Hacking pacemakers, insulin pumps and patient’s vital signs in real-time

Medical device insecurity was covered at the security conferences in Las Vegas. One set of researchers showed off hacks to pacemakers and insulin pumps which could potentially prove lethal, while another researcher explained how hospital patients’ vital signs could be falsified in real-time.

Pacemaker and insulin pumps hacks at Black Hat USA

A decade has passed since we learned about pacemaker hacks, but still implantable medical devices that can save patients’ lives can be hacked to potentially kill them. Even now, as was highlighted at Black Hat USA, attackers can cause pacemakers to deliver a deadly shock to the heart or deny a life-saving shock as well as prevent insulin pumps from delivering needed insulin.

After asking attendees with implanted medical devices to leave the room, researchers Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions demonstrated how attackers could remotely install malicious firmware on a device used by doctors to control their patients’ pacemakers. That’s due to the lack of encryption in Medtronic’s firmware update process. The duo also discussed vulnerabilities in Medtronic’s network infrastructure for software deliveries.