
SoylentNews is people

posted by mrpg on Saturday December 03 2016, @03:31PM
from the hacked-in-a-heartbeat dept.

A global research team has hacked 10 different types of implantable medical devices and pacemakers, finding exploits that could allow wireless remote attackers to kill victims.

Eduard Marin and Dave Singelée, researchers with KU Leuven University, Belgium, began examining the pacemakers under black box testing conditions in which they had no prior knowledge or special access to the devices, and used commercial off-the-shelf equipment to break the proprietary communications protocols.

From the position of blind attackers, the pair managed to hack pacemakers from up to five metres away, gaining the ability to deliver fatal shocks and turn off life-saving treatment.

The wireless attacks could also breach patient privacy, reading device information disclosing location history, treatments, and current state of health.

[...] "Using this black-box approach we just listened to the wireless communication channel and reverse-engineered the proprietary communication protocol. And once we knew all the zeros and ones in the message and their meaning, we could impersonate genuine readers and perform replay attacks etcetera."



Related Stories

Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers 4 comments

Submitted via IRC for SoyCow3941

About 350,000 implantable defibrillators are up for a firmware update, to address potentially life-threatening vulnerabilities.

Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices. The update will strengthen the devices' protection against unauthorized access, as the provider said in a statement on its website: "It is intended to prevent anyone other than your doctor from changing your device settings."

The patch is part of a planned series of updates that began with pacemakers, programmers and remote monitoring systems in 2017, following 2016 claims by researchers that the then-St. Jude's cardiac implant ecosystem was rife with cybersecurity flaws that could result in "catastrophic results."

Source: https://threatpost.com/abbott-addresses-life-threatening-flaw-in-a-half-million-pacemakers/131709/

Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade



Hack Causes Pacemakers to Deliver Life-Threatening Shocks 13 comments

Submitted via IRC for SoyCow1984

Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday.

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients.

Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

Source: https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/

Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers



This discussion has been archived. No new comments can be posted.
  • (Score: 3, Informative) by Dunbal on Saturday December 03 2016, @03:49PM

    by Dunbal (3515) on Saturday December 03 2016, @03:49PM (#436540)

    Of course for most of these you have to be in physical contact with the patient. The "wireless" attack has a range of 2-5 meters, but very few defibrillators/pacemakers have that feature turned on. The others you need to be in skin contact with the person. Well if you can get that close, a knife could be much simpler.

    • (Score: 2, Informative) by Ethanol-fueled on Saturday December 03 2016, @04:12PM

      by Ethanol-fueled (2792) on Saturday December 03 2016, @04:12PM (#436542) Homepage

      Notably, Dick "Darth Vader" Cheney had high-profile issues [sophos.com] with potential threats to his pacemaker.

      • (Score: 2) by Dunbal on Saturday December 03 2016, @05:48PM

        by Dunbal (3515) on Saturday December 03 2016, @05:48PM (#436569)

        The wireless is disabled by default. You have to enable it. This is per my experience as a physician and per TFA. So the Cheney story was probably just attention-seeking which is all well and good because secure devices are not a bad idea, but not exactly the truth either.

        • (Score: 0) by Anonymous Coward on Sunday December 04 2016, @01:48AM

          by Anonymous Coward on Sunday December 04 2016, @01:48AM (#436729)

          Wow, a physician.

          Hey listen, doc. I got this weird itch...

        • (Score: 2) by Snotnose on Sunday December 04 2016, @01:58AM

          by Snotnose (1623) Subscriber Badge on Sunday December 04 2016, @01:58AM (#436734)

          If it's disabled by default how do you enable it? Get the pulse rate up to 120, down to 90, up to 100, within 5 minutes?

          --
          Every time a Christian defends Trump an angel loses its lunch.
          • (Score: 2) by davester666 on Sunday December 04 2016, @08:05AM

            by davester666 (155) on Sunday December 04 2016, @08:05AM (#436820)

            You have to hit it with a defibrillator to flip the switch.

        • (Score: 1) by anubi on Sunday December 04 2016, @06:15AM

          by anubi (2828) on Sunday December 04 2016, @06:15AM (#436794) Journal

          Seems like something like an induction-coil coupler would be appropriate, so one would have to have the communication coil right over the skin under which the other coil resides.

          If one has intent to do another in, it's probably gonna happen anyway... whether it be done by clever technical means, chemical means, or physical means.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 5, Informative) by TheRaven on Saturday December 03 2016, @06:53PM

      by TheRaven (270) on Saturday December 03 2016, @06:53PM (#436582) Journal
      If you stab someone, it's obvious to them that you've attacked them and even more obvious on surveillance footage, plus you have a bloody murder weapon that's tied to the victim and it's pretty obvious that they were murdered. If you only need brief skin contact, then you can just brush past them and trigger a heart attack. It probably won't even show up on CCTV - you're just one of the people in a crowd that passed the person who died of natural causes.
      --
      sudo mod me up
    • (Score: 2) by dyingtolive on Saturday December 03 2016, @11:14PM

      by dyingtolive (952) on Saturday December 03 2016, @11:14PM (#436687)

      Five fingered death punch?

      --
      Don't blame me, I voted for moose wang!
  • (Score: 0) by Anonymous Coward on Saturday December 03 2016, @04:24PM

    by Anonymous Coward on Saturday December 03 2016, @04:24PM (#436545)

    Are they going to publish them as metasploit modules anytime soon? Also, wouldn't increasing transmit power increase the range, as some people did aeons ago with bluetooth "sniper rifle"?

  • (Score: 5, Interesting) by bradley13 on Saturday December 03 2016, @05:24PM

    by bradley13 (3053) on Saturday December 03 2016, @05:24PM (#436562) Homepage Journal

    The signals are not encrypted; there is no security to hack. This is a design decision. The manufacturers have some command protocol that they developed and use; while this may not be publicly documented, it is hardly secret: monitor the signals used, and you can figure it out. This doesn't take a "security researcher", all it takes is a kid with the right radio kit.

    Consider: you have a pacemaker with a secure interface. You have a heart problem, and are taken to the nearest hospital. How does that hospital get the private key required to talk to your pacemaker? Which is the lesser risk to the patient's health: leaving the interface open, or securing it?

    --
    Everyone is somebody else's weirdo.
    • (Score: 3, Insightful) by RamiK on Saturday December 03 2016, @07:14PM

      by RamiK (1813) on Saturday December 03 2016, @07:14PM (#436593)

      How does that hospital get the private key required to talk to your pacemaker?

      0. Pacemakers shouldn't have built-in keys.

      1. As part of the installation procedure, you create your own private key and install it as root trust in the pacemaker.

      2. Using your private key, you log-in to the admin interface and install the hospital's public key for special and specific operations (turn pacemaker on\off & logs...) but not the right to replace the private key. You do this with all the area's hospitals. A key ring might also work here.

      3. If the hospital loses their key, they issue a revocation certificate to a prearranged key repository. You \ your IoT pacemaker occasionally pulls updates from there.

      So, this way you're not dependent on the manufacturer keeping their key secure. If you don't trust a specific hospital or care provider, you don't have to give them some or all rights. If you're traveling somewhere, you check up on the local hospital's sites and install their keys. If you're too lazy, you can just install some kind of state \ insurance \ manufacturer's run keyrings and you'd still benefit from being able to remove them if they're ever compromised. You can time limit certain keys - like say, you're going up on a plane and decide to give access to the airline for the duration of the flight....

      In short, the GnuPG model.

      --
      compiling...
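The key arrangement RamiK outlines (an owner root key, per-hospital keys limited to specific operations, time limits, revocation), as an added Go sketch that is not code from the post or from any device vendor. The `Grant` and `Device` types, the operation names and the `op|payload` signing format are assumptions; replay protection is left out to keep the focus on the trust store.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Grant is what the owner installed for one delegate key (hypothetical layout).
type Grant struct {
	Ops     map[string]bool // operations this key may request
	Expires time.Time       // zero value means no time limit
}

// Device stores public keys only: the owner's root key plus delegate grants.
type Device struct {
	Owner  ed25519.PublicKey
	Grants map[string]Grant // keyed by string(public key)
}

// Authorize verifies a signature over "op|payload", then applies the grant rules.
func (d *Device) Authorize(pub ed25519.PublicKey, op string, payload, sig []byte, now time.Time) error {
	g, known := d.Grants[string(pub)]
	switch {
	case !ed25519.Verify(pub, append([]byte(op+"|"), payload...), sig):
		return fmt.Errorf("bad signature")
	case pub.Equal(d.Owner):
		return nil // root of trust: every operation, including key replacement
	case !known:
		return fmt.Errorf("key unknown or revoked")
	case !g.Expires.IsZero() && now.After(g.Expires):
		return fmt.Errorf("grant expired")
	case !g.Ops[op]:
		return fmt.Errorf("operation not granted")
	}
	return nil
}

// DelegationDemo runs constructed requests against a constructed trust store.
func DelegationDemo() []string {
	now := time.Date(2016, 12, 3, 12, 0, 0, 0, time.UTC)
	ownerPub, ownerKey, _ := ed25519.GenerateKey(nil)
	hospPub, hospKey, _ := ed25519.GenerateKey(nil)
	grant := Grant{Ops: map[string]bool{"read-logs": true}, Expires: now.Add(time.Hour)}
	d := &Device{Owner: ownerPub, Grants: map[string]Grant{string(hospPub): grant}}
	try := func(pub ed25519.PublicKey, key ed25519.PrivateKey, op string, at time.Time) string {
		return fmt.Sprint(d.Authorize(pub, op, nil, ed25519.Sign(key, []byte(op+"|")), at))
	}
	out := []string{try(hospPub, hospKey, "read-logs", now), try(hospPub, hospKey, "replace-key", now),
		try(ownerPub, ownerKey, "replace-key", now), try(hospPub, hospKey, "read-logs", now.Add(2*time.Hour))}
	delete(d.Grants, string(hospPub)) // a revocation pulled from the key repository
	return append(out, try(hospPub, hospKey, "read-logs", now))
}
func main() { fmt.Println(DelegationDemo()) }
```
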
      • (Score: 0) by Anonymous Coward on Saturday December 03 2016, @08:02PM

        by Anonymous Coward on Saturday December 03 2016, @08:02PM (#436612)

        Unfortunately, it is difficult to have enough precognition to determine where you will end up in an emergency (not to mention the staff's familiarity with whatever tech you happen to be using). Hospitals on divert can have you end up in the strangest places, including a hospital several hours away if you happen to live in the boonies.

        It might be wiser to have keys available to ambulance services instead of hospitals for just this reason. Still reasonably secure, but the keys can travel to the patient instead of vice-versa.

        • (Score: 2) by RamiK on Saturday December 03 2016, @10:06PM

          by RamiK (1813) on Saturday December 03 2016, @10:06PM (#436662)

          staff's familiarity with whatever tech you happen to be using

          This kind of key system will need to go through the FDA anyhow so it implies standardizing pacemaker protocols around it in the same way GSM is standardized.

          It might be wiser to have keys available to ambulance services instead of hospitals for just this reason. Still reasonably secure, but the keys can travel to the patient instead of vice-versa.

          Redundant with a local keyring. Ambulances and paramedics need certifying anyhow. Might as well give them a key and have them register as part of the keyring.

          --
          compiling...
      • (Score: 2) by maxwell demon on Saturday December 03 2016, @08:03PM

        by maxwell demon (1608) on Saturday December 03 2016, @08:03PM (#436615) Journal

        Using your private key, you log-in to the admin interface and install the hospital's public key for special and specific operations

        So, please tell me, what is the hospital you'll be delivered to in case of an emergency while on your next travel? Do you search out every hospital along your travel route to register all their keys?

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Saturday December 03 2016, @08:16PM

          by Anonymous Coward on Saturday December 03 2016, @08:16PM (#436623)

          MD here. Upvote parent, this is the correct answer.

          • (Score: 0) by Anonymous Coward on Saturday December 03 2016, @11:31PM

            by Anonymous Coward on Saturday December 03 2016, @11:31PM (#436692)

            System designer here. Public key server or possibly a public block-chain (depending on merits of centralized vs decentralized) is the right answer. Don't let MDs decide technical issues outside their field of expertise is another correct answer.

        • (Score: 2) by RamiK on Saturday December 03 2016, @09:53PM

          by RamiK (1813) on Saturday December 03 2016, @09:53PM (#436659)

          A time limited travel-route \ country wide keyring while traveling would be a quick fix. Maybe a small bar-code on a necklace or bracelet that you get before heading out that has the time limited key on it... People with chronic conditions (allergies, chronic heart, pancreatic, renal problems...) deal with these sort of headaches all the time where they might be admitted to the care of a doctor that doesn't have their medical records.

          --
          compiling...
    • (Score: 0) by Anonymous Coward on Saturday December 03 2016, @11:52PM

      by Anonymous Coward on Saturday December 03 2016, @11:52PM (#436701)

      The most critical messages should be encrypted using symmetric cryptography. The passkey would be stored in software and carried by the patient in his/her wallet or house key ring. They would also be registered with the patient's health care provider(s).

      Of course critical messages would include changing the passkey, and some way to do a secure ping to verify that the key is correct (the answer would be yet another numeric code, whose correct value would also be stored on the passkey card; failure would produce a non-matching code, indistinguishable in appearance from a correct value).

      Status and other routine messages could be unencrypted, to give attackers less opportunity to monitor encrypted traffic.

      This is all pretty much common sense.
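An added sketch of the passkey scheme in the comment above, not code from the commenter or any device maker: a 6-digit "secure ping" plus critical commands checked against the shared passkey. It authenticates with HMAC-SHA256 instead of encrypting and adds a message counter so a recorded command cannot be replayed; those choices, the message layout and all names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// mac computes HMAC-SHA256 over a domain label, a counter and the message body.
func mac(key []byte, label string, ctr uint64, body string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(label))
	binary.Write(h, binary.BigEndian, ctr)
	h.Write([]byte(body))
	return h.Sum(nil)
}

// PingCode answers a fresh challenge with six digits. A wrong passkey still
// yields six digits, just not the ones the holder of the real passkey computes.
func PingCode(key []byte, challenge uint64) string {
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(mac(key, "ping", challenge, ""))%1000000)
}

// Implant keeps the passkey and the highest command counter accepted so far.
type Implant struct {
	key  []byte
	last uint64
}

// Accept rejects forged tags and any counter already seen (a replayed capture).
func (d *Implant) Accept(ctr uint64, body string, tag []byte) string {
	switch {
	case !hmac.Equal(tag, mac(d.key, "cmd", ctr, body)):
		return "rejected: bad tag"
	case ctr <= d.last:
		return "rejected: replay"
	}
	d.last = ctr
	return "accepted"
}

// PasskeyDemo uses a constructed passkey and constructed command strings.
func PasskeyDemo() []string {
	key := []byte("constructed passkey from the patient's card")
	d := &Implant{key: key}
	good := mac(key, "cmd", 1, "set-mode=monitor")
	forged := mac([]byte("guess"), "cmd", 2, "set-mode=monitor")
	return []string{d.Accept(1, "set-mode=monitor", good), d.Accept(1, "set-mode=monitor", good),
		d.Accept(2, "set-mode=monitor", forged), d.Accept(2, "set-mode=test", mac(key, "cmd", 2, "set-mode=test"))}
}

func main() { fmt.Println(PasskeyDemo(), PingCode([]byte("constructed passkey"), 42)) }
```
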

    • (Score: 2) by Dogeball on Sunday December 04 2016, @03:36PM

      by Dogeball (814) on Sunday December 04 2016, @03:36PM (#436894)

      Option 1) Tattoo the access code on the patient.
      Option 2) Interact using a manufacturer-signed device that is provided to paramedics (I assume non-hackers need a specific device or software to control the settings anyway)
      Option 3) Patient carries device or app paired to their pacemaker
      Option 4) Hospital has ability to cut the damn device out and defibrillate the normal way.

      It is eminently possible to make bad things as difficult as possible while making good things able to be done: this is called safety engineering.

  • (Score: -1, Troll) by Anonymous Coward on Saturday December 03 2016, @06:25PM

    by Anonymous Coward on Saturday December 03 2016, @06:25PM (#436576)

    If someone is victimized using the methods described by this paper, it would be hard for the authors to claim that their work had nothing to do with the crime.

    Of course this issue comes up with other exploit publishing as well, but in this case the downside risk is unusually stark.

    • (Score: 2) by quintessence on Saturday December 03 2016, @08:30PM

      by quintessence (6227) on Saturday December 03 2016, @08:30PM (#436627)

      I thought the security through obscurity model was sufficiently out of vogue by now.

      While the notion of keeping people safe is laudable, there is also the not so small matter of determining whether a crime has been committed. If researchers can find the exploits, it is almost certain people with better incentives and more highly motivated can too. Better that those methods be described than hidden under wraps, especially for people who aren't necessarily in the know with regards to the latest tech, unaware that devices can be hacked; it just seems a run of bad luck with certain devices.

  • (Score: 2) by chewbacon on Sunday December 04 2016, @02:38PM

    by chewbacon (1032) on Sunday December 04 2016, @02:38PM (#436883)

    At first I thought maybe they interfered with the device sensing thus preventing stimulation, but they're just tampering with shit. And pacemakers are not intended to shock, that's an implanted cardioverter defibrillator (ICD). So either this is an oversight by the author and editor or the device manufacturer needs to engineer some safety into their devices.