SoylentNews is people
SoylentNews
A team of academic security researchers from KU Leuwen, Belgium, have discovered that medical implants like electrical brain implants are quite insecure devices because these have defected [sic] wireless interfaces.
Researchers identified that the security factor of these devices is pretty weak; the defects in their wireless interfaces can allow attackers obtain sensitive neurological data, administer shocks and intercept confidential medical data, which gets transmitted between the implant and the connected devices that are responsible for controlling, updating and reading it.
[...] By hacking neurostimulators, an attacker can cause irreversible damage to the patients by preventing them from speaking or moving. The hacking may also prove to be life-threatening, wrote the Belgian researchers in their paper that provide details about the research findings.
Source: Hackread
The research paper in PDF form. [DOI: 10.1145/3176258.3176310]
From the abstract:
Implantable medical devices (IMDs) typically rely on proprietary protocols to wirelessly communicate with external device programmers. In this paper, we fully reverse engineer the proprietary protocol between a device programmer and a widely used commercial neurostimulator from one of the leading IMD manufacturers. For the reverse engineering, we follow a black-box approach and use inexpensive hardware equipment. We document the message format and the protocol state-machine, and show that the transmissions sent over the air are neither encrypted nor authenticated. Furthermore, we conduct several software radio-based attacks that could compromise the safety and privacy of patients, and investigate the feasibility of performing these attacks in real scenarios.
(Score: 4, Interesting) by JoeMerchant on Tuesday April 24 2018, @10:49PM
Ha! My first day on the job with a Neurostim company (in the very early 2000s) I was shocked (not literally - that happens at defibrillator companies) to learn that the device comm protocol had an 8 bit and "open" checksum. Not only was the checksum only 8 bits, but it was also a simple calculation which an attacker could/would guess easily by just observing a couple of transactions. So, program the device to 1mA - that's a 4 byte sequence. Program it to 2mA - another 4 byte sequence. Company approved programmer software (and FDA permission to market for human use) limits current to a maximum of ~2.5mA, but... if you just identify what changed between the 1 and 2 programming sequences, you could easily plug your own RS-232 port into the company programming wand and program 4 or 8 milliamps which has the potential to do several very bad things, but mostly is just really painful.
Feeling the need to step forward and voice my concerns, I was eventually (on the first day, before lunch) put face to face with the engineer / legal expert witness who blew the same smoke up my ass about how the mathematical analysis he did found that it would be so many billions of years before a random error caused an adverse programming event. Yeah, I'm not buying what you're selling, but I'm not the customer. So, 18 months later he, I, and the programmer software lead were called into a room to investigate a rash of reports of inadvertent programming error events with associated painful stimulation. Turns out that the programming code for 8mA stim is just like the programming code for a common lower stim value, except that the 8mA code ends in all zeroes (including that 8 bit checksum), so accidentally moving the programming wand away too early lead to programming the device to max (and off-label) power. A) we worked out a longer programming sequence that used confirmation before activation to prevent this from happening and a fix was pushed to the field very quickly. B) the new device that came out a few years later sported an "upgraded" 16 bit (still non-crypto) checksum, so by now all the old devices have been replaced with marginally better ones. C) the programming wand only had an effective range of about 4 inches, so a malicious attacker would have to get pretty close to make anything interesting happen. D) nobody died as a direct result of the programming error events, but you would be shocked (in a different way from the victims) to learn how many times that accident happened in the field with 50,000 users of the device.
🌻🌻 [google.com]