Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Software Hardware Technology

Medtronic Locks Down Vulnerable Pacemaker Programming Kit Due To Cybersecurity Concerns (theregister.co.uk) 40

AmiMoJo shares a report from The Register: The U.S. Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants. The watchdog's alert this week comes after Irish medical device maker Medtronic said it will lock some of its equipment out of its software update service, meaning the hardware can't download and install new code from its servers. That may seem counterintuitive, however, it turns out security vulnerabilities in its technology that it had previously thought could only be exploited locally could actually be exploited via its software update network. Malicious updates could be pushed to Medtronic devices by hackers intercepting and tampering with the equipment's internet connections -- the machines would not verify they were actually downloading legit Medtronic firmware -- and so the biz has cut them off.
This discussion has been archived. No new comments can be posted.

Medtronic Locks Down Vulnerable Pacemaker Programming Kit Due To Cybersecurity Concerns

Comments Filter:
  • by Mathinker ( 909784 ) on Tuesday October 16, 2018 @05:12AM (#57485150) Journal

    We're talking a device which when it malfunctions, kills (or could kill) someone. And still the manufacturer didn't get the basics of security correct: using signed software updates.

    How can we believe that IoT devices, which are manufactured with much less profit overhead, will be more secure? (Unless somehow regulated -- which also didn't for for those FDA-approved pacemakers).

    • Errata:

      "which also didn't for for those FDA-approved pacemakers" -> "which also didn't work for those FDA-approved pacemaker programmers"

    • Does the FDA approval process include an audit of IT security measures and practices?
      • by AmiMoJo ( 196126 )

        The FDA alert notice says that the FDA made the determination that there was a problem, so it sounds like they didn't realize during the approval process but have figured it out now.

        • Those are two different things: finding a problem in approved hardware and acting on that, or actively looking for problems and gaps during the approval process. Which would include for example the aforementioned lack of signed software updates.
    • Re: (Score:3, Interesting)

      by gnasher719 ( 869701 )
      To put this into perspective: Anyone having _any_ pacemaker is vulnerable to non-electronic attacks involving loaded guns, and there are many more people capable of doing such an attack than the electronic attack.
      • by Anonymous Coward

        but an electronics attack could happen from anywhere in the world and leave practically no trace, not so easy with a gun

    • I don't think anyone wants you to believe that IoT devices will be much more secure. They just claim to add some small convenience to your life and the masses are buying them like hotcakes with little concern for security or privacy.
    • From the article:

      The security bugs are not present in the implants themselves, but rather in Medtronic "programmers," which doctors and medics connect to patients' implants during and after surgery, allowing them to check battery levels, monitor heart rhythms, and adjust any settings.

      So -in this case- it's not patients' pacemakers etc at risk, but the equipment that monitors those pacemakers & perhaps adjust their settings. I'd imagine that as a hacker, you could (perhaps) still do some damage like adjust settings to the point where a pacemaker becomes ineffective. But this is rather different from upload-compromised-firmware-to-implant, which the summary might suggest to some.

    • The problem is no one wants to add 6 additional months to a product to make it much more secure.
      Then there is getting people who are willing to think about security problems when making such products.

      A good security design is much more then a normal checklist of items. It is designing your product in a way that you will assume that any level of your application could be broken into. So you need to make sure that each level once in will need to limit what damage it could do.

  • by enriquevagu ( 1026480 ) on Tuesday October 16, 2018 @05:53AM (#57485232)

    The original company stops making updates available.
    Before that, a hacker could impersonate the update server (probably using a MITM attack) so the device received a hacked firmware, not the legit one. But if no hacking occurs, the device receives a legit update.
    After the change, if a hacker impersonates the (unavailable) update server, the device can only find the hacked firmware, never the legit one.
    How is this exactly improving security?

    • How is this exactly improving security?

      Depends on how they are doing it. If you try to update an iPhone, the iPhone will ask Apple if the update is legit. Maybe they did something similar, but hackers found ways to create updates that will be identified as "legitimate". All they need to change is the "legitimate" checker to always return "NO".

    • by dissy ( 172727 )

      After the change, if a hacker impersonates the (unavailable) update server, the device can only find the hacked firmware, never the legit one.
      How is this exactly improving security?

      "The change" was to push an update that modifies the software to never attempt to retrieve updates.

      It improves the security in a way, because a hacker impersonating the update server would never get any hits to download those updates.

      Obviously it isn't the type of improvement that's desired, to sign updates to ensure they are from the right source, but ultimately if the computers aren't connecting anywhere to attempt to download updates, both methods still result in no malicious updates being retrieved.

    • by AmiMoJo ( 196126 )

      From what I can get from their web site the diagnostic system is basically a PC that downloads a firmware image, and then uploads it to the pacemaker. The pacemaker itself never connects directly to the internet.

      The update disables the online update mechanism on the diagnostic equipment entirely. Presumably they could still send out a USB flash drive with new firmware if required. But the diagnostic PC won't even look for new firmware any more.

  • by ArhcAngel ( 247594 ) on Tuesday October 16, 2018 @07:49AM (#57485596)
    I worked for a competitor to Medtronics that manufactured pacemakers in the 90s. The "state of the art" communication with the IC was an antenna that used PWM to talk. As long as you knew the handshake you could program it however you wanted. But if you wanted to be malicious you didn't even need to go to that much trouble. Many remember the signs posted in convenient stores that had microwave ovens because the stray noise from them could literally wipe out the programming on a pacemaker.
  • Sign the code with a private key and compare a hash. Secure devices have been doing this for some time.
  • I write embedded firmware for a living. Someone mentioned using keys/certificates. I don't see how such a small device with limited power can deal with the heft of full digital security.

    Further, it's a pacemaker! It does the same thing as they did decades ago, no? Why are there even post-factory updates?!
  • ...medical device maker Medtronic said it will lock some of its equipment out of its software update service, meaning the hardware can't download and install new code from its servers. That may seem counterintuitive... Malicious updates could be pushed to Medtronic devices by hackers intercepting and tampering with the equipment's internet connections -- the machines would not verify they were actually downloading legit Medtronic firmware -- and so the biz has cut them off.

    If this is right, locking them out of the service on the server side doesn't do a damn thing. You need to tell the devices to stop "looking for updates". All this does is let's me know that if I got an update after the shutdown then it's fake.

    Cutting off the server side still allows a device to look for updates and if a man-in-the-middle answers it will allow the update, because the whole problem is that it's not verifying the update's source.

    • by dkman ( 863999 )

      After reading some of the other comments it appears they made one "final" update that tells the devices to stop looking for updates. So that works.

  • I thought Hacknet was full it, but here I see I was wrong. That event just seemed a little.. too far.. on the far side of the reality bright-line. Whoops.

    https://store.steampowered.com... [steampowered.com]

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...