It's been ten years since the first warnings about the security defects in pacemakers, which made them vulnerable to lethal attacks over their wireless links, and since then the news has only gotten worse: one researcher found a way to make wireless pacemaker viruses that spread from patient to patient in cardiac care centers, and the medical device makers responded to all this risk by doubling down on secrecy and the use of proprietary code.
Now, a decade later, Billy Rios (Whitescope) and Jonathan Butts (QED Secure Solutions) are about to present a new range of deadly attacks on medical implants at the Black Hat conference in Las Vegas.
For years, Rios and Butts have targeted Medtronic's pacemakers and pacemaker programming tools, devices that the pair have been probing for years, making a string of disclosures over that Medtronic has denied and ignored as much as they've remediated.
The new research is some of the most chilling to date. Rios and Butts have found vulnerabilities in Medtronic's infrastructure for programming and updating the pacemakers and their programming terminals (which run Windows XP!) (Windows XP!!). By attacking Medtronic's cloud infrastructure, the pair can poison all the devices as they leave the factory, or corrupt them once they're in the field.
True to form, Medtronic denies this defect. As Butts points out, Medtronic has spent more energy and time denying the defects he's told them about than they would have had to spend to simply fix them.
Medtronic's systems are particularly vulnerable because they have failed to implement industry-standard measures like code-signing (which their competitors, whose devices run the same operating systems as Medtronic, are already using).
Rios and Butts have also published defects in Medtronic's insulin pump, which allow attackers to poison people with diabetes by dumping extra insulin into their bloodstreams.
Medtronic told Wired that everything is fine and Rios and Butts were exaggerating. Rios says that once they presents the pair's work at Black Hat, everyone will know who's telling the truth.
This is a pretty fantastic and pointed demonstration of why companies shouldn't be in charge of who gets to disclose defects in their products. Defects in Medtronic's products can kill people. They have a short term interest in downplaying those defects, lest their customers be tempted to sue them into oblivion, so they lie and stall and deflect when they're warned about defects.
Without actual disclosures, including proof-of-concept code and demos, it would be Medtronic's word against these two random security researchers. Medtronic's argument, that they know a lot about this subject and these two randos are just glory-hogging liars, would be pretty compelling — without a demo, it would be easy to dismiss Rios and Butts. That means that more and more people end up with Medtronic's lethally defective devices sewn into their bodies and wired up to their internal organs.
Butts and Rios say, though, that many of the advisories are vaguely worded, and seem to downplay the potential severity of the attacks. For example, all of them say that the "vulnerabilities are not exploitable remotely," even when possible attacks hinge on things like connecting to HTTP web servers over the internet, or manipulating wireless radio signals. "We were talking about bringing a live pig because we have an app where you could kill it from your iPhone remotely and that would really demonstrate these major implications," Butts says. "We obviously decided against it, but it’s just a mass scale concern. Almost anybody with the implantable device in them is subject to the potential implications of exploitation."
A New Pacemaker Hack Puts Malware Directly on the Device [Lily Hay Newman/Wired]