Hackers can install malware on pacemakers to shock patients, researchers show

A number of critical pacemaker vulnerabilities could let attackers install malicious code on an already implanted device and manipulate it from a remote location to deliver shocks to patients, as two researchers demonstrated at the Black Hat 2018 conference last week.

Billy Rios of Whitescope and Jonathan Butts of QED Secure Solutions found life-threatening vulnerabilities in a pacemaker controller, the CareLink 2090 programmer, produced by Medtronic and used by doctors to configure the devices after implantation. Although the two have been in contact with the company for about two years, the manufacturer still has not patched all of the security bugs: the attack can still be carried out.

As Rios and Butts explained, the programmer's firmware is not encrypted, the connection used to deliver updates is not encrypted either (plain HTTP, no HTTPS), and the update servers have easily exploitable vulnerabilities, among other issues. Together these allow an attacker to tamper with the software updates and the infrastructure that delivers them: with no TLS on the update channel, anyone on the network path can alter an image in transit, and with no encryption on the firmware, the image can be read and modified freely. The same attack also works on an insulin pump.
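The article says the update channel is unencrypted and that updates can be manipulated, but not how the programmer decides whether an image is genuine. The example below is added here and is not code from the researchers or from Medtronic; the update format, the key handling and the sample image bytes are assumptions. It contrasts a programmer that applies whatever arrives over the wire with one that holds only the vendor's public key and refuses any image whose signature does not verify, and shows that an on-path attacker who swaps the image cannot get past the second check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is what the programmer pulls from the update server: a firmware
// image and a detached signature over its SHA-256 digest. The layout is an
// assumption for this example, not Medtronic's format.
type Update struct {
	Image     []byte
	Signature []byte
}

// newVendorKeypair stands in for the vendor's signing key. Only the public
// half is ever stored on the programmer; the private half stays offline.
func newVendorKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signUpdate is the server side: hash the image and sign the digest.
func signUpdate(priv ed25519.PrivateKey, image []byte) Update {
	digest := sha256.Sum256(image)
	return Update{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// acceptUnverified models the weak path the article describes: the image
// arrives over plain HTTP and is applied as long as it looks complete.
func acceptUnverified(u Update) bool {
	return len(u.Image) > 0
}

// acceptVerified is the hardened path: the programmer checks the signature
// against the embedded vendor public key before flashing anything.
func acceptVerified(pub ed25519.PublicKey, u Update) bool {
	digest := sha256.Sum256(u.Image)
	return ed25519.Verify(pub, digest[:], u.Signature)
}

// tamperInTransit models an on-path attacker on the unencrypted channel who
// swaps the image for a malicious one. Without the private key the attacker
// cannot produce a matching signature, so the original one is forwarded as-is.
func tamperInTransit(u Update, malicious []byte) Update {
	return Update{Image: malicious, Signature: u.Signature}
}

// runScenario signs a constructed sample image, tampers with it in transit,
// and reports whether each path accepts the tampered image.
func runScenario() (weakAccepted, hardenedAccepted bool) {
	pub, priv := newVendorKeypair()
	genuine := signUpdate(priv, []byte("programmer firmware v1 (constructed sample)"))
	if !acceptVerified(pub, genuine) {
		panic("genuine update must verify")
	}
	tampered := tamperInTransit(genuine, []byte("firmware with attacker payload (constructed sample)"))
	return acceptUnverified(tampered), acceptVerified(pub, tampered)
}

func main() {
	weak, hardened := runScenario()
	fmt.Printf("tampered image accepted without verification: %v\n", weak)
	fmt.Printf("tampered image accepted with signature check:  %v\n", hardened)
}
```

Two points follow from the article's own findings. Adding HTTPS to the update channel stops the on-path substitution, but a signature check on the programmer is what protects against a compromised update server, which the researchers also reported as exploitable. And because the firmware is stored unencrypted, any secret embedded in it can be extracted, so a symmetric key shared between server and programmer would not do; the check has to use an asymmetric key whose private half never leaves the vendor.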

“The time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues,” Butts says. “Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating.”

The research shows that attacks against connected medical devices are growing in sophistication. The US Department of Homeland Security and the Food and Drug Administration have been informed of the vulnerabilities and of the fact that the devices could still put patients' lives at risk.

“Medtronic has not developed a product update to address these vulnerabilities but has identified compensating controls within this bulletin to help reduce the risk associated with these vulnerabilities,” reads a statement released on their website.

“Medtronic recommends that customers continue to follow the security guidance detailed in the Medtronic 2090 CareLink Programmer reference manual. This guidance includes maintaining good physical controls over the programmer and having a secure physical environment that prevents access to the 2090 programmer.”

One comment

  • By Sonia Maksou

    I had a Biotronik pacemaker for 3 years! The lead malfunctioned and shocked me over 52 times within an hour! Called the company with no response!!! Now I have a Boston Scientific!!
