Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Medicine Security Software

750,000 Medtronic Defibrillators Vulnerable To Hacking (startribune.com) 54

The Homeland Security Department has issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, and to keep it plugged in so it can receive software updates, and that they maintain "good physical control" over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.

The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster.)
The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.
This discussion has been archived. No new comments can be posted.

750,000 Medtronic Defibrillators Vulnerable To Hacking

Comments Filter:
  • by Anonymous Coward

    No, sireeeee.

    Let's put Bluetooth and WiFi in everything just because.

  • by rmdingler ( 1955220 ) on Thursday March 21, 2019 @08:44PM (#58313524) Journal

    Implantable defibrillators at risk to be compromised by potential outside control?

    If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.

    • by Anonymous Coward

      "Pay me or I turn off your heart" is a great money maker if you're truly awful.

    • Re:Cheese and Rice (Score:5, Insightful)

      by JustAnotherOldGuy ( 4145623 ) on Thursday March 21, 2019 @09:42PM (#58313648) Journal

      If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.

      I agree, but the sad fact is that there are plenty of people who would be only too happy to devote the time to hacking this device so they could threaten or kill people.

      • by GuB-42 ( 2483988 )

        I agree, but the sad fact is that there are plenty of people who would be only too happy to devote the time to hacking this device so they could threaten or kill people.

        There are much simpler ways of killing people than hacking defibrillators.
        Killing people is easy. Good thing most of us aren't murderers.

    • If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.

      Out of billions some would do that, for free. Why take the risk?

    • Implantable defibrillators at risk to be compromised by potential outside control?

      If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.

      4chan 8chan gab are full of these trolls that would salivate at doing exactly that.

    • by hermi ( 809034 )
      Or, you are a patient, wear one of those and want to not fear for your life because some idiot thought that an open WLAN into your heart was a good idea.
  • Logic today seems to dictate that all the input data is sent over to a server somewhere, and the control commands come back down from the server over the internet, with zero local control between the two. Isn't that how things should be done these days?

  • "Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster"

    Locking your door is tricky because is[sic] increases the time to get into your house and makes you use up calories.

    Having a PIN on your credit card is tricky because is[sic] increases the time to get your munney and stuff.

    Coming up with stupid excuses why in 2019 you didn't deploy encryption by blaming battery life means your software is SHIT.
    (Is[sic] increases the stupid f

    • If that's the concern it seems like the solution would be to implement wireless inductive charging rather than dumb down the gizmo.
  • Prison (Score:4, Informative)

    by JustAnotherOldGuy ( 4145623 ) on Thursday March 21, 2019 @09:40PM (#58313646) Journal

    People need to go to prison for releasing insecure pieces of shit like this onto the market and for allowing them to be implanted in people.

    I read about this shit all the time, and sadly I'm always astounded that NO ONE paid the slightest thought to hardening or securing these kinds of devices. It goes well beyond negligence. Fucking mind-boggling.

    • People need to go to prison for releasing insecure pieces of shit like this onto the market

      Unfortunately that happens more and more ; even the aircraft industry is affected, it seems.

  • Can we turn them into something useful like tac-welders?
  • Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster

    I claim bullshit. An AES implementation in hardware is secure and very cheap, especially at the modest communication speeds that these devices would need.

  • by misnohmer ( 1636461 ) on Friday March 22, 2019 @05:33AM (#58314498)

    University of Washington had a presentation I saw almost a decade ago where security researchers showed how they can use the fact that the implantable defibrillator uses plain text serial communications (via RF) and how they can remotely do many things, including:
    * read all of patients data, including their social security numbers
    * change settings of the device, including disabling it completely
    * kill a person (theoretical exploit) by disabling the defibrillator function and enabling a test mode which induced a heart attack to stop the heart (the mode is supposed to be used during implantation only, with chest open and doctor ready to standby to revive if the defibrillator didn't revive the patient)
    All of the above done with a laptop and $50 worth of parts, up to 100 feet away. The presentation I saw did not disclose which manufacturer that was, but they did say that FDA did not have rules at that time that would prevent manufacturers from using un-encrupted, un-authenticated, not even simple password, connections to control all functions of the device.

  • Don't hack me, Bro!
  • My personal experience with Medronic has been terrible. I once had a Insulin pump from them that forced data uploads to occur over HTTP connections. I raised that as a likely HIPA violation with them, since they weren't securing the transfer of my medical records. Such bounced around their support for months before I gave up wasting my time trying to get it resolved.

  • oh so bad!
  • Karen Sandler of the GNOME Foundation (and Software Freedom Law Center) called attention to this exact problem in 2010 after she had a Medtronic defibrillator installed.

    http://www.softwarefreedom.org... [softwarefreedom.org]
    https://www.youtube.com/watch?... [youtube.com]

Genius is ten percent inspiration and fifty percent capital gains.

Working...