Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)

Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients' chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect. On Thursday, the US government's Dept of Homeland Security issued an …

  1. paulll

    "the attacker would need to know the specific model of device in the victim, and have reverse-engineered its design to know which commands to send to write the necessary data into memory to cause harm."

    Ah, so they're secure because they're obscure. Very good, then.

    1. Anonymous Coward

      I mean it's not as if computers can scan for differing indicators and then look up references of the data it gets back and then select the right previously reverse engineered tool. Nobody would ever make something like that.

  2. Smoking Man

    It's all in the software.

    You're safe.

    Sincerely, Medtronic.

    A Boeing Division.

  3. Anonymous Coward

    And the other end?

    Anything known about how hackable the Control Unit is?

  4. The Oncoming Scorn Silver badge
    Boffin

    The Age Of Plastic

    They send the heart police to put you under Cardiac arrest

    and as they drag you through the door

    They tell you that you've failed the test

    Icon TH Glasses.

  5. Anonymous Coward

    This was just recently an episode of the Blacklist, life continues to imitate art.

    1. MiguelC Silver badge

      Prior art

      It was used in an episode of Homeland in 2012....

  6. Anonymous Coward

    Nobody gives a shit about quality, security or reliability

    The dickheads in charge want cheap outsourced morons, to maximise their bonuses.

    All execs are parasites leeching off the company for their own worth. Their mindset is fuck the users of the software, even if it's so bad it can kill you.

    1. Yet Another Anonymous coward Silver badge

      Re: Nobody gives a shit about quality, security or reliability

      Tricky, it's necessary to change parameters especially when the pacemaker is first installed. Typically the programming unit needed to be very close - on the chest.

      Yes they could have done better key management - but you don't want the doctor to be locked out of the pacemaker because they didn't have access to your key pair in the ER and so have to open up the chest to replace it.

      It's a balance of risk: what's the chance of a deliberate attacker building a high power controller and lurking next to your bedroom to reprogram your pacemaker (vs just shooting you with an AR15 like a real American) vs you dying because the hospital couldn't adjust the profile when you had an angina attack.

  7. Horridbloke
    Unhappy

    The workaround...

    ... is to not get sick.

    1. Steve Foster
      Facepalm

      Re: The workaround...

      ...is a *really* big tinfoil hat (think burka-sized).

      1. bombastic bob Silver badge
        Devil

        Re: The workaround...

        how about a tinfoil T shirt? (I suspect the antenna is in the chest, and not the head).

        As for this: "with a range of roughly 25 feet without any signal boosting"

        An extremely high gain antenna, low noise receiver, and higher than normal power transmitter could [in theory] extend that range for MILES... (you'd probably need 40 dB gain, which is not impossible, but would be really really cool and innovative to 'get there')

        [think sophisticated satellite communications equipment, and that's what I mean]

  8. Anonymous Coward

    Retrofitting strong crypto is likely impossible, the implanted device won’t have the CPU or memory for it, and even if it did, what about the increase in power usage and generated heat? It would need to be surgically replaced.

  9. robertsgt40

    I remember several years ago (at least 10), a tech whiz was scheduled to give a talk about the hackable pacemaker. He was there to prove his thesis. Unfortunately he mysteriously croaked just before his presentation. I think he was about 30yrs old. Now who would do such a thing?

    1. This post has been deleted by its author

    2. WmK

      Yeah that was Barnaby Jack, and an OD. RIP. :(

      1. Michael Wojcik Silver badge

        Barnaby Jack is most famous for demonstrating jackpotting ATMs at Black Hat 2010, of course. Video is available online and is worth watching; he was a great presenter.

        His OD might have been self-inflicted - no one's yet shown strong evidence otherwise. It looks suspicious, though. He had powerful enemies; the cocktail of drugs found in his system is ... ambitious, shall we say; and I think the last time I read up on his death, there weren't any public claims of prior drug abuse from anyone who knew him. Maybe new information has since come to light.

  10. Chairman of the Bored

    'Recommend continued use...'

    Well, no ship, Sherlock! I'd say if you've got that kit wedged in your chest you're kind of committed to completing the therapy. Just swapping the unit seems a little tough.

  11. Anonymous Coward

    Security? They've heard of it.

    The Conexus protocol does not include any checks, authentication or encryption of data flowing between defibrillator and controller.

    Listen mode is sometimes initiated by the device, sometimes by inductive pickup.

    Talk about cutting corners, these fuggers need some cattle-prod / BOFH type re-education right now.

    1. Michael Wojcik Silver badge

      Re: Security? They've heard of it.

      Unfortunately medical IT security is largely abysmal across the board, despite a number of prominent vulnerability disclosures like this one. Someone needs to start putting together class-action HIPAA lawsuits and the like.

  12. Anonymous Coward

    Homeland TV series, Season 2, Episode 10, "Broken Hearts", 2013

    There is nothing new about these vulnerabilities.

    But it is deeply disappointing to see that it's 2019, and the technology is *still* open for abuse.
