Date: 2013-01-17
from the death-by-remote dept.
TechDirt reports:
[The week of January 12,] the FDA was forced to issue a warning, noting that security vulnerabilities in the St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter could be a serious problem. It's notable as it's the first time we've seen the government publicly acknowledge this specific type of threat.
The St. Jude Medical Merlin@home Transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. But the FDA found that this transmitter was vulnerable to attack, with the press release politely tap dancing around the fact that said vulnerability could be used to kill:
"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."
According to the FDA, the agency has no evidence of anybody dying because of the vulnerability yet. It is also quick to note that St. Jude Medical issued a patch on January 9 that fixes this vulnerability.
Apparently, the "Move on; nothing to see here" claims were wrong.
University of Michigan Says Flaws That MedSec Reported Aren't That Serious
...and the "Let's look closely at these" lot were right way back when.
US Security Agencies Look at Medical Device Security
Related Stories
IEEE Spectrum has a story on medical device security, which follows a report from Reuters that the U.S. Department of Homeland Security is investigating possible security flaws in medical devices and hospital equipment.
From Reuters:
The products under review by the agency's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.
According to Spectrum the ICS-CERT team:
wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.
The Spectrum article also references the 2011 case of remotely hacking an insulin pump, demonstrated by Jerome Radcliffe.
TechDirt reports:
A team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company's pacemakers and defibrillators. And while we've talked about the threat of hackable pacemakers for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.
[...] Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.
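The FDA text above describes an "altered" transmitter modifying programming commands, and the MedSec findings cite missing encryption and unauthorized devices talking to the implants. As an added illustration of the control that closes that gap (this is not code from St. Jude, MedSec, the FDA or the University of Michigan), the toy model below has the implant accept a programming command only when it carries a valid HMAC under a key shared with the authorized programmer and a strictly increasing counter, so a sender without the key, or one replaying an old frame, is rejected and logged. The frame layout, key, command format and class names are all assumptions for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo key shared by the implant and the authorized programmer.
# A real deployment would provision a per-device key, never a hard-coded one.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class ImplantController:
    """Toy model of a device that accepts only authenticated programming commands."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0      # anti-replay: accepted counters must increase
        self.pacing_rate = 60       # illustrative device state only
        self.log = []               # rejected frames, for the monitoring side

    def _mac(self, counter: int, cmd: bytes) -> bytes:
        return hmac.new(self._key, struct.pack(">Q", counter) + cmd, hashlib.sha256).digest()

    def handle_frame(self, frame: bytes) -> bool:
        """Assumed frame layout: 8-byte counter | 32-byte HMAC-SHA256 | command."""
        if len(frame) < 40:
            self.log.append("malformed")
            return False
        counter = struct.unpack(">Q", frame[:8])[0]
        tag, cmd = frame[8:40], frame[40:]
        if not hmac.compare_digest(tag, self._mac(counter, cmd)):
            self.log.append("bad_mac")      # sender does not hold the device key
            return False
        if counter <= self._last_counter:
            self.log.append("replay")       # old frame captured and resent
            return False
        self._last_counter = counter
        if cmd.startswith(b"RATE="):
            self.pacing_rate = int(cmd[5:])
        return True


def build_frame(key: bytes, counter: int, cmd: bytes) -> bytes:
    """What the authorized programmer sends: counter, tag, then the command."""
    mac = hmac.new(key, struct.pack(">Q", counter) + cmd, hashlib.sha256).digest()
    return struct.pack(">Q", counter) + mac + cmd


def demo():
    implant = ImplantController(DEVICE_KEY)
    accepted = implant.handle_frame(build_frame(DEVICE_KEY, 1, b"RATE=70"))
    unkeyed = implant.handle_frame(build_frame(b"not-the-device-key", 2, b"RATE=90"))
    replayed = implant.handle_frame(build_frame(DEVICE_KEY, 1, b"RATE=70"))
    return accepted, unkeyed, replayed, implant.pacing_rate, implant.log
```

The rejection log is the piece a monitoring station would want: repeated bad_mac or replay entries from one transmitter are a signal that the transmitter itself has been altered, which is the scenario the FDA notice describes.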
Updated: El Reg reports:
"We're not saying the [MedSec] report [on St Jude Medical's implanted pacemakers and defibrillators] is false. We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue", said Kevin Fu, [University of Michigan] associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.
[...] MedSec's report [...] reads:
In many cases, the Crash Attack made the Cardiac Device completely unresponsive to interrogations from Merlin@home devices and Merlin programmers. It was therefore impossible to tell whether, and how, the Cardiac Devices are functioning. MedSec strongly suspects they were in many cases "bricked", i.e., made to be non-functional. It is likely physicians would explant a device that did not respond to the programmer.
In some cases, a Cardiac Device subjected to a Crash Attack was still able to communicate with the programmer, and the information displayed was alarming.
According to U-M's team, though, the implanted pacemaker or defibrillators can and will continue operating as normal even if readings to the monitoring station are disrupted.
In other words, there's no conclusive evidence that the pacemaker or defibrillator actually stopped working after the radio communications were jammed. It's more of an annoyance for whoever is using the monitoring terminal than a potentially lethal situation.
Microsofters dragging down the Universities (Score:0)
> Apparently, the "Move on; nothing to see here" claims were wrong.
> University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Apparently there are Microsofters inside the University of Michigan and Fu appears to be one. The University can't maintain a top ranking with Microsofters as members of its faculty, or for that matter even its staff. HR needs to go through the resumes and send them packing.
Same for the other top universities. It only hurts the nation as a whole to let them stay on board.