Researchers have found life-threatening vulnerabilities in technology developed by Medtronic, one of the biggest medical equipment and health service providers in the world.
With a presence in more than 160 countries and a 2017 revenue of about US$27 billion, it’s very probable you or your loved ones have at one point or another used Medtronic’s technology.
Jonathan Butts from QED Secure Solutions and Billy Rios from security firm White scope have been studying Medtronic’s solutions for two years now and have found their products are susceptible to remote attacks via wireless radio signals and the internet.
The pair walked through their findings last Thursday at the Black Hat security conference.
“We were talking about bringing a live pig because we have an app where you could kill it from your iPhone remotely and that would really demonstrate these major implications,” Butts told Wired.
“We obviously decided against it, but it’s just a mass scale concern. Almost anybody with the implantable device in them is subject to the potential implications of exploitation.”
The medical equipment giant has claimed on various occasions that they have effectively addressed the issues spotlighted by the Rios/Butt investigation, assuring the public they have already dealt with the problem.
“All devices carry some associated risk, and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide,” said in a statement Medtronic spokesperson Erika Winkels.
“Medtronic deploys a robust, coordinated disclosure process and takes seriously all potential cybersecurity vulnerabilities in our products and systems.
“In the past, WhiteScope, LLC has identified potential vulnerabilities which we have assessed independently and also issued related notifications, and we are not aware of any additional vulnerabilities they have identified at this time.”
But Rios and Butts say Medtronic has not done enough, claiming there are still many risks – particularly for pacemaker patients.
They say existing vulnerabilities in Medtronic’s infrastructure can allow an attacker to remotely control implanted pacemakers, sending shocks to patients who don’t need them or withhold shocks to those who do. Another bug permits attackers to hack insulin pumps, remotely dosing a patient with extra insulin.
“The time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues,” Butts said.
“Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating.”
One of the ways to validate the integrity of a software update is via a cryptographically protected signature. Rios and Butt discovered that Medtronic’s software lacks “digital code signing”, opening the door to hackers to find ways to install bugged updates.
“If you just code sign, all these issues go away, but for some reason they refuse to do that,” Rios told Wired.
“We’ve proven that a competitor actually has these mitigations in place already. They make pacemakers as well, their programmer literally uses the same operating system (as Medtronic’s), and they have implemented code signing.”
In April, the US Food and Drug Administration (FDA) said it was considering establishing a cybersecurity expert board specifically to deal with cases like this.