750,000 Medtronic Defibrillators Vulnerable To Hacking (startribune.com) 54
The Homeland Security Department has issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, and to keep it plugged in so it can receive software updates, and that they maintain "good physical control" over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.
The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster.) The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.
The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster.) The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.
Nobody saw this comming. (Score:1)
No, sireeeee.
Let's put Bluetooth and WiFi in everything just because.
Re: (Score:1)
Already happened: The Cryptobanker (The Blacklist season 6 episode 10). Aired a fortnight ago.
Cheese and Rice (Score:3)
Implantable defibrillators at risk to be compromised by potential outside control?
If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.
Re: (Score:1)
"Pay me or I turn off your heart" is a great money maker if you're truly awful.
Re:Cheese and Rice (Score:5, Insightful)
If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.
I agree, but the sad fact is that there are plenty of people who would be only too happy to devote the time to hacking this device so they could threaten or kill people.
Re: (Score:2)
I agree, but the sad fact is that there are plenty of people who would be only too happy to devote the time to hacking this device so they could threaten or kill people.
There are much simpler ways of killing people than hacking defibrillators.
Killing people is easy. Good thing most of us aren't murderers.
Re: (Score:3)
If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.
Out of billions some would do that, for free. Why take the risk?
Re: (Score:2)
Implantable defibrillators at risk to be compromised by potential outside control?
If you're sitting at home hacking your ass off to shorten the life of defibrillator patients, man, you need to get out more.
4chan 8chan gab are full of these trolls that would salivate at doing exactly that.
Re: (Score:1)
I'm surprised they aren't on the cloud yet (Score:2)
Logic today seems to dictate that all the input data is sent over to a server somewhere, and the control commands come back down from the server over the internet, with zero local control between the two. Isn't that how things should be done these days?
Re: (Score:1)
The chance of getting an infection and dying from wires hanging out of your chest are probably a lot greater than someone hacking your defibrillator. I think I'll get a second opinion, Dr Anonymous.
Re:I'm surprised they aren't on the cloud yet (Score:5, Informative)
Re: (Score:2)
That makes a lot of sense. Easy to access legitimately, hard to access nefariously.
Re: (Score:2)
The wireless has to be turned on by placing a magnet against my skin above the defibrillator.
That's not going to work well when it needs to talk to the bedside monitor every night.
Encryption costs battery power (Score:1)
"Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster"
Locking your door is tricky because is[sic] increases the time to get into your house and makes you use up calories.
Having a PIN on your credit card is tricky because is[sic] increases the time to get your munney and stuff.
Coming up with stupid excuses why in 2019 you didn't deploy encryption by blaming battery life means your software is SHIT.
(Is[sic] increases the stupid f
Re: (Score:1)
I don't think you are qualified to remark on how qualified I am, but thanks for opining without any factual basis whatsoever.
You can go back to making up random stuff now.
I actually do know what I'm talking about. You can go join DJ Trump in the Land of Make Believe.
E
Re: (Score:2)
Prison (Score:4, Informative)
People need to go to prison for releasing insecure pieces of shit like this onto the market and for allowing them to be implanted in people.
I read about this shit all the time, and sadly I'm always astounded that NO ONE paid the slightest thought to hardening or securing these kinds of devices. It goes well beyond negligence. Fucking mind-boggling.
Re: (Score:3)
People need to go to prison for releasing insecure pieces of shit like this onto the market
Unfortunately that happens more and more ; even the aircraft industry is affected, it seems.
How hackable? (Score:2)
Re: (Score:2)
encryption (Score:2)
Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster
I claim bullshit. An AES implementation in hardware is secure and very cheap, especially at the modest communication speeds that these devices would need.
Finally FDA takes action (Score:5, Informative)
University of Washington had a presentation I saw almost a decade ago where security researchers showed how they can use the fact that the implantable defibrillator uses plain text serial communications (via RF) and how they can remotely do many things, including:
* read all of patients data, including their social security numbers
* change settings of the device, including disabling it completely
* kill a person (theoretical exploit) by disabling the defibrillator function and enabling a test mode which induced a heart attack to stop the heart (the mode is supposed to be used during implantation only, with chest open and doctor ready to standby to revive if the defibrillator didn't revive the patient)
All of the above done with a laptop and $50 worth of parts, up to 100 feet away. The presentation I saw did not disclose which manufacturer that was, but they did say that FDA did not have rules at that time that would prevent manufacturers from using un-encrupted, un-authenticated, not even simple password, connections to control all functions of the device.
Re: (Score:2)
You can only penetrate human tissue a certain depth at the comm frequency used by these devices, regardless of the signal amplitude
Not really a relevant objection, since the extra distance between normal use vs remote hacker is not going through human tissue.
Re: (Score:2)
The manufacturers struggle to get it to work beyond a few centimeters.
I've seen one work about 6 feet away, and it didn't require a large box, or directional antennas.
Re: (Score:2)
We can talk criminal negligence the moment someone gets seriously hurt. So far, I haven't heard of that happening in even one single case. I'm not saying it can't happen, I'm not saying it won't happen in the future, just that it doesn't really seem to be happening now.
I know this is not a popular opinion on /., but there is a need for perspective. These devices save lives, and delaying a product launch by even just six months in order to work out the crypto would likely cost lives. Strange as it may so
Software Taser (Score:2)
Medronic Is Completely Incompetent with IT (Score:1)
My personal experience with Medronic has been terrible. I once had a Insulin pump from them that forced data uploads to occur over HTTP connections. I raised that as a likely HIPA violation with them, since they weren't securing the transfer of my medical records. Such bounced around their support for months before I gave up wasting my time trying to get it resolved.
oh so bad! (Score:1)
We've seen this before (Score:2)
Karen Sandler of the GNOME Foundation (and Software Freedom Law Center) called attention to this exact problem in 2010 after she had a Medtronic defibrillator installed.
http://www.softwarefreedom.org... [softwarefreedom.org]
https://www.youtube.com/watch?... [youtube.com]