SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow1984
Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday.
At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients.
Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.
Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @09:29AM (1 child)
Nice to see people picking up the mantle.
The last time I remember this being raised was back in 2012 by Barnaby Jack who then died under suspicious circumstances just before he had chance to present at Defcon 2013.
(Score: 3, Informative) by takyon on Wednesday August 15 2018, @09:38AM
We've covered this topic extensively:
A Doctor Trying to Save Medical Devices from Hackers [soylentnews.org]
Security Researcher Hacks Her Own Pacemaker [soylentnews.org]
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious [soylentnews.org]
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks [soylentnews.org]
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable [soylentnews.org]
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices [soylentnews.org]
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade [soylentnews.org]
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers [soylentnews.org]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Rivenaleem on Wednesday August 15 2018, @09:31AM (8 children)
Sure, encrypting the firmware and requiring HTTPS seems like a no-brainer, but as per the relevant XKCD (https://xkcd.com/1958/) why do you need to hack someone's pacemaker to murder them? What scenario are people envisaging where this is the best method of murdering someone? So the murder weapon becomes a firmware update, now your list of suspects gets REALLY small, REALLY quickly. If someone wants to kill someone who is fitted with a pacemaker, is installing a malicious firmware update really the best way to do it?
(Score: 2) by MostCynical on Wednesday August 15 2018, @09:37AM
Extortion..
Kill one or two, ask for money or btc from a few others..
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 1, Interesting) by Anonymous Coward on Wednesday August 15 2018, @10:02AM
And which coroner is going to look for that as a cause of death?? Also, brings a different meaning to "war driving".
And why is security of some less important than others?
https://nakedsecurity.sophos.com/2013/10/22/doctors-disabled-wireless-in-dick-cheneys-pacemaker-to-thwart-hacking/ [sophos.com]
(Score: 5, Interesting) by takyon on Wednesday August 15 2018, @10:09AM
Depending on how a device receives updates, this could be compared to a sniper rifle or nerve agent poisoning. But no matter what the true range is, heart attacks are not too suspicious and it's debatable whether anyone would audit a pacemaker to look for signs of e-murder.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by HiThere on Wednesday August 15 2018, @06:10PM (3 children)
I think that's the wrong argument. The real reason not to use encryption on pacemakers is so that in an emergency any emergency room can adjust them.
That said, *this* hack isn't of the pacemaker itself, but rather of the machine in the doctor's office that is used to adjust it. That *should* be better secured. For the pacemaker itself, requiring a near-field controller, as is (or was a couple of years ago) current practice, is the better solution.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2, Interesting) by doke on Wednesday August 15 2018, @07:18PM
"The real reason not to use encryption on pacemakers is so that in an emergency any emergency room can adjust them."
Tattoo the password on the patient's chest.
(Score: 2) by pipedwho on Thursday August 16 2018, @12:12AM (1 child)
Assuming the ER has the right control software and interface. And that the software supports that version of firmware and device manufacturer, etc.
I’d rather encryption that will at least attempt to prevent malicious access.
(Score: 2) by HiThere on Thursday August 16 2018, @12:55AM
My wife had a pacemaker, and ended up in ER multiple times. They were always able to (eventually) check the device, and sometimes adjust it. The bottleneck was trained cardiologists, not devices that could read the pacemaker. Perhaps if they'd needed to adjust it more frequently, the device would also have been a problem. In all events, I'm just as glad there wasn't an additional problem.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Thursday August 16 2018, @05:36PM
A nation-state scale actor looking to create panic amongst a population. "Strange sudden surge in cardiac pacemaker deaths across the country. 10,000 dead in 24 hours and climbing." That would more take a poison firmware update from the manufacturer with a timed delay to payload activation than a lone actor figuring it out.
Or a Columbo mystery. (Actually one where it will not be suspected as the mechanism of death and therefore the perpetrator cleanly walks away from murder. For any of the cold blooded classic murder motives where the perp wants to get away with it.)
You've truly got a point but doing so is already stupid and almost always illogical, so you have to be open to the most illogical possibilities.
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @06:45PM (1 child)
I'm really torn about this. On the one hand it's appalling to disregard security for these kinds of things.
On the other hand, murder is murder, and doing this kind of hack would be murder. I mean that in that "it's really easy to kill somebody, just stick a sharp piece of metal into them, or hold their nose and mouth closed for a few minutes, or..." The main thing which prevents people from killing others is laws and basic human decency/morality. Having another easy way to kill somebody doesn't help, but isn't the biggest threat vector.
I guess the main concern I'd have about this is if it is any easier than just stabbing somebody with a kitchen knife. If it is (e.g. the devices are internet connected so some hacker across the world could trigger it, if there is some auto-propagating malware which will affect it, etc), then it's a huge problem. Otherwise, it's unfortunate and bad, but maybe not a huge deal?
(Score: 2) by legont on Thursday August 16 2018, @12:54AM
Typically humans are hesitant to kill a nearby victim. Remote murder is no issue with the majority especially if employed for doing such.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.