Submitted via IRC for SoyCow1984
Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday.
At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients.
Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.
Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers
Related Stories
The Internet of Things has introduced security issues to hundreds of devices that previously were off-limits to hackers, turning innocuous appliances like refrigerators and toasters into gateways for data theft and spying. But most alarmingly, the Internet of Things has created a whole new set of security vulnerabilities with life-threatening risks. We're talking about the cars and, particularly, medical devices that are now in the sights of hackers—including drug infusion pumps, pacemakers, and other critical hospital equipment.
Now a California medical doctor is teaming up with technologists and patients to develop a new technical standard to secure insulin pumps used by diabetics. The standard, expected to be completed by July, could become a model to help secure other medical equipment in the future—especially because, in an unconventional move, the doctor is collaborating with patients who tinker with their own medical devices.
Dr. David Klonoff, an endocrinologist and medical director of the Diabetes Research Institute at the Mills-Peninsula Health Services facility, became concerned for the safety of his patients after reading stories about security researchers like Jay Radcliffe who found vulnerabilities in his own insulin pump in 2012. The vulnerabilities would allow a hacker to manipulate the dosage and deliver too much insulin, causing a patient's blood sugar to plummet and lead him to potentially fall into a diabetic coma or die. "Right now there is no [security] standard for any medical device," Klonoff notes. "As health-care professionals, we all want to see our patients have safe equipment and not be at risk."
Klonoff wants to find a way to secure insulin pumps to shut out nefarious hackers while still letting patients hack their own pumps for better performance.
Creating a security standard for insulin pumps, however, comes with a caveat: it has to consider the needs of a special group of do-it-yourself patients and technologists who use an existing vulnerability in current insulin pumps to hack their devices and produce better, personalized results.
The diabetes community has a heightened interest in their medical equipment that exceeds that of other patient communities. Klonoff says his committee wants to embrace that rather than discount it. "We have to keep in mind the tradeoff between wanting security and maintaining usability ... and make it possible that a do-it-yourselfer can still do some things with their device," he says. "If we make the standard too tight ... a lot of patients will complain, 'Now I can't use my device.' There is always going to be this tradeoff."
A computer security researcher has probed the communication protocols used by her pacemaker – and hopes her findings will raise awareness of just how much info medical devices are emitting.
Marie Moe received her pacemaker four years ago after she experienced a form of arrhythmia, and her heart began to slow.
Soon after, she sought out the manual for her closed-source device – and enlisted the help of Cambridge University industrial control hacker Eireann Leverett to find out more about the vital gizmo that keeps her heart beating normally.
Moe, once of Norway's Computer Emergency Response Team, found the device had two wireless interfaces: some near-field communications (NFC) electronics used to exchange data with medical equipment during hospital check-ups, and another system for communicating with a bedside device.
Leverett says the bedside unit passes sensitive medical information about herself from her pacemaker to remote servers, and finally to her doctor's workstation, via communications channels from SMS and 3G to the standard internet. Leverett fears these channels are not necessarily secure, and the servers are often held in foreign countries – which all in all is a headache for privacy.
Please refrain from making comments about Larry and Curly.
TechDirt reports:
A team of hackers working for cybersecurity startup MedSec found a bevy of flaws in medical devices sold by St. Jude Medical Inc, ranging from a lack of overall encryption to vulnerabilities letting unauthorized devices communicate with the company's pacemakers and defibrillators. And while we've talked about the threat of hackable pacemakers for more than a decade, hackers are increasingly worming their way into poorly secured radiology equipment, blood gas analyzers and other hospital and nursing home equipment to steal data for identity theft, giving the threat an added dimension.
[...] Historically, many hackers and security firms either contact companies to alert them to vulnerabilities, or try to sell the not-yet-public vulnerabilities to corporate espionage and security firms or government agencies, who then happily exploit any impacted, unpatched systems (in this case, with potentially fatal results). But MedSec did something notably different. It reached out to the Muddy Waters Capital LLC investment firm, suggesting a partnership to short sell St. Jude stock before reporting the vulnerabilities to the FDA. Under the deal, MedSec makes more money the further shares fall.
Updated: El Reg reports:
"We're not saying the [MedSec] report [on St Jude Medical's implanted pacemakers and defibrillators] is false. We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue", said Kevin Fu, [University of Michigan] associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.
[...] MedSec's report [...] reads:
In many cases, the Crash Attack made the Cardiac Device completely unresponsive to interrogations from Merlin@home devices and Merlin programmers. It was therefore impossible to tell whether, and how the Cardiac Devices, are functioning. MedSec strongly suspects they were in many cases "bricked"--i.e., made to be non-functional. It is likely physicians would explant a device that did not respond to the programmer.
In some cases, a Cardiac Device subjected to a Crash Attack was still able to communicate with the programmer, and the information displayed was alarming.
According to U-M's team, though, the implanted pacemaker or defibrillators can and will continue operating as normal even if readings to the monitoring station are disrupted.
In other words, there's no conclusive evidence that the pacemaker or defibrillator actually stopped working after the radio communications were jammed. It's more of an annoyance for whoever is using the monitoring terminal than a potentially lethal situation.
Eduard Marin and Dave Singelée, researchers with KU Leuven University, Belgium, began examining the pacemakers under black box testing conditions in which they had no prior knowledge or special access to the devices, and used commercial off-the-shelf equipment to break the proprietary communications protocols.
From the position of blind attackers the pair managed to hack pacemakers from up to five metres away gaining the ability to deliver fatal shocks and turn off life-saving treatment.
The wireless attacks could also breach patient privacy, reading device information disclosing location history, treatments, and current state of health.
[...] "Using this black-box approach we just listened to the wireless communication channel and reverse-engineered the proprietary communication protocol. And once we knew all the zeros and ones in the message and their meaning, we could impersonate genuine readers and perform replay attacks etcetera."
TechDirt reports:
[The week of January 12,] the FDA was forced to issue a warning, noting that security vulnerabilities in the St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter could be a serious problem. It's notable as it's the first time we've seen the government publicly acknowledge this specific type of threat.
The St. Jude Medical Merlin@home Transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. But the FDA found that this transmitter was vulnerable to attack, with the press release politely tap dancing around the fact that said vulnerability could be used to kill:
"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."
According to the FDA, they have no evidence of anybody dying because of the vulnerability yet. They're also quick to note that St. Jude Medical issued a patch on January 9 that fixes this vulnerability.
Apparently, the "Move on; nothing to see here" claims were wrong.
University of Michigan Says Flaws That MedSec Reported Aren't That Serious
...and the "Let's look closely at these" lot were right way back when.
US Security Agencies Look at Medical Device Security
The Security Ledger reports:
Software used to remotely program implantable cardiac devices by a number of vendors is rife with exploitable software vulnerabilities that leave the devices vulnerable to attacks and compromise, according to a report by the firm Whitescope Inc.
The analysis of hardware and software associated with implantable cardiac devices spanned four separate vendors and product families but found a wide range of security weaknesses, among them the use of permanent (or "hardcoded") authentication credentials like user names and passwords and the use of insecure communications, with one vendor transmitting patient data "in the clear." All four product families were found to be highly susceptible to "reverse engineering" by a knowledgeable adversary, exposing design flaws that might then be exploited in remote or local attacks, researchers Billy Rios of Whitescope and Dr. Jonathan Butts wrote in their report.
The two researchers investigated a range of hardware and software tools that together make up the ecosystem of implantable cardiac devices. In addition to the implantable devices, Rios and Butts obtained and analyzed "physician programmers" that are used to configure and update implanted devices wirelessly, home monitoring system hardware and software and the patient support network.
[...] A subsequent report by the U.S. Food and Drug Administration (FDA), released in April, found that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or other mitigations, or by replacing those devices.
The latest report, while omitting the names of specific products or vendors, finds similar evidence of lax security throughout implantable device ecosystems.
[...] "Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers," the researchers report.
[...] Use of third-party hardware and software is rife in these medical devices. Across the four vendors, there was an average of 86 third-party components used in the implantable devices and 43 vulnerable third-party components. Per-device, the average number of known vulnerabilities in those third-party components was 2,166.
In its article on the topic, The BBC reports:
Ars Technica is reporting that 465,000 patients have been told to visit their doctor to patch a critical pacemaker vulnerability.
Cardiac pacemakers are small devices that are implanted in a patient's upper chest to correct abnormal or irregular heart rhythms. Pacemakers are generally outfitted with small radio-frequency equipment so the devices can be maintained remotely. That way, new surgeries aren't required after they're implanted. Like many wireless devices, pacemakers from Abbott Laboratories contain critical flaws that allow hijackers within radio range to seize control while the pacemakers are running.
"If there were a successful attack, an unauthorized individual (i.e., a nearby attacker) could gain access and issue commands to the implanted medical device through radio frequency (RF) transmission capability, and those unauthorized commands could modify device settings (e.g., stop pacing) or impact device functionality," Abbott representatives wrote in an open letter to doctors.
Also covered at Reuters.
The Abbot open letter also highlights that the upgrade process is not flawless:
Based on our previous firmware update experience, as with any software update, there is a very
low rate of malfunction resulting from the update. These risks (and their associated rates) include
but are not limited to:
* reloading of previous firmware version due to incomplete update (0.161%),
* loss of currently programmed device settings (0.023%),
* complete loss of device functionality (0.003%), and
* loss of diagnostic data (not reported).
Submitted via IRC for SoyCow3941
About 350,000 implantable defilibrators are up for a firmware update, to address potentially life-threatening vulnerabilities.
Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices. The update will strengthen the devices' protection against unauthorized access, as the provider said in a statement on its website: "It is intended to prevent anyone other than your doctor from changing your device settings."
The patch is part a planned series of updates that began with pacemakers, programmers and remote monitoring systems in 2017, following 2016 claims by researchers that the then-St. Jude's cardiac implant ecosystem was rife with cybersecurity flaws that could result in "catastrophic results."
Source: https://threatpost.com/abbott-addresses-life-threatening-flaw-in-a-half-million-pacemakers/131709/
Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Hacking Ventilators With DIY Dongles From Poland:
As COVID-19 surges, hospitals and independent biomedical technicians have turned to a global grey-market for hardware and software to circumvent manufacturer repair locks and keep life-saving ventilators running.
The dongle is handmade, little more than a circuit board encased in plastic with two connectors. One side goes to a ventilator’s patient monitor, another goes to the breath delivery unit. A third cable connects to a computer.
This little dongle—shipped to him by a hacker in Poland—has helped William repair at least 70 broken Puritan Bennett 840 ventilators that he’s bought on eBay and from other secondhand websites. He has sold these refurbished ventilators to hospitals and governments throughout the United States, to help them handle an influx of COVID-19 patients. Motherboard agreed to speak to William anonymously because he was not authorized by his company to talk to the media, but Motherboard verified the specifics of his story with photos and other biomedical technicians.
William is essentially Frankensteining together two broken machines to make one functioning machine. Some of the most common repairs he does on the PB840, made by a company called Medtronic, is replacing broken monitors with new ones. The issue is that, like so many other electronics, medical equipment, including ventilators, increasingly has software that prevents “unauthorized” people from repairing or refurbishing broken devices, and Medtronic will not help him fix them.
[...] Delays in getting equipment running put patients at risk. In the meantime, biomedical technicians will continue to try to make-do with what they can. “If someone has a ventilator and the technology to [update the software], more power to them,” Mackeil said. “Some might say you’re violating copyright, but if you own the machine, who’s to say they couldn’t or they shouldn’t?”
I understand that there is an ongoing debate on the "right to repair". However, many manufacturers increasingly find ways to ensure that "unauthorised" people cannot repair their devices. Where do you stand on this issue? During the ongoing pandemic, do medical device manufacturers have the right to prevent repair by third parties?
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @09:29AM (1 child)
Nice to see people picking up the mantle.
The last time I remember this being raised was back in 2012 by Barnaby Jack who then died under suspicious circumstances just before he had chance to present at Defcon 2013.
(Score: 3, Informative) by takyon on Wednesday August 15 2018, @09:38AM
We've covered this topic extensively:
A Doctor Trying to Save Medical Devices from Hackers [soylentnews.org]
Security Researcher Hacks Her Own Pacemaker [soylentnews.org]
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious [soylentnews.org]
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks [soylentnews.org]
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable [soylentnews.org]
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices [soylentnews.org]
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade [soylentnews.org]
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers [soylentnews.org]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Rivenaleem on Wednesday August 15 2018, @09:31AM (8 children)
Sure, encrypting the firmware and requiring HTTPS seems like a no-brainer, but as per the relevant XKCD (https://xkcd.com/1958/) why do you need to hack someone's pacemaker to murder them? What scenario are people envisaging where this is the best method of murdering someone? So the murder weapon becomes a firmware update, now your list of suspects gets REALLY small, REALLY quickly. If someone wants to kill someone who is fitted with a pacemaker, is installing a malicious firmware update really the best way to do it?
(Score: 2) by MostCynical on Wednesday August 15 2018, @09:37AM
Extortion..
Kill one or two, ask for money or btc from a few others..
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 1, Interesting) by Anonymous Coward on Wednesday August 15 2018, @10:02AM
And which coroner is going to look for that as a cause of death?? Also, brings a different meaning to "war driving".
And why is security of some less important than others?
https://nakedsecurity.sophos.com/2013/10/22/doctors-disabled-wireless-in-dick-cheneys-pacemaker-to-thwart-hacking/ [sophos.com]
(Score: 5, Interesting) by takyon on Wednesday August 15 2018, @10:09AM
Depending on how a device receives updates, this could be compared to a sniper rifle or nerve agent poisoning. But no matter what the true range is, heart attacks are not too suspicious and it's debatable whether anyone would audit a pacemaker to look for signs of e-murder.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by HiThere on Wednesday August 15 2018, @06:10PM (3 children)
I think that's the wrong argument. The real reason not to use encryption on pacemakers is so that in an emergency any emergency room can adjust them.
That said, *this* hack isn't of the pacemaker itself, but rather of the machine in the doctor's office that is used to adjust it. That *should* be better secured. For the pacemaker itself, requiring a near-field controller, as is (or was a couple of years ago) current practice, is the better solution.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2, Interesting) by doke on Wednesday August 15 2018, @07:18PM
"The real reason not to use encryption on pacemakers is so that in an emergency any emergency room can adjust them."
Tattoo the password on the patient's chest.
(Score: 2) by pipedwho on Thursday August 16 2018, @12:12AM (1 child)
Assuming the ER has the right control software and interface. And that the software supports that version of firmware and device manufacturer, etc.
I’d rather encryption that will at least attempt to prevent malicious access.
(Score: 2) by HiThere on Thursday August 16 2018, @12:55AM
My wife had a pacemaker, and ended up in ER multiple times. They were always able to (eventually) check the device, and sometimes adjust it. The bottleneck was trained cardiologists, not devices that could read the pacemaker. Perhaps if they'd needed to adjust it more frequently, the device would also have been a problem. In all events, I'm just as glad there wasn't an additional problem.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Thursday August 16 2018, @05:36PM
A nation-state scale actor looking to create panic amongst a population. "Strange sudden surge in cardiac pacemaker deaths across the country. 10,000 dead in 24 hours and climbing." That would more take a poison firmware update from the manufacturer with a timed delay to payload activation than a lone actor figuring it out.
Or a Columbo mystery. (Actually one where it will not be suspected as the mechanism of death and therefore the perpetrator cleanly walks away from murder. For any of the cold blooded classic murder motives where the perp wants to get away with it.)
You've truly got a point but doing so is already stupid and almost always illogical, so you have to be open to the most illogical possibilities.
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @06:45PM (1 child)
I'm really torn about this. On the one hand it's appalling to disregard security for these kinds of things.
On the other hand, murder is murder, and doing this kind of hack would be murder. I mean that in that "it's really easy to kill somebody, just stick a sharp piece of metal into them, or hold their nose and mouth closed for a few minutes, or..." The main thing which prevents people from killing others is laws and basic human decency/morality. Having another easy way to kill somebody doesn't help, but isn't the biggest threat vector.
I guess the main concern I'd have about this is if it is any easier than just stabbing somebody with a kitchen knife. If it is (e.g. the devices are internet connected so some hacker across the world could trigger it, if there is some auto-propagating malware which will affect it, etc), then it's a huge problem. Otherwise, it's unfortunate and bad, but maybe not a huge deal?
(Score: 2) by legont on Thursday August 16 2018, @12:54AM
Typically humans are hesitant to kill a nearby victim. Remote murder is no issue with the majority especially if employed for doing such.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.