Hackers can install malware on pacemakers to shock patients, researchers show

Luana PASCU

August 13, 2018

A number of critical pacemaker vulnerabilities could enable hackers to easily install malicious code on the already implanted device and manipulate it, from a remote location, to give shocks to patients, as demonstrated by two researchers at the Black Hat 2018 event last week.

Billy Rios of Whitescope and Jonathan Butts of QED Secure Solutions detected life-threatening vulnerabilities in a pacemaker controller, the CareLink 2090 programmer, produced by Medtronic and used by doctors to control the devices after an implant. Although the two have been communicating with the company for about two years now, it seems the manufacturer still hasn’t patched all the security bugs because the hack can still be carried out.

As explained by Rios and Butts, the firmware is not encrypted, the connection used to deliver updates is not encrypted either (no HTTPS), and the servers have vulnerabilities that can be easily exploited, among other issues, allowing hackers to manipulate the software updates and infrastructure. The hack also works on an insulin pump.

“The time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues,” Butts says. “Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating.”

Cyberattacks against IoT devices are growing in complexity, as shown by the research conducted by the two specialists. The US Department of Homeland Security and the Food and Drug Administration have been informed about the security vulnerabilities and that the devices could still put patients’ lives at risk.

“Medtronic has not developed a product update to address these vulnerabilities but has identified compensating controls within this bulletin to help reduce the risk associated with these vulnerabilities,” reads a statement released on their website.

“Medtronic recommends that customers continue to follow the security guidance detailed in the Medtronic 2090 CareLink Programmer reference manual. This guidance includes maintaining good physical controls over the programmer and having a secure physical environment that prevents access to the 2090 programmer.”
