posted by azrael on Tuesday October 28 2014, @05:11PM
from the hacking-your-tricorder dept.

IEEE Spectrum has a story on medical device security, which follows a Reuters report that the U.S. Department of Homeland Security is investigating possible security flaws in medical devices and hospital equipment.

From Reuters:

The products under review by the agency's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.

According to Spectrum, the ICS-CERT team:

wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.

The Spectrum article also references the 2011 case of remotely hacking an insulin pump, demonstrated by Jerome Radcliffe.

Related Stories

After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable 5 comments

TechDirt reports:

[The week of January 12,] the FDA was forced to issue a warning, noting that security vulnerabilities in the St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter could be a serious problem. It's notable as it's the first time we've seen the government publicly acknowledge this specific type of threat.

The St. Jude Medical Merlin@home Transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. But the FDA found that this transmitter was vulnerable to attack, with the press release politely tap dancing around the fact that said vulnerability could be used to kill:

"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."

According to the FDA, they have no evidence of anybody dying because of the vulnerability yet. They're also quick to note that St. Jude Medical issued a patch on January 9 that fixes this vulnerability.

Apparently, the "Move on; nothing to see here" claims were wrong.
University of Michigan Says Flaws That MedSec Reported Aren't That Serious
...and the "Let's look closely at these" lot were right way back when.
US Security Agencies Look at Medical Device Security

Why Repair Techs are Hacking Ventilators with DIY Dongles from Poland 84 comments

Hacking Ventilators With DIY Dongles From Poland:

As COVID-19 surges, hospitals and independent biomedical technicians have turned to a global grey-market for hardware and software to circumvent manufacturer repair locks and keep life-saving ventilators running.

The dongle is handmade, little more than a circuit board encased in plastic with two connectors. One side goes to a ventilator’s patient monitor, another goes to the breath delivery unit. A third cable connects to a computer.

This little dongle—shipped to him by a hacker in Poland—has helped William repair at least 70 broken Puritan Bennett 840 ventilators that he’s bought on eBay and from other secondhand websites. He has sold these refurbished ventilators to hospitals and governments throughout the United States, to help them handle an influx of COVID-19 patients. Motherboard agreed to speak to William anonymously because he was not authorized by his company to talk to the media, but Motherboard verified the specifics of his story with photos and other biomedical technicians.

William is essentially Frankensteining together two broken machines to make one functioning machine. Some of the most common repairs he does on the PB840, made by a company called Medtronic, are replacing broken monitors with new ones. The issue is that, like so many other electronics, medical equipment, including ventilators, increasingly has software that prevents “unauthorized” people from repairing or refurbishing broken devices, and Medtronic will not help him fix them.

[...] Delays in getting equipment running put patients at risk. In the meantime, biomedical technicians will continue to try to make-do with what they can. “If someone has a ventilator and the technology to [update the software], more power to them,” Mackeil said. “Some might say you’re violating copyright, but if you own the machine, who’s to say they couldn’t or they shouldn’t?”

I understand that there is an ongoing debate on the "right to repair". However, many manufacturers increasingly find ways to ensure that "unauthorised" people cannot repair their devices. Where do you stand on this issue? During the ongoing pandemic, do medical device manufacturers have the right to prevent repair by third parties?

  • (Score: 2) by davester666 on Tuesday October 28 2014, @05:56PM

    by davester666 (155) on Tuesday October 28 2014, @05:56PM (#110917)

    Computers and computer hacking have been around for a LONG time, and these are people-critical devices. The manufacturers have put less effort into ensuring that these can't be improperly accessed and altered than most websites.

    • (Score: 2) by Sir Garlon on Tuesday October 28 2014, @07:04PM

      by Sir Garlon (1264) on Tuesday October 28 2014, @07:04PM (#110944)

      I agree, but the problem is so serious I am more interested in getting the companies to change their behavior than in beating them up. Let the government give them a chance to clean up their act before bringing out the big stick.

      That said, I am adamant that we, the taxpayers, not bail out these companies if they get sued into oblivion for their decade of gross negligence.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
      • (Score: 3, Insightful) by davester666 on Tuesday October 28 2014, @07:08PM

        by davester666 (155) on Tuesday October 28 2014, @07:08PM (#110946)

        How many times are we going to give companies velvet-gloved handjobs, "to encourage them to do the right thing", only to find out they all are into S&M, and need a high-heel spike to the groin to even consider doing "the right thing".

        • (Score: 2) by Sir Garlon on Tuesday October 28 2014, @08:30PM

          by Sir Garlon (1264) on Tuesday October 28 2014, @08:30PM (#110971)

          I understand your frustration and I share it to some considerable extent.

          In my own experience, if you take a demanding and compliance-based approach to security, saying "do X or else!" then people resent it. They become passive-aggressive and they will do the minimum required to achieve the appearance of X, and bitterly refuse to do more. The cynic in me says this is what the PCI standards [pcisecuritystandards.org] have achieved.

          On the other hand, if you can successfully persuade them of the need to do the Right Thing, then they will do what it takes to do the Right Thing.

          Persuading people to do the Right Thing does not have to be all rainbows and unicorns. For example, pointing out that insecure medical devices are a horrendous liability risk (because they are) could be quite persuasive to some suits.

          --
          [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
          • (Score: 1, Interesting) by Anonymous Coward on Tuesday October 28 2014, @10:54PM

            by Anonymous Coward on Tuesday October 28 2014, @10:54PM (#110995)

            Anon for obvious reasons.

            I worked for a few years at a medical device manufacturer company; one of the big ones that does heart-lung machines and the like. They were all about 'doing the right thing' and 'customer focus' and stuff and had a relatively thorough CAPA system for all sorts of defects and other reports. But despite that, they had an abysmal investigation rate. There were hundreds of items in the complaint logs for their heart-lung machines that had been 'filed and forgotten', without even attempting to investigate or reproduce the problems (or with only very minimal, rudimentary attempts). Some of them were pretty serious, like spurious flow rate increases and pump shutdowns.

            The FDA eventually caught on to it through audits, and started their process for getting the company to do a proper job investigating their failures (we're talking heart-lung machines after all, they need to be pretty damn sure they're reliable). The FDA process is actually fairly lengthy and involved, escalating through nearly a dozen different 'levels' over a several-year time frame (allowing for time to implement actions), with the final being the closure of the company for non-compliance.

            What did the company do? Ignore the FDA. So they got elevated to the next level. Now? Ignore the FDA. It took reaching a consent decree, the final step immediately before company closure, coupled with a $35 million fine, before the company actually did something about it. It's not like the logs were hidden from view or anything; I was in the hardware department and saw them personally. But that didn't matter because they were too wrapped up in developing their next iteration of products (having failed multiple times at getting one to market) and couldn't be bothered to do the investigations (the 'sustaining' department was minimal and overbooked).

            So, a kick to the balls might be more in order than you think, especially when there's a reasonable process in place like the FDA uses and it still takes years and millions of dollars in fines before the company does something about it.....
            • (Score: 2) by Sir Garlon on Wednesday October 29 2014, @12:40AM

              by Sir Garlon (1264) on Wednesday October 29 2014, @12:40AM (#111021)

              Ouch, because from where I'm standing the FDA looks like an extremely industry-friendly agency.

              --
              [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  • (Score: 1, Informative) by Anonymous Coward on Tuesday October 28 2014, @06:27PM

    by Anonymous Coward on Tuesday October 28 2014, @06:27PM (#110931)

    A little over a year ago, a grassroots movement was started at Security BSides Las Vegas for network and application security experts to reach out to critical industries -- medical devices, transportation, power companies -- and help them do a better job at securing their products. As we all know, there is plenty of room for improvement.

    The movement is called I am the Cavalry [iamthecavalry.org]. I encourage you to check it out and become part of the solution to this current mess.

    I'm posting anonymously so as not to appear to be grubbing for karma.

  • (Score: 0) by Anonymous Coward on Tuesday October 28 2014, @07:06PM

    by Anonymous Coward on Tuesday October 28 2014, @07:06PM (#110945)

    The Department of Homeland Security?? Why not refuse to certify life-and-death devices whose security is unacceptable, and prosecute anyone who runs uncertified medical equipment? Why all the complexity and bureaucracy?

    • (Score: 2) by Sir Garlon on Tuesday October 28 2014, @08:38PM

      by Sir Garlon (1264) on Tuesday October 28 2014, @08:38PM (#110972)

      It's the Food and Drug Administration (FDA) that certifies medical devices, and a few weeks ago the FDA issued completely toothless, voluntary recommendations [fda.gov] for medical device security. Since the FDA is not taking device security seriously (because it's been captured by industry lobbyists), DHS feels the need to step in.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
      • (Score: 0) by Anonymous Coward on Wednesday October 29 2014, @01:14PM

        by Anonymous Coward on Wednesday October 29 2014, @01:14PM (#111127)

        The DHS should stop doing the FDA's job then. They're wasting taxpayer money. They should shout loud and clear lives are at risk because the FDA refuses to do its job, and their manager (the President, ultimately) should resolve the conflict by ensuring one agency isn't doing another agency's job, and that if an agency is not doing their own job, heads roll. What the DHS is doing is just making matters worse.

  • (Score: 0) by Anonymous Coward on Tuesday October 28 2014, @08:05PM

    by Anonymous Coward on Tuesday October 28 2014, @08:05PM (#110967)