posted by takyon on Saturday January 14 2017, @12:40PM   Printer-friendly
from the death-by-remote dept.

TechDirt reports:

[The week of January 12,] the FDA was forced to issue a warning, noting that security vulnerabilities in the St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter could be a serious problem. It's notable as it's the first time we've seen the government publicly acknowledge this specific type of threat.

The St. Jude Medical Merlin@home Transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. But the FDA found that this transmitter was vulnerable to attack, with the press release politely tap dancing around the fact that said vulnerability could be used to kill:

"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."

According to the FDA, they have no evidence of anybody dying because of the vulnerability yet. They're also quick to note that St. Jude Medical issued a patch on January 9 that fixes this vulnerability.

Apparently, the "Move on; nothing to see here" claims were wrong ("University of Michigan Says Flaws That MedSec Reported Aren't That Serious"), and the "Let's look closely at these" lot were right way back when ("US Security Agencies Look at Medical Device Security").

  • (Score: 3, Informative) by bradley13 (3053) on Saturday January 14 2017, @03:41PM (#453789)

    First, let's put the truth out there: Security on most medical devices is essentially non-existent.

    Just like any other random electronics manufacturers, software is not their specialty, and they probably don't even have anyone on staff with a clue about security. It's bad when this happens with lightbulbs [theregister.co.uk]. It's a lot worse when it happens with critical medical devices. There is no excuse for this, other than the reality that really good developers are actually rather rare, and good developers with a deep understanding of security are even rarer.

    Ok, with those unpleasant truths out of the way: we need to keep in mind that there is always a compromise between security and usability. If you totally lock down a medical device, you will make it much more difficult to access it when you need to. To take an example I used in a comment on another post: Imagine you have a pacemaker that can be remotely controlled, and it has a super-secure system. You are travelling, and have a heart attack in some random spot on the planet. Whatever random hospital they wind up taking you to will be unable to access your pacemaker. Arguably, you are better off with *no* security beyond a proprietary protocol and a limited-range antenna.

    --
    Everyone is somebody else's weirdo.