Not really a relevant objection, since the extra distance between normal use vs remote hacker is not going through human tissue.

This doesn't sound like a bug

I'm sorry but this doesn't sound like a run of the mill bug. This sounds like criminal negligence. Failure to make even a small amount of effort to take reasonable steps to secure a potentially lethal device is criminal.

Re:This doesn't sound like a bug

[munch117]

We can talk criminal negligence the moment someone gets seriously hurt. So far, I haven't heard of that happening in even one single case. I'm not saying it can't happen, I'm not saying it won't happen in the future, just that it doesn't really seem to be happening now.

I know this is not a popular opinion on /., but there is a need for perspective. These devices save lives, and delaying a product launch by even just six months in order to work out the crypto would likely cost lives. Strange as it may sound, delaying proper IT security has saved lives.

I'm not saying it should continue that way, on the contrary: We have the tech now to properly secure low-power devices, and it's time for medical authorities to require its use.

But please, stop calling the people who are building life-saving tech criminals, just because they're not experts in the same field that you are an expert in.

SHOCKING!

SHOCKING!

I Served on a Security Eval Panel at a Hospital...

I served on a security eval panel at a Hospital for network device approval. While not the only vendor that was apathetic about security Medtronic was absolutely the worst for not caring about security. They deserve to be sued.

Software Taser

[LordByronStyrofoam]

Don't hack me, Bro!

That's the 2nd biggest Medtronic programming issue

There was an FDA medical recall a few months ago, which is a far bigger problem in practice. That too is expected to be fixed with a software 'update'.

Medronic Is Completely Incompetent with IT

[kolano]

My personal experience with Medronic has been terrible. I once had a Insulin pump from them that forced data uploads to occur over HTTP connections. I raised that as a likely HIPA violation with them, since they weren't securing the transfer of my medical records. Such bounced around their support for months before I gave up wasting my time trying to get it resolved.

physical proximity

You have to be physically touching the patient with a com cone to activate the communication (reed switch)
So you are worried about a hacker where, in the same room?

Remote execution.

Such devices should not exist in the first place.

oh so bad!

[superhuman.tech]

oh so bad!

We've seen this before

[rickmoen]

Karen Sandler of the GNOME Foundation (and Software Freedom Law Center) called attention to this exact problem in 2010 after she had a Medtronic defibrillator installed.

http://www.softwarefreedom.org...
https://www.youtube.com/watch?...