-Source-Wired-
THE FIRST PACEMAKER hacks emerged about a decade ago. But the latest variation on the terrifying theme depends not on manipulating radio commands, as many previous attacks have, but on malware installed directly on an implanted pacemaker.
For nearly two years, researchers Billy Rios of the security firm Whitescope and Jonathan Butts of QED Secure Solutions have gone back and forth with pacemaker manufacturer Medtronic, which makes Carelink 2090 pacemaker programmers and other relevant equipment that the researchers say contain potentially life-threatening vulnerabilities. The Department of Homeland Security and the Food and Drug Administration have gotten involved as well. And while Medtronic has remediated some of the issues the researchers discovered, Rios and Butts say that too much remains unresolved, and that the risk remains very real for pacemaker patients. The pair will walk through their findings Thursday at the Black Hat security conference.
Rios and Butts say that they've discovered a chain of vulnerabilities in Medtronic's infrastructure that an attacker could exploit to control implanted pacemakers remotely, deliver shocks patients don't need or withhold ones they do, and cause real harm.
"The time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues," Butts says. "Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating." Read more
Comments