Significant vulnerabilities have been discovered in pacemakers that could allow hackers to deliver potentially fatal shocks.
At the Black Hat security conference in Las Vegas last week, researchers Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions demonstrated the hack against Medtronic’s CareLink 2090 programmer, which doctors use to monitor pacemakers after they are implanted in a patient.
As the devices don’t rely on encryption to protect software updates, the researchers were able to show they could install malicious firmware that users couldn’t detect. That firmware then allowed them to deliver or prevent shocks, with potentially fatal consequences.
In a statement, Medtronic said an ICS-CERT advisory was issued on the matter in February, and that existing controls mitigate the vulnerabilities identified by the researchers.
“Medtronic recommends that customers continue to follow the security guidance detailed in the Medtronic 2090 CareLink Programmer reference manual,” Medtronic said in a statement.
“This guidance includes maintaining good physical controls over the Programmer and having a secure physical environment that prevents access to the 2090 Programmer.”
But the researchers criticised Medtronic for its response, saying they had first alerted the company to the vulnerability in February 2017, and that despite the reassurances, the hack could still work today.
“The time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues,” Butts said.
“Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating.”
It was this lack of action from Medtronic that led the researchers to go public with their findings.
“About 155 days ago we told them how someone could actually take it over. Months ago, we hit a turning point and said ‘enough’s enough’,” Rios said.
Medtronic said the delays were due to its discussions and consultations with various enforcement bodies.
“While the advisory process took longer than all parties desired, this process was necessary to coordinate with WhiteScope, ICS-CERT and FDA to determine whether this should result in a public disclosure or advisory,” the company said in a statement.
In February, the company said that the “residual risk” is “acceptable”.
“Medtronic has assessed the vulnerabilities per our internal process,” the company said.
“These findings revealed no new potential safety risks based on the existing product security risk assessment. The risks are controlled, and residual risk is acceptable.”
But the company has chosen not to issue a security update to address the issue, despite the researchers saying that “code signing” could easily prevent the attack. Code signing involves the digital signing of scripts to confirm they haven’t been corrupted or altered.
The researchers also demonstrated that they could hack Medtronic’s insulin pump, showing they were able to send the pump instructions to withhold a scheduled dosage of insulin. They did this by exploiting another vulnerability, this one in the software delivery servers Medtronic employs in its internal network, which lets hackers join the network and tamper with the update process.
It’s important that users of life-saving medical technologies trust the companies that develop them, Rios said.
“At this time, as security researchers, we believe the benefits for implanting medical devices outweigh the risks,” he said.
“However, when you have manufacturers acting the way Medtronic did, it’s hard to trust them.”
He also criticised the medtech company for not clearly outlining the risks to its consumers and the measures in place to mitigate them.
“When someone gets this advisory and they’re reading this language, it’s almost impossible for them to understand what the risks are,” Rios said.
The revelations come after the US Food and Drug Administration recalled nearly 500,000 pacemakers late last year after it was found that hackers could remotely force the devices to run at potentially deadly speeds.
It was found that hackers could also potentially cause the batteries in the pacemaker to quickly go flat.
Only recently implanted pacemakers allow for “remote monitoring” by doctors, the feature that has made these devices vulnerable to a cyber attack.