Medtronic is the most notorious maker of insecure medical implants in America, with a long history of inserting computers into people’s bodies with insecure wireless interfaces, toolchains and update paths, and nothing has changed.
In a new CERT advisory — scoring 9.3/10 for severity! — we learn that remote attackers can hijack a Medtronic implanted defibrillator and administer potentially lethal shocks, shut down lifesaving features, and put the device into a high power-consumption mode that drains the battery. A separate attack allows attackers to steal sensitive patient data from the device.
Medtronic (predictably) downplayed the severity of the vulnerability and advised patients to take no meaningful preventative measures to avoid these attacks, confining its advice to using “only bedside monitors obtained from a doctor or from Medtronic directly, to keep them plugged in so they can receive software updates” and to “maintain good physical control over the monitor.” Medtronic insists that patients should not switch off the wireless feature in their implants.
But Ransford did say it was surprising that issues like the ones in Thursday’s advisory continue to crop up in Medtronic defibrillators, since this variety of vulnerability has been known since 2008.
A decade ago Ransford was part of a team of researchers that tested a bacon-wrapped Medtronic Maximo defibrillator and came to the surprising conclusion that it could be hacked.
In the groundbreaking paper, the researchers reported that they could cause their compromised device to issue shocks on command, shut down its lifesaving features and change functionality so the battery would wear out.
“It looks like a manufacturer still has some work to do,” Ransford said.
Ransford said the effects of the attack appeared to be essentially the same, regardless of the specific route used to attack the device. Medtronic officials said the vulnerabilities described in the 2008 paper involved a different communications protocol.
750,000 Medtronic defibrillators vulnerable to hacking [Joe Carlson/Star Tribune]
But her emails.