SoylentNews is people

posted by on Saturday June 03 2017, @03:27AM
from the feeling-a-little-uneasy-right-now dept.

The Security Ledger reports:

Software used to remotely program implantable cardiac devices by a number of vendors is rife with exploitable software vulnerabilities that leave the devices vulnerable to attacks and compromise, according to a report by the firm Whitescope Inc.

The analysis of hardware and software associated with implantable cardiac devices spanned four separate vendors and product families but found a wide range of security weaknesses, among them the use of permanent (or "hardcoded") authentication credentials like user names and passwords and the use of insecure communications, with one vendor transmitting patient data "in the clear." All four product families were found to be highly susceptible to "reverse engineering" by a knowledgeable adversary, exposing design flaws that might then be exploited in remote or local attacks, researchers Billy Rios of Whitescope and Dr. Jonathan Butts wrote in their report.

The two researchers investigated a range of hardware and software tools that together make up the ecosystem of implantable cardiac devices. In addition to the implantable devices, Rios and Butts obtained and analyzed "physician programmers" that are used to configure and update implanted devices wirelessly, home monitoring system hardware and software and the patient support network.

[...] A subsequent report by the U.S. Food and Drug Administration (FDA), released in April, found that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or other mitigations, or by replacing those devices.

The latest report, while omitting the names of specific products or vendors, finds similar evidence of lax security throughout implantable device ecosystems.

[...] "Across the 4 programmers built by 4 different vendors, we discovered over 8,000 vulnerabilities associated with outdated libraries and software in pacemaker programmers," the researchers report.

[...] Use of third-party hardware and software is rife in these medical devices. Across the four vendors, there was an average of 86 third-party components used in the implantable devices and 43 vulnerable third-party components. Per-device, the average number of known vulnerabilities in those third-party components was 2,166.

In its article on the topic, The BBC reports:

The separate study [PDF] that quizzed manufacturers, hospitals, and health organisations about the equipment they used when treating patients found that 80% said devices were hard to secure.

Bugs in code, lack of knowledge about how to write secure code, and time pressures made many devices vulnerable to attack, suggested the study.

Despite acknowledging these problems, only 9% of device makers and 5% of health organisations tested equipment annually for potential security vulnerabilities, it found.

A higher percentage of makers, 17%, took steps to secure the equipment they made.

The study found that 49% of manufacturers were not using advice from the US Food and Drug Administration about how to secure devices.

Previous: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable


  • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @05:57AM (#519749)

    Hey, I slip in a good one now and then. 8-)

    Now, I'm wondering what the brands were.
    ...and how other brands might fare.
    See the dept. line.

    -- OriginalOwner_ [soylentnews.org]