SoylentNews is people

posted by janrinok on Wednesday April 15 2020, @03:54PM
from the takes-your-breath-away dept.

Medical device "jailbreak" could help solve the dangerous shortage of ventilators:

[...] Security researcher Trammell Hudson analyzed the AirSense 10—the world's most widely used CPAP—and made a startling discovery. Although its manufacturer says the AirSense 10 would require "significant rework to function as a ventilator," many ventilator functions were already built into the device firmware.

Its manufacturer, ResMed, says the $700 device solely functions as a continuous positive airway pressure machine used to treat sleep apnea. It does this by funneling air into a mask. ResMed says the device can't work as a bilevel positive airway pressure device, which is a more advanced machine that pushes air into a mask and then pulls it back out. With no ability to work in both directions or increase the output when needed, the AirSense 10 can't be used as the type of ventilator that could help patients who are struggling to breathe. After reverse-engineering the firmware, Hudson says the ResMed claim is simply untrue.

To demonstrate his findings, Hudson on Tuesday is releasing a patch that he says unlocks the hidden capabilities buried deep inside the AirSense 10. The patch is dubbed Airbreak in a nod to jailbreaks that hobbyists use to remove technical barriers Apple developers erect inside iPhones and iPads. Whereas jailbreaks unlock functions that allow the installation of unauthorized apps and the accessing of log files and forensic data, Airbreak allows the AirSense 10 to work as a bilevel positive airway pressure machine, a device that many people refer to as a BiPAP.

"Our changes bring the AirSense S10 to near feature parity with BiPAP machines from the same manufacturer, boost the maximum pressure output available, and provide a starting point to add more advanced emergency ventilator functionality," Hudson and other researchers wrote on their website disclosing the findings.


  • (Score: 5, Interesting) by Anonymous Coward on Wednesday April 15 2020, @05:55PM (3 children)

    by Anonymous Coward on Wednesday April 15 2020, @05:55PM (#983142)

    Airbreak allows the AirSense 10 to work as a bilevel positive airway pressure machine, a device that many people refer to as a BiPAP.

    I have a ResMed BiPAP machine, the AirCurve 10. It treats my sleep apnea.

    You know what the physical difference is between the AirCurve and the AirSense? The outer case is a different color. All the attachments for each work in either one. It's the same physical device, with the only difference being the AirSense is set to one pressure, and the AirCurve is set to two pressures (upper and lower bounds).

    If you were a manufacturer making two machines like this, wouldn't you make it so both have the same parts, with some internal setting deciding if it works in CPAP or BiPAP mode? Of fucking course you would.

    That's all this "security researcher" found, whatever setting flips it from CPAP to BiPAP. And it STILL doesn't make it a ventilator. I use this machine every single night of my life; trust me, it ain't a ventilator. It does not breathe for you, it just increases the air pressure that you are breathing, so that your throat doesn't collapse.

    Oh, and if you have an AirSense and install this "jailbreak", you'll void the warranty and possibly fuck up your breathing at night, which could potentially make your sleep apnea even worse.

    This guy should be taken out into the public square and soundly lashed for being a moron.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday April 15 2020, @06:09PM

    by Anonymous Coward on Wednesday April 15 2020, @06:09PM (#983146)

    Asked this on an earlier ventilator thread, but was too late to the party to get an answer.

    How do the current devices (any of these ventilators or other breathing assist) compare with the old "iron lung" in terms of performance? Anyone tried one to help a covid patient breathe? Clearly the iron lung is a much bigger device--I'm more interested in how well it performs.
        https://en.wikipedia.org/wiki/Iron_lung

  • (Score: 2, Interesting) by mce on Wednesday April 15 2020, @07:32PM

    by mce (2811) on Wednesday April 15 2020, @07:32PM (#983169)

    Not saying that you are not right about limitations of the devices - after all you do use them a lot.

    However, if I'm the manufacturer of both types, then: 1) Yes, I want to reuse the design as much as possible; but 2) I want the cheaper device to actually be cheaper to produce as well, so as to increase my margin while still saving development costs through design reuse. In other words: leave out components, or replace them by cheaper variants (because my component supplier followed the same approach), depopulate PCBs to the minimum needed, ... If all that is not an option - that is, if the more capable device already is at "minimal hardware", then I have two options: either I scrap the entire differentiation idea and ask/get more money for what would otherwise be the cheap device, or I make sure that the cheap device cannot be turned into an expensive one by means of a mere SW hack. E.g. by adding proper security - which is hard to do if I'm not an expert - or by actually leaving out the unused SW. If in view of all that I then still choose to differentiate but leave all functions inside the product, I get what I deserve when a security breach happens.

    So yes, a "security researcher" can find this thing and is still entitled to be called just that. The fact that he or she found a design defect in this device does not mean that he or she is not a competent security researcher who may know more about security than you and me combined (warning: I do know a few relevant things myself) and who may already have found way bigger security issues in the past.

    Even more so in case the original intent of the manufacturer honestly was to prevent devices from being used for a purpose for which they are not safely suited. In that case, it really is a critical security bug if that intent can be circumvented. Posting a patch that enables these functions may then present (or rather make accessible) a safety issue and may therefore not be ideal, but that does nothing to diminish the importance of the security bug that made it possible in the first place.

    Never confuse security and safety, but understand that security can be critical to obtain safety.

  • (Score: 3, Interesting) by mhajicek on Thursday April 16 2020, @01:33AM

    by mhajicek (51) on Thursday April 16 2020, @01:33AM (#983357)

    I have an AirSense 10. If you go into the "hidden" controls it has a BiPAP mode.

    --
    The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek