SoylentNews is people

posted by chromas on Tuesday April 24 2018, @01:47PM
from the brains-need-an-update-Tuesday dept.

A team of academic security researchers from KU Leuven, Belgium, have discovered that medical implants like electrical brain implants are quite insecure devices because these have defected [sic] wireless interfaces.

Researchers identified that the security factor of these devices is pretty weak; the defects in their wireless interfaces can allow attackers to obtain sensitive neurological data, administer shocks and intercept confidential medical data, which gets transmitted between the implant and the connected devices that are responsible for controlling, updating and reading it.

[...] By hacking neurostimulators, an attacker can cause irreversible damage to the patients by preventing them from speaking or moving. The hacking may also prove to be life-threatening, wrote the Belgian researchers in their paper that provides details about the research findings.

Source: Hackread

The research paper in PDF form. [DOI: 10.1145/3176258.3176310]

From the abstract:

Implantable medical devices (IMDs) typically rely on proprietary protocols to wirelessly communicate with external device programmers. In this paper, we fully reverse engineer the proprietary protocol between a device programmer and a widely used commercial neurostimulator from one of the leading IMD manufacturers. For the reverse engineering, we follow a black-box approach and use inexpensive hardware equipment. We document the message format and the protocol state-machine, and show that the transmissions sent over the air are neither encrypted nor authenticated. Furthermore, we conduct several software radio-based attacks that could compromise the safety and privacy of patients, and investigate the feasibility of performing these attacks in real scenarios.


  • (Score: 1, Interesting) by Anonymous Coward on Tuesday April 24 2018, @03:58PM (2 children)

    by Anonymous Coward on Tuesday April 24 2018, @03:58PM (#671201)

    Literally everything in medicine is proprietary and security by obscurity. There's a reason your hospital runs on out-of-date Windows - and we're talking XP or 7 here, never later than 7 - because their suppliers and software providers can't be bothered to make anything up to date or standards-compliant. The joke is really that they claim to care about information security / protected health information, then shoot themselves in both feet right at boot time.

    Of course the devices are no different.

    It is worth noting, however, that for implanted stuff running on super low power batteries, adding encryption is nontrivial and may well tank the battery life. Telling patients the new version lasts half or a third as long as last year's version is not going to go over well.

  • (Score: 2) by HiThere on Tuesday April 24 2018, @05:14PM (1 child)

    by HiThere (866) on Tuesday April 24 2018, @05:14PM (#671232)

    It's actually worse than that, they don't just run an out of date MSWindows machine, they run one without many of the security patches. Because it would cost a lot to get the updated one certified...and the manufacturer is the one who would need to do the certification, and he'd rather sell you a new machine (that also wouldn't get updates). And some of those things are *EXPENSIVE*.

    It's a combination of bureaucracy and perverse incentives. But since any patch might break the drivers, there is no obvious way forwards except keeping them all isolated from the internet. Unfortunately, that would be inconvenient.

    But with medical devices, I think they're made by people who considered IoT to be insanely secure.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 0) by Anonymous Coward on Wednesday April 25 2018, @04:33AM

      by Anonymous Coward on Wednesday April 25 2018, @04:33AM (#671514)

      But since any patch might break the drivers, there is no obvious way forwards except keeping them all isolated from the internet. Unfortunately, that would be inconvenient.

      And also ineffective. There is always at least one boob with a USB stick around, cf. Stuxnet [wikipedia.org].