Hackers can install malware on pacemakers to shock patients, researchers show
A number of critical pacemaker vulnerabilities could enable hackers to easily install malicious code on the already implanted device and manipulate it, from a remote location, to give shocks to patients, as demonstrated by two researchers at the Black Hat 2018 event last week.
Billy Rios of Whitescope and Jonathan Butts of QED Secure Solutions detected life-threatening vulnerabilities in a pacemaker controller, the CareLink 2090 programmer, produced by Medtronic and used by doctors to control the devices after an implant. Although the two have been communicating with the company for about two years now, it seems the manufacturer still hasn’t patched all the security bugs because the hack can still be carried out.
As explained by Rios and Butts, the firmware is not encrypted, the connection used to deliver updates is not encrypted either (no HTTPS), and the servers have vulnerabilities that can be easily exploited, among other issues, allowing hackers to manipulate the software updates and infrastructure. The hack also works on an insulin pump.
“The time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues,” Butts says. “Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating.”
Cyberattacks against IoT devices are growing in complexity, as shown by the research conducted by the two specialists. The US Department of Homeland Security and the Food and Drug Administration have been informed about the security vulnerabilities and that the devices could still put patients’ lives at risk.
“Medtronic has not developed a product update to address these vulnerabilities but has identified compensating controls within this bulletin to help reduce the risk associated with these vulnerabilities,” reads a statement released on their website.
“Medtronic recommends that customers continue to follow the security guidance detailed in the Medtronic 2090 CareLink Programmer reference manual. This guidance includes maintaining good physical controls over the programmer and having a secure physical environment that prevents access to the 2090 programmer.”