Hack causes pacemakers to deliver life-threatening shocks

Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday.

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

This is patient safety

“The response from the manufacturer is so poor,” Rios told Ars. “This is not some online video game where high scores can get dumped. This is patient safety.” In an email, a Medtronic representative said existing controls mitigate the issues. Rios and Butts disagreed and said the hacks they describe remain viable.

There are two ways to hack the CareLink 2090, both of which rely on a chain of exploits to work. The hack demonstrated Thursday exploited vulnerabilities in the way the programmer receives updates from Medtronic.

A separate hack exploits vulnerabilities in the software-delivery servers Medtronic uses inside its internal network. By examining the way the programmer communicates with it, Rios and Butts were able to understand how a hacker could join the virtual private network and tamper with the update process. Because that hack compromises servers used in production and are owned by Medtronic, the researchers never attempted to carry it out. Thursday’s demonstration hack, by contrast, compromised a programmer they bought on eBay, so it didn’t threaten patient safety or damage equipment owned by others.

Rios, of security firm WhiteScope, and Butts, of QED Secure Solutions, demonstrated a separate hack on Thursday against a Medtronic-made insulin pump. Using a $200 HackRF software-defined radio, they sent the pump instructions to withhold a scheduled dose of insulin.

The Medtronic representative said the insulin-pump hack works only against an older version of the insulin pump and then only when a default setting is changed to enable remote functions. The representative further said the hacks against the pacemakers had been addressed. This page lists the security advisories Medtronic has issued.

The full statement is:

Last year, security research firm WhiteScope notified Medtronic of potential vulnerabilities in the CareLink 2090 Programmer and its accompanying software-deployment network. We assessed the vulnerabilities and issued an ICS-CERT advisory in February, which was reviewed and approved by the FDA, ICS-CERT, and WhiteScope.

In the accompanying Medtronic security bulletin, we communicated that our existing security controls mitigate the issue. Since that time, we also have made technical updates where these services are hosted to further strengthen security controls.

Medtronic recommends that customers continue to follow the security guidance detailed in the Medtronic 2090 CareLink Programmer reference manual. This guidance includes maintaining good physical controls over the programmer and having a secure physical environment that prevents access to the 2090 programmer. In addition, the 2090 programmer should be connected to a well-managed, secured computer network. If this is not possible, the 2090 programmer should be disconnected from the network (with no impact to functionality), and updates may be received directly from a Medtronic representative.

While the advisory process took longer than all parties desired, this process was necessary to coordinate with WhiteScope, ICS-CERT, and FDA to determine whether this should result in a public disclosure or advisory. Medtronic issued an advisory on this vulnerability because we are committed to collaboration and transparency with industry partners and the regulatory community, and we support the FDA guidance on these matters. With subsequent security matters, we’ve been quicker to coordinate between ICS-CERT, FDA, and the researcher and more efficient with our public disclosures.

MiniMed Paradigm Insulin Pumps

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMedTM Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

Rios and Butts, however, continued to criticize Medtronic for the amount of time it has taken to address the vulnerabilities and the lack of comprehensiveness of those updates.