750,000 Medtronic Defibrillators Vulnerable To Hacking

The Homeland Security Department has issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, and to keep it plugged in so it can receive software updates, and that they maintain "good physical control" over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.

The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster.) The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.

Prison

[JustAnotherOldGuy]

People need to go to prison for releasing insecure pieces of shit like this onto the market and for allowing them to be implanted in people.

I read about this shit all the time, and sadly I'm always astounded that NO ONE paid the slightest thought to hardening or securing these kinds of devices. It goes well beyond negligence. Fucking mind-boggling.

Re:I'm surprised they aren't on the cloud yet

[Dunbal]

I have a defibrillator from Boston Scientific. The wireless has to be turned on by placing a magnet against my skin above the defibrillator. Then it will talk to the technician's computer. Once the magnet is removed, the wireless is off again. It would be pretty dumb to have a device default to open at all times.

Finally FDA takes action

[misnohmer]

University of Washington had a presentation I saw almost a decade ago where security researchers showed how they can use the fact that the implantable defibrillator uses plain text serial communications (via RF) and how they can remotely do many things, including:
* read all of patients data, including their social security numbers
* change settings of the device, including disabling it completely
* kill a person (theoretical exploit) by disabling the defibrillator function and enabling a test mode which induced a heart attack to stop the heart (the mode is supposed to be used during implantation only, with chest open and doctor ready to standby to revive if the defibrillator didn't revive the patient)
All of the above done with a laptop and $50 worth of parts, up to 100 feet away. The presentation I saw did not disclose which manufacturer that was, but they did say that FDA did not have rules at that time that would prevent manufacturers from using un-encrupted, un-authenticated, not even simple password, connections to control all functions of the device.