from the sms-[phone]_1234_[cmd]_[on|off|#] dept.
A computer security researcher has probed the communication protocols used by her pacemaker – and hopes her findings will raise awareness of just how much info medical devices are emitting.
Marie Moe received her pacemaker four years ago after she experienced a form of arrhythmia, and her heart began to slow.
Soon after, she sought out the manual for her closed-source device – and enlisted the help of Cambridge University industrial control hacker Eireann Leverett to find out more about the vital gizmo that keeps her heart beating normally.
Moe, once of Norway's Computer Emergency Response Team, found the device had two wireless interfaces: some near-field communications (NFC) electronics used to exchange data with medical equipment during hospital check-ups, and another system for communicating with a bedside device.
Leverett says the bedside unit passes sensitive medical information about herself from her pacemaker to remote servers, and finally to her doctor's workstation, via communications channels from SMS and 3G to the standard internet. Leverett fears these channels are not necessarily secure, and the servers are often held in foreign countries – which all in all is a headache for privacy.
Please refrain from making comments about Larry and Curly.
Related Stories
Submitted via IRC for SoyCow3941
About 350,000 implantable defilibrators are up for a firmware update, to address potentially life-threatening vulnerabilities.
Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices. The update will strengthen the devices' protection against unauthorized access, as the provider said in a statement on its website: "It is intended to prevent anyone other than your doctor from changing your device settings."
The patch is part a planned series of updates that began with pacemakers, programmers and remote monitoring systems in 2017, following 2016 claims by researchers that the then-St. Jude's cardiac implant ecosystem was rife with cybersecurity flaws that could result in "catastrophic results."
Source: https://threatpost.com/abbott-addresses-life-threatening-flaw-in-a-half-million-pacemakers/131709/
Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Submitted via IRC for SoyCow1984
Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday.
At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients.
Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.
Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers
(Score: -1, Redundant) by Anonymous Coward on Wednesday January 06 2016, @03:26PM
Whoop whoop-whoop-whoop-whoop nyah-yah-yah ruff! ruff!
(Score: 1, Funny) by Anonymous Coward on Wednesday January 06 2016, @04:01PM
Soylent-stance
(Score: 0) by Anonymous Coward on Wednesday January 06 2016, @03:27PM
Please refrain from making comments about Larry and Curly.
Whaddya think I am, some kind of wise guy?
(Score: 0) by Anonymous Coward on Wednesday January 06 2016, @03:57PM
Can it run crysis?
(Score: 0) by Anonymous Coward on Wednesday January 06 2016, @04:05PM
Crysis would be the gold, but I think a Doom port is traditionally the first fps ported to a new homebrew software platform such as this. Not sure I'd want to include any form of force feedback from such a device....
(Score: 2) by dyingtolive on Wednesday January 06 2016, @05:12PM
DON'T YOU UNDERSTAND?! IF YOU DIE IN THE GAME, YOU DIE... IN REAL LIFE!
Don't blame me, I voted for moose wang!
(Score: 1, Interesting) by Anonymous Coward on Thursday January 07 2016, @11:09AM
everyone who buys a gun should have one of these implanted.
ofc the encrypted backdoor key-escrow to activate it would lie with infallible law and government enforcement ^_^
(Score: 2) by GlennC on Wednesday January 06 2016, @03:59PM
Please refrain from making comments about Larry and Curly.
So that means Shemp, Joe, and Curly Joe are fair game then....
Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
(Score: 1) by redneckmother on Thursday January 07 2016, @01:49AM
Nyuk, Nyuk, Nyuk!
Niagara Falls! Slowly I turn, step by step, inch by inch...
Mas cerveza por favor.
(Score: 3, Informative) by canopic jug on Wednesday January 06 2016, @04:02PM
The Register links to the wrong video site. YouTube should not be used for CCC videos [events.ccc.de], even if copies do turn up there.
For these events, the CCC has its own video service [media.ccc.de] and this particular presentation is Unpatchable : Living with a vulnerable implanted device [media.ccc.de], but if you listen she does not mess with her own device. That would be too dangerous.
Money is not free speech. Elections should not be auctions.
(Score: 1) by D2 on Wednesday January 06 2016, @04:59PM
Yeah, if the first rule of intelligent tinkering is 'save all the parts' (Aldo Leopold), the zeroth law must be "don't kill the researcher".
Fuzzing one's own pacemaker would be high on my list of things I wouldn't do, **ESPECIALLY** since only I know how many gadgets I've broken, shut down, shorted-out, or otherwise deactivated (even momentarily) to understand them.
(Score: 4, Interesting) by VLM on Wednesday January 06 2016, @06:31PM
Here's a strange outlook on life to consider.
I know for a fact if "thing" is on the internet, the internet is big enough and screwed up enough that someone will mess with it. But I have no idea when.
So at 2:47 am next tuesday some dude in Russia thinks he's breaking into my IoT "toilet paper roll on the internet" in order to expand his botnet but he's actually buffer overflowing and therefore killing my pacemaker and me.
I don't like the indeterminacy.
Therefore given that a buffer overflow attack is absolutely inevitable, I'm better off trying a buffer overflow attack at a time, place, and helpers of my own choosing.
Someone's gonna try to ssh in as root/password or log in to the web interface as Little Bobby Tables, so it may as well be me when I got someone right here to call the ambulance rather than waiting until a random indeterminate time in the near future when it happens anyway completely outside my control, such as when I'm driving to work or in my sleep or something equally awful.
If you think you're the "neo" the ultimate hacker of the universe you've been watching too many movies and some random dude on the internet who's better than you will pown you later. So I wouldn't be too worried about the immovable force / unmovable object problem of being the worlds best security researcher.
(Score: 0) by Anonymous Coward on Wednesday January 06 2016, @09:58PM
pown is not a word. Stop using it.
(Score: 0) by Anonymous Coward on Thursday January 07 2016, @05:22AM
And in unrelated news, a new candidate has been added to the Darwin Awards list...
(Score: 2) by SanityCheck on Wednesday January 06 2016, @04:03PM
Does the old adage about doctor who operates on himself/herself apply here?
I think I saw some pacemaker wireless shenanigans on Homeland...
(Score: 2) by VLM on Wednesday January 06 2016, @04:04PM
received her pacemaker
the bedside unit passes sensitive medical information about herself
The largest bug here is probably in the definition of "sensitive medical information"
There's some pretty funny irony that appearing unreasonably paranoid to the point of irrational fear in the press for the whole world including possible future employers to see for all eternity is not "sensitive medical information", but some obscure battery voltage telemetry is sensitive. "Sure everyone knows your nuts, but at least nobody knows your backup lithium battery was 3.14159 volts yesterday."
The other smaller bug its a planted story to discredit actual security failures in the future. "Oh who cares about some claim of STD lab test results being accidentally posted by a bot as public on the patient's facebook wall, its just like that story that amounted to nothing from 2016 where that woman worried about her pacemaker telemetry, just chill"
(Score: 0) by Anonymous Coward on Wednesday January 06 2016, @04:31PM
Working along side the medical industry for most of my career, PHI (personal or private health information) is fairly specific. Basic demographic information is not phi. The fact that you have visited an office is not, but the dates and frequency is for instance.
Given what this device is, what could be there? I doubt they put things such as her insurance info into it. It probably doesn't even have her name. This would be readouts of how many CCs of its payload medicine it's administered and timestamps. Yes there's probably a device id but without the companion database the vendor has that says which person has which device and what the payload drug is, what could be derived from this? We aren't at the point of "smart pacemakers" (how would you take pictures? Or plug it in for charging every night) so this is not going to hold much information, yet. Communicating via a base station is fine, NFC not so much but the range is extremely short. When we start building in WiFi and cellular and Bluetooth, THAT'S the time to panic.
(Score: 0) by Anonymous Coward on Wednesday January 06 2016, @04:36PM
There's some pretty funny irony that appearing unreasonably paranoid to the point of irrational fear in the press for the whole world including possible future employers to see for all eternity is not "sensitive medical information", but some obscure battery voltage telemetry is sensitive. "Sure everyone knows your nuts, but at least nobody knows your backup lithium battery was 3.14159 volts yesterday."
Just because you can't figure out a way to exploit that information doesn't mean it can't be exploited. All it takes is for someone with sufficient motivation to figure out a novel way to combine it with other information deemed non-sensitive to come up with something revealing. Its been over a decade since netflix released "anonymous" viewing records which were then combined with movie ratings by users on IMDB to out gay people even though they only ever rated straight movies on IMDB. You should know better by now.
(Score: 3, Insightful) by pe1rxq on Wednesday January 06 2016, @04:52PM
The battery level of a pacemaker is very sensitive. Modern pace makers do not fire constantly, they 'help' only when needed. By monitoring the rate at which the battery level drops you can easily deduce the general health of the owner's heart.
(Score: 2) by VLM on Wednesday January 06 2016, @06:40PM
And...
I'm not seeing something after the and...
Note that its not much different than those people who post fitbit steps, or try to become mayor of 4sq for their cardiologists office (is 4sq still a thing? Guessing not)
Also my wife's friends post the craziest things about their kids to facebook WRT medical results, so before age 18 or so its often enough out of control. Also my generation is old enough to be posting weird medical details about parents.
Adding to the paranoia even if the system isn't powned, by design the doctor has a record, which likely passes to the insurance company, which means the employer has some access, meanwhile the NSA logs all this stuff. And its all shared with every .com and .gov on the planet, legally or illegally or via NSLs whichever they are. So everyone who cares was told via a facebook post, everyone who doesn't care was told via extensive .com and .gov information sharing, and the only guy who doesn't know is the next door neighbor and the supermarket clerk, whom don't care. So the only people not being shared the data are the people who don't care. And that's best case scenario if everything is working as designed...
(Score: 1) by cyxs on Wednesday January 06 2016, @08:07PM
The information is important in multiple areas.
Say your heart rate is reported or that it increased the speed because your having sex so battery is lower. That gives personal information about the activities of the day. Someone could use that to ransom you because of the fact you weren't with your husband/wife/gf/bf/whatever that day. Or that information is out there telling people when your having sex. Or said person ransoms you saying you had an affair and you really just had a 15 min workout.
It also shows your sleep/work cycle as it shows that your daily habit is to sleep till 5 am via slower heartbeats till then or that your going to bed at 10pm each night when the data is uploaded on a regular rate. Social engineering information can be gotten from this info.
What about that base station does it say when it picks up the signal or when it losses it another way to tell habits from a person. All this with a device that they can't live without. Also what is the range on the NFC and other things. How easy is it to intercept it? Saying nothing is vital without knowing what is is just stupid. Like when people checked in on facebook and someone rob their house cause they were out. Information can imply or infer lots of different things.
(Score: 3, Funny) by wonkey_monkey on Wednesday January 06 2016, @05:04PM
Sure everyone knows your nuts
How do you know my nuts?
systemd is Roko's Basilisk
(Score: 2) by VLM on Wednesday January 06 2016, @06:18PM
Must... resist ... retro 80s ... male bonding ritual ... of playfully teasing ... your buddies with ... ur mom jokes ...
This post, and its dramatic pauses, brought to you by William Shatner. Also from the retro 80s.
(Score: 3, Funny) by isostatic on Wednesday January 06 2016, @09:51PM
Must... resist
Funny, that's not what your mom said!
(Score: 3, Touché) by Gaaark on Wednesday January 06 2016, @07:21PM
By word of mouth! :)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by rigrig on Wednesday January 06 2016, @05:36PM
Well, how about the fact that she's got a pacemaker?
No one remembers the singer.
(Score: 2) by Gravis on Wednesday January 06 2016, @05:37PM
The largest bug here is probably in the definition of "sensitive medical information"
i disagree. any information regarding your health and medical devices should always be considered "sensitive medical information" regardless of it's perceived importance. the saying, "one man's trash is another man's treasure," also applies to information. the very fact that it's sending information means it's possible to search for signals specific to pacemakers. this could then be used as a list of people you could target with the worst kind of ransomware, threatening your very life. how many people do you think would pay $100/month for the rest of their lives because an SMS hits their phone and threatens to disable their pacemaker if they don't pay? most people with pacemakers are old and easy targets really.
(Score: 2) by VLM on Wednesday January 06 2016, @06:11PM
When everything is sensitive, nothing is sensitive, leading to the second paragraph of my post, where her battery voltage is no different than her STD test results. I don't think that's a good idea.
Old people are already victimized to the best of their ability to pay by "magnetic therapy" and faith healing and homeopathy and endless other scams, so someone trying the SMS thing is trying to wedge into an already extremely full field. In terms of speed of impact therefore speed of response required, by analogy we're talking about email spammer number one million, not the first sql slammer worm. Its bad, but not really new or important or even rising to the level of clickbaitworthy.
Its also possible to flip the conversation and note that there's a unicorn startup based on people sharing the number of steps they take per day in social media. That might be a stupid idea or a dangerous idea, but the relevant adjective for it is 'popular' or at least temporarily 'profitable'. So its not unrealistic to predict that you'll have to scroll past friend's battery voltages as part of your social media feeds and they'll convince themselves that's the best idea ever. Personally I feel its TMI.
I think my second paragraph isn't getting enough air time. This story smells like those blinking banner ads from the 90s "warning, you are broadcasting an ip address" and if you click on the ad you get malware installed. "warning you are broadcasting sensitive medical information" and if we're dumb enough to click here, we'll get the last of our civil rights eliminated "for our safety" or some equally awful outcome. Imagine a DMCA that imprisoned anyone researching medical security or anyone reporting on security holes, such that all our devices will be hopelessly buggy and it'll be illegal to complain.
(Score: 2) by Gravis on Wednesday January 06 2016, @06:58PM
When everything is sensitive, nothing is sensitive,
not everything, just medical data.
(Score: 0) by Anonymous Coward on Thursday January 07 2016, @11:13AM
What? VLM substituting a trite phrase for critical thinking? What else is new?
(Score: 2) by isostatic on Wednesday January 06 2016, @09:53PM
ow many people do you think would pay $100/month for the rest of their lives ... most people with pacemakers are old
So not a major financial win then
(Score: 2) by sjames on Wednesday January 06 2016, @10:16PM
Her particular pacemaker might not be passing information that is all THAT sensitive, but it's also not your father's pacemaker. These days, they often include remote EKG monitoring and defibrillator functionality as well as sensing demand. It may well report every time it needs to overdrive to overcome Afib.
A defibrillation discharge will surely affect the battery status. Suddenly health insurance providers consider you a hot potato (even more than you were just for getting an implantable defibrillator).
Not to worry, Mr. VLM, this is not a polygraph exam (glancing down at EKG readout).
(Score: 0) by Anonymous Coward on Wednesday January 06 2016, @04:46PM
Probing the comms protocols and hacking the thing are very different things...
I was expecting to read about how she changed the frequency at which the gizmo zaps her heart but no... this was just her wondering about the comms...
(Score: 2) by Snotnose on Wednesday January 06 2016, @07:57PM
Came here to make the same point. Sounds like she was using Wireshark, not metasploit.
When the dust settled America realized it was saved by a porn star.
(Score: 3, Insightful) by bart9h on Wednesday January 06 2016, @06:58PM
Soon after, she sought out the manual for her closed-source device
there, I spotted the problem
(Score: 0) by Anonymous Coward on Wednesday January 06 2016, @08:05PM
"Personally I am not worried about being remotely assassinated, I am more worried about software bugs,"
...
"We don't want to hype the point [of fatal medical exploits] we want to show that hacking can save lives, and that hackers are a global resource to save lives,"
...except, this doesn''t preclude the premise of some technically adept miscreant (an angel of death, or killer nurse, if you will [0]) floating around a shopping mall with a software defined radio, and jamming the spectrum to affect (NFC) and kill for amusiement, rather than political target.
[0] https://en.wikipedia.org/wiki/Angel_of_mercy_%28criminology%29 [wikipedia.org]
(Score: 0) by Anonymous Coward on Thursday January 07 2016, @11:16AM
...except, this doesn''t preclude the premise of some technically adept miscreant (an angel of death, or killer nurse, if you will [0]) floating around a shopping mall with a software defined radio, and jamming the spectrum to affect (NFC) and kill for amusiement, rather than political target.
Could also do it for political target. Cheney famously had the wireless interface on his pacemaker disabled. [washingtonpost.com] It was even a plotline in Homeland. A show that gets a surprising amount of tech right, even when the politics are so often fanciful.