Medical device insecurity was covered at the recent Black Hat and Def Con security conferences in Las Vegas. One set of researchers showed off hacks to pacemakers and insulin pumps that could potentially prove lethal, while another researcher explained how hospital patients’ vital signs could be falsified in real time.
A decade has passed since we learned about pacemaker hacks, but still implantable medical devices that can save patients’ lives can be hacked to potentially kill them. Even now, as was highlighted at Black Hat USA, attackers can cause pacemakers to deliver a deadly shock to the heart or deny a life-saving shock, as well as prevent insulin pumps from delivering needed insulin.
After asking attendees with implanted medical devices to leave the room, researchers Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions demonstrated how attackers could remotely install malicious firmware on a device used by doctors to control their patients’ pacemakers. That is possible because Medtronic’s update process neither digitally signs the firmware nor delivers it over an encrypted connection. The duo also discussed vulnerabilities in the network infrastructure Medtronic uses to deliver software updates.
They showed how it was possible to compromise Medtronic’s CareLink 2090 programmer, a programming device that runs on Windows XP and is used by doctors to control patients’ implanted pacemakers. They demonstrated two hacks that ultimately changed the programming so it would harm patients with pacemakers.
The firmware is not digitally signed, and updates sent to the programmers are not delivered via an encrypted HTTPS connection. Medtronic basically dismissed the malicious reprogramming threat as being a “low risk” and impractical attack.
Rios and Butts are critical of Medtronic’s response, pointing out how far it would go toward safeguarding patients if only Medtronic would digitally sign its code.
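To make concrete what code signing would have changed, here is an added example in Go of a minimal signed firmware update check; it is not Medtronic’s code or the researchers’, and the vendor key pair, firmware bytes, manifest layout and version numbers are all constructed for illustration. The vendor public key is assumed to be pinned in the programmer at manufacture. The point is that verification before anything is written to flash, not transport encryption, is what rejects a tampered or forged image, whether it arrived over plaintext HTTP or from a compromised update server. The version rollback check at the end goes beyond what the talk described but is standard in signed-update designs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the programmer downloads from the vendor's update server.
// The signature covers a small manifest (version + SHA-256 of the image), so the
// image itself is bound to the signed data without signing the whole blob twice.
// Layout is constructed for this example, not a real vendor format.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte // Ed25519 over manifest(Version, SHA-256(Image))
}

// manifest builds the exact bytes that are signed and verified.
func manifest(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	buf := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], digest[:])
	return buf
}

// Sign runs at the vendor. The private key never leaves the vendor's signing system.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, manifest(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature does not verify")
	ErrRollback     = errors.New("firmware rejected: version is not newer than installed")
)

// Verify runs on the programmer before anything is written to flash. vendorPub is
// the key pinned in the device; installed is the version currently running.
// A plaintext download path or a compromised update server cannot produce an
// image that passes without the vendor's private key.
func Verify(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(vendorPub, manifest(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback // a genuine but older image with a known bug is still refused
	}
	return nil
}

func main() {
	// Constructed vendor key pair; in practice the public half is burned into the device.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := Sign(vendorPriv, 2, []byte("CONSTRUCTED firmware image v2"))
	fmt.Println("genuine v2 over installed v1:", Verify(vendorPub, 1, genuine))

	// Man-in-the-middle on an unencrypted update channel swaps the image bytes.
	tampered := genuine
	tampered.Image = []byte("CONSTRUCTED malicious image")
	fmt.Println("tampered image:", Verify(vendorPub, 1, tampered))

	// Attacker signs their own image with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(attackerPriv, 3, []byte("CONSTRUCTED malicious image"))
	fmt.Println("forged signature:", Verify(vendorPub, 1, forged))

	// Replay of a genuine, correctly signed, but older release.
	old := Sign(vendorPriv, 1, []byte("CONSTRUCTED firmware image v1"))
	fmt.Println("genuine v1 over installed v2:", Verify(vendorPub, 2, old))
}
```

Signing the manifest rather than raw image bytes keeps the signed data small and lets the device check the image hash in a streaming fashion, but the security property is the same either way: without the vendor’s private key, no one on the network path can produce an update the programmer will accept.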
Researchers also showed off a hack against a Medtronic insulin pump. Using software-defined radio, they demonstrated how to stop a scheduled dose of insulin from being delivered.
ICS-CERT posted advisories about the following Medtronic devices: the MiniMed 508 insulin pump, the MyCareLink 24950 and 24952 patient monitors, the CareLink 2090 programmer, and the N’Vision clinician programmer. Medtronic also publishes its own list of security bulletins covering these products.