Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday.
At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.
Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.
This is patient safety
“The response from the manufacturer is so poor,” Rios told Ars. “This is not some online video game where high scores can get dumped. This is patient safety.” In an email, a Medtronic representative said existing controls mitigate the issues. Rios and Butts disagreed and said the hacks they describe remain viable.
There are two ways to hack the CareLink 2090, both of which rely on a chain of exploits to work. The hack demonstrated Thursday exploited vulnerabilities in the way the programmer receives updates from Medtronic.
A separate hack exploits vulnerabilities in the software-delivery servers Medtronic uses inside its internal network. By examining the way the programmer communicates with it, Rios and Butts were able to understand how a hacker could join the virtual private network and tamper with the update process. Because that hack compromises servers used in production and are owned by Medtronic, the researchers never attempted to carry it out. Thursday’s demonstration hack, by contrast, compromised a programmer they bought on eBay, so it didn’t threaten patient safety or damage equipment owned by others.