SoylentNews is people

posted by Fnord666 on Wednesday August 15 2018, @08:16AM
from the tick-tock-tick-zap dept.

Submitted via IRC for SoyCow1984

Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday.

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients.

Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

Source: https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/

Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers


  • (Score: 2) by HiThere on Wednesday August 15 2018, @06:10PM (3 children)

    by HiThere (866) on Wednesday August 15 2018, @06:10PM (#721870)

    I think that's the wrong argument. The real reason not to use encryption on pacemakers is so that in an emergency any emergency room can adjust them.

    That said, *this* hack isn't of the pacemaker itself, but rather of the machine in the doctor's office that is used to adjust it. That *should* be better secured. For the pacemaker itself, requiring a near-field controller, as is (or was a couple of years ago) current practice, is the better solution.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 2, Interesting) by doke on Wednesday August 15 2018, @07:18PM

    by doke (6955) on Wednesday August 15 2018, @07:18PM (#721892)

    "The real reason not to use encryption on pacemakers is so that in an emergency any emergency room can adjust them."

    Tattoo the password on the patient's chest.

  • (Score: 2) by pipedwho on Thursday August 16 2018, @12:12AM (1 child)

    by pipedwho (2032) on Thursday August 16 2018, @12:12AM (#721967)

    Assuming the ER has the right control software and interface. And that the software supports that version of firmware and device manufacturer, etc.
    I’d rather encryption that will at least attempt to prevent malicious access.

    • (Score: 2) by HiThere on Thursday August 16 2018, @12:55AM

      by HiThere (866) on Thursday August 16 2018, @12:55AM (#721981)

      My wife had a pacemaker, and ended up in ER multiple times. They were always able to (eventually) check the device, and sometimes adjust it. The bottleneck was trained cardiologists, not devices that could read the pacemaker. Perhaps if they'd needed to adjust it more frequently, the device would also have been a problem. In all events, I'm just as glad there wasn't an additional problem.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.