Pacemaker Hack Installs Malware Directly On the Unit

Source: communitynews.com.au

Advancements in healthcare technology continues to find ways to help doctors in giving their patients better care and to assist patients in monitoring their own health.  However, the same technology that is designed to benefit patients can be manipulated to cause harm.  One example of this was made public last week when it was revealed that a new pacemaker hack can install malware directly on the unit.

The Threat of Hacking a Pacemaker is Real

When hearing about the potential of hacking a person’s pacemaker, many may think this is something one would see in a science fiction movie; however, the threat is not only real but is nothing new.  Roughly a decade ago, it was reported that it was possible for someone who possessed the right tools and a little know-how to successfully hack a pacemaker.

Source: thehackernews.com

The article said that many pacemakers were designed to hold a radio which allowed heart-control devices to be reprogrammed.  Since the signal was unencrypted, this opening allowed any malicious attackers to either deliver a shock to the heart that would cause ventricular fibrillation or to completely shut down the device.  Although pacemakers have been modified to protect against this, new reporting states that hackers have found a new way to access and control a pacemaker.

Researchers Warn of Potentially Life-threatening Vulnerabilities

Writer Lily Hay Newman from Wired reported last week about the latest weapon that hackers are using to hack into a pacemaker; the ability to install malware directly on an implanted device.  The warning comes from two researchers, Jonathon Butts of QED Secure Solutions and Billy Rios from the security firm Whitescope, who for roughly two years have been going back and forth with Medtronic; the company manufactures pacemakers.  They also design Carelink 2090 pacemaker programmers and other equipment that is relevant which the researchers stated contain possible life-threatening vulnerabilities.

Others who have gotten involved are the Food and Drug Administration as well as the Department of Homeland and Security.  Though some of the issues the researchers discovered have been taken care of by Medtronic, Butts and Rios stated that many other issues remain unresolved, which puts patients with pacemakers at a high risk.  Both researchers presented their findings at the recent Black Hat Security Conference. 

Failing to Respond Appropriately

According to Butts and Rios, they say that they have found a chain of vulnerabilities in the infrastructure of Medtronic’s that could be exploited by an attacker to gain control remotely of an implanted pacemaker.  This means a patient would be at serious risk of having someone deliver a shock to the individual that is not required or withhold shocks that are required, which can cause real harm.

Source: csoonline.com

Butts said that the time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues.  Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating.

Apparently, it took ten months for Medtronic to vet the submission; they decided not to take any action in securing the network.  The company wrote in February that Medtronic has assessed the vulnerabilities per our internal process.  These findings revealed no new potential safety risks based on the existing product security risk assessment. The risks are controlled, and residual risk is acceptable. 

Rios said that they sent recommendations and data to both the FDA and Medtronic.  Spokesperson Erika Winkels for Medtronic said in a statement to Wired that all devices carry some associated risk, and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide.  Medtronic deploys a robust, coordinated disclosure process and takes seriously all potential cybersecurity vulnerabilities in our products and systems. … In the past, WhiteScope, LLC has identified potential vulnerabilities which we have assessed independently and also issued related notifications, and we are not aware of any additional vulnerabilities they have identified at this time.

Source: forbes.com

The bottom line is that Medtronic insists it has researched the concerns and established adequate defenses set up to protect patients.  Rios responded by saying we’ll just demonstrate the exploits in action and let people decide for themselves.