
posted by takyon on Saturday January 14 2017, @12:40PM
from the death-by-remote dept.

TechDirt reports:

[The week of January 12,] the FDA was forced to issue a warning, noting that security vulnerabilities in the St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter could be a serious problem. It's notable as it's the first time we've seen the government publicly acknowledge this specific type of threat.

The St. Jude Medical Merlin@home Transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. But the FDA found that this transmitter was vulnerable to attack, with the press release politely tap dancing around the fact that said vulnerability could be used to kill:

"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."

According to the FDA, they have no evidence of anybody dying because of the vulnerability yet. They're also quick to note that St. Jude Medical issued a patch on January 9 that fixes this vulnerability.

Apparently, the "Move on; nothing to see here" claims were wrong.
University of Michigan Says Flaws That MedSec Reported Aren't That Serious
...and the "Let's look closely at these" lot were right way back when.
US Security Agencies Look at Medical Device Security

Related Stories

US Security Agencies Look at Medical Device Security

IEEE Spectrum has a story on medical device security, which follows a report from Reuters that the U.S. Department of Homeland Security is investigating possible security flaws in medical devices and hospital equipment.

From Reuters:

The products under review by the agency's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.

According to Spectrum the ICS-CERT team:

wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.

The Spectrum article also references the 2011 case of remotely hacking an insulin pump, demonstrated by Jerome Radcliffe.

Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious

TechDirt reports:

A team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company's pacemakers and defibrillators. And while we've talked about the threat of hackable pacemakers for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.

[...] Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.

Updated: El Reg reports:

"We're not saying the [MedSec] report [on St Jude Medical's implanted pacemakers and defibrillators] is false. We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue", said Kevin Fu, [University of Michigan] associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.

[...] MedSec's report [...] reads:

In many cases, the Crash Attack made the Cardiac Device completely unresponsive to interrogations from Merlin@home devices and Merlin programmers. It was therefore impossible to tell whether, and how, the Cardiac Devices are functioning. MedSec strongly suspects they were in many cases "bricked", i.e., made to be non-functional. It is likely physicians would explant a device that did not respond to the programmer.

In some cases, a Cardiac Device subjected to a Crash Attack was still able to communicate with the programmer, and the information displayed was alarming.

According to U-M's team, though, the implanted pacemaker or defibrillators can and will continue operating as normal even if readings to the monitoring station are disrupted.

In other words, there's no conclusive evidence that the pacemaker or defibrillator actually stopped working after the radio communications were jammed. It's more of an annoyance for whoever is using the monitoring terminal than a potentially lethal situation.

8,000 Vulnerabilities Found in Software to Manage Cardiac Devices

The Security Ledger reports:

Software used to remotely program implantable cardiac devices by a number of vendors is rife with exploitable software vulnerabilities that leave the devices vulnerable to attacks and compromise, according to a report by the firm Whitescope Inc.

The analysis of hardware and software associated with implantable cardiac devices spanned four separate vendors and product families but found a wide range of security weaknesses, among them the use of permanent (or "hardcoded") authentication credentials like user names and passwords and the use of insecure communications, with one vendor transmitting patient data "in the clear." All four product families were found to be highly susceptible to "reverse engineering" by a knowledgeable adversary, exposing design flaws that might then be exploited in remote or local attacks, researchers Billy Rios of Whitescope and Dr. Jonathan Butts wrote in their report.

The two researchers investigated a range of hardware and software tools that together make up the ecosystem of implantable cardiac devices. In addition to the implantable devices, Rios and Butts obtained and analyzed "physician programmers" that are used to configure and update implanted devices wirelessly, home monitoring system hardware and software and the patient support network.

[...] A subsequent report by the U.S. Food and Drug Administration (FDA), released in April, found that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or other mitigations, or by replacing those devices.

The latest report, while omitting the names of specific products or vendors, finds similar evidence of lax security throughout implantable device ecosystems.

[...] "Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers," the researchers report.

[...] Use of third-party hardware and software is rife in these medical devices. Across the four vendors, there was an average of 86 third-party components used in the implantable devices and 43 vulnerable third-party components. Per-device, the average number of known vulnerabilities in those third-party components was 2,166.

In its article on the topic, The BBC reports:

Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers

Submitted via IRC for SoyCow3941

About 350,000 implantable defibrillators are up for a firmware update, to address potentially life-threatening vulnerabilities.

Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices. The update will strengthen the devices' protection against unauthorized access, as the provider said in a statement on its website: "It is intended to prevent anyone other than your doctor from changing your device settings."

The patch is part of a planned series of updates that began with pacemakers, programmers and remote monitoring systems in 2017, following 2016 claims by researchers that the then-St. Jude cardiac implant ecosystem was rife with cybersecurity flaws that could result in "catastrophic results."

Source: https://threatpost.com/abbott-addresses-life-threatening-flaw-in-a-half-million-pacemakers/131709/

Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade


Hack Causes Pacemakers to Deliver Life-Threatening Shocks

Submitted via IRC for SoyCow1984

Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday.

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients.

Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

Source: https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/
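The Ars excerpt names two missing controls on the CareLink 2090 update path: transport encryption and firmware signing. The check that closes the second gap, an updater that refuses any image whose signature does not verify against a vendor public key pinned in the device and that refuses a rollback to an older release, is shown below as an added illustration. This is not Medtronic's, Rios's or Butts's code; the Ed25519 key pair, the image layout (a 4-byte version followed by the payload) and the version numbers are constructed for the example. The `LegacyAccept` function models an updater that only checks a CRC, which is the situation a checksum-only update path leaves you in: it catches corruption but not modification, because whoever can edit the payload can also recompute the checksum.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// FirmwareImage is a constructed stand-in for a programmer or implant
// firmware update: a monotonically increasing version plus the raw payload.
type FirmwareImage struct {
	Version uint32
	Payload []byte
}

// canonicalBytes returns the exact byte string that is signed and verified.
// Binding the version into the signed data is what lets the verifier refuse
// a rollback to an older, vulnerable release.
func canonicalBytes(img FirmwareImage) []byte {
	buf := make([]byte, 4+len(img.Payload))
	binary.BigEndian.PutUint32(buf[:4], img.Version)
	copy(buf[4:], img.Payload)
	return buf
}

// SignImage is what the vendor's release step would do with its offline
// private key (hypothetical release pipeline, constructed for the example).
func SignImage(priv ed25519.PrivateKey, img FirmwareImage) []byte {
	return ed25519.Sign(priv, canonicalBytes(img))
}

// VerifyAndAccept is the check a programmer should run before flashing.
// The vendor public key is pinned in the device; installedVersion is read
// from the firmware currently running.
func VerifyAndAccept(pub ed25519.PublicKey, installedVersion uint32, img FirmwareImage, sig []byte) error {
	if !ed25519.Verify(pub, canonicalBytes(img), sig) {
		return errors.New("firmware rejected: signature does not verify against pinned vendor key")
	}
	if img.Version <= installedVersion {
		return fmt.Errorf("firmware rejected: version %d is not newer than installed %d", img.Version, installedVersion)
	}
	return nil
}

// LegacyAccept models an updater that only checks a CRC-32 shipped with the
// image. A checksum detects accidental corruption, not tampering: anyone who
// can modify the payload can recompute the CRC, so this check passes for
// a modified image too.
func LegacyAccept(payload []byte, crc uint32) bool {
	return crc32.ChecksumIEEE(payload) == crc
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := FirmwareImage{Version: 2, Payload: []byte("constructed firmware payload v2")}
	sig := SignImage(priv, genuine)
	fmt.Println("genuine image, installed v1:", VerifyAndAccept(pub, 1, genuine, sig))

	// Same version, modified payload, original signature reused.
	tampered := FirmwareImage{Version: 2, Payload: []byte("constructed firmware payload v2 + extra")}
	fmt.Println("tampered image, signed updater:", VerifyAndAccept(pub, 1, tampered, sig))

	// Genuine, correctly signed, but older than what is installed.
	fmt.Println("genuine image, installed v2 (rollback):", VerifyAndAccept(pub, 2, genuine, sig))

	// The checksum-only updater accepts the modified image once its CRC is recomputed.
	fmt.Println("tampered image, CRC-only updater:", LegacyAccept(tampered.Payload, crc32.ChecksumIEEE(tampered.Payload)))
}
```

Signing alone does not replace the HTTPS transport the article also notes is missing: the signature stops a modified image from being flashed, while transport encryption keeps an observer from learning which device is being updated and from tampering with the download in the first place. Both belong on an update path, and the pinned public key must live in the device, not be fetched alongside the image.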

Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers


This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Saturday January 14 2017, @01:26PM (#453780)

    > Apparently, the "Move on; nothing to see here" claims were wrong.
    > University of Michigan Says Flaws That MedSec Reported Aren't That Serious

    Apparently there are Microsofters inside the University of Michigan and Fu appears to be one. The University can't maintain a top ranking with Microsofters as members of its faculty, or for that matter even its staff. HR needs to go through the resumes and send them packing.

    Same for the other top universities. It only hurts the nation as a whole to let them stay on board.

  • (Score: 3, Informative) by bradley13 (3053) on Saturday January 14 2017, @03:41PM (#453789) Homepage Journal

    First, let's put the truth out there: Security on most medical devices is essentially non-existent.

    Just like any other random electronics manufacturers, software is not their specialty, and they probably don't even have anyone on staff with a clue about security. It's bad when this happens with lightbulbs [theregister.co.uk]. It's a lot worse when it happens with critical medical devices. There is no excuse for this, other than the reality that really good developers are actually rather rare, and good developers with a deep understanding of security are even rarer.

    Ok, with those unpleasant truths out of the way: we need to keep in mind that there is always a compromise between security and usability. If you totally lock down a medical device, you will make it much more difficult to access it when you need to. To take an example I used in a comment on another post: Imagine you have a pacemaker that can be remotely controlled, and it has a super-secure system. You are travelling, and have a heart attack in some random spot on the planet. Whatever random hospital they wind up taking you to will be unable to access your pacemaker. Arguably, you are better off with *no* security beyond a proprietary protocol and a limited-range antenna.

    --
    Everyone is somebody else's weirdo.
  • (Score: 2) by tisI (5866) on Saturday January 14 2017, @04:13PM (#453804)

    Who Cares?

    I have a St. Jude pacemaker and Merlin set up.
    The Merlin sits right next to my bed and does its thing interacting with my device while I sleep.

    If somebody wants to "hack" my Merlin or device, they will have to do it while I am in my home, in my bed, .. get the idea?
    Who the fuck cares? I certainly don't!
    Any would-be-hacker/attacker in my home has much more on his plate right now with a .357mag barrel down his throat!
    This would NOT be his best day ever. More like his last.

    Nothing to see here
    move along ..

    --
    "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself."
    • (Score: 2) by tisI (5866) on Saturday January 14 2017, @04:20PM (#453819)

      And this is just me ..

      I bet anyone's Aunt Tilly would be able to beat some nerd to death with her cane if they were found in her bedroom at night trying to bork her Merlin, pacemaker, or dentures as well.

      --
      "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself."
  • (Score: 0) by Anonymous Coward on Saturday January 14 2017, @04:21PM (#453821)

    Back in 2007 Cheney had the wireless part of his pacemaker disabled [sophos.com] because of this risk.

    Those were the days!
    Back then Cheney shot a man in the face with a shotgun and his victim apologized to Cheney. [theguardian.com]

    That's real power. Trump only fantasizes about shooting people, [theguardian.com] Cheney actually does it. Trump will never live up to that.