| Developers: | Medtronic (Medtronik) |
| Branches: | Pharmaceutics, medicine, health care |
Content |
2018
Pacemakers of Medtronic can be cracked far off due to the lack of verification of digital signatures
On November 22, 2018 there was information that the duet of hackers was successfully cracked by the artificial driver of a warm rhythm from Medtronic company. Simple vulnerability allows to stop remotely heart of the owner of a pacemaker while the manufacturing company does not hurry to react to threat and to eliminate defects, Ars Technica write.
Researchers of security systems Billy Rayos and Johnathan Bats disclosed details about vulnerability on the presentation at the conference of Black Hat devoted to information security. Hackers notified Medtronic on the find in January, 2017, but the company did not make due efforts on liquidation of a defect. Then hackers decided to draw public attention to a problem of cracking of pacemakers.
Researchers showed to public process of cracking of a programmator of CareLink 2090 which is used by doctors for diagnostics, setup and a software update of electropacemakers. Programmator who actually is the special version notebook works under control of outdate operating system Windows XP with set program and the hardware of Medtronic. As experts explained, it was succeeded to attack a security system successfully for the reason that the company did not implement digital signatures in the software — the programmator could execute any code, without checking authorship of the program in any way.
Moreover, Billy Rayos and Johnathan Bats found out that software updates which were loaded from servers of Medtronic were delivered not on the ciphered HTTPS connection, and on HTTP. HTTP channels easily are exposed to redirection when attacking is implemented on the connection way, for example, at the level of the router in the local area network. Updates on network received two programmator: CareLink 2090 and CareLink Encore 29901, all such devices worldwide, including the CIS countries, is over 34 thousand pieces.
The Medtronic company reacted to the publication of a method of cracking with shutdown of servers with updates and the recommendation to update software of programmator only in the presence of the specialist of the company using connection on the USB connector. Researchers insist that it is not enough, and Medtronic should enter, at least, practice of verification of digital signatures of the software.[1]
Medtronic turned off updating on the Internet because of risk of cybercracking
In October, 2018 Medtronic disconnected a software update of pacemakers on the Internet because of risk of cybercracking. The company notified on it in the letter sent to doctors and medical institutions and entitled as "Urgent correction of the medical equipment".
The possibility of installation of a new firmware is blocked in 34 thousand programmator of CareLink and CareLink Encore at model numbers 2090 and 29901 which are used by doctors worldwide for updating of program settings of work of a pacemaker.
Medtronic made such decision because of the detected vulnerability which "can do harm to the patient depending on scale and the purposes of harmful cyber attacks and also primary disease of the patient", transfers Reuters news agency, referring to the message of the American producer.
Clinics and hospitals can use further CareLink programmator, however they categorically are not recommended to try to update software on the Internet — only at connection to the computer via the USB connector. And patients the producer asked not to take any actions for vulnerability elimination.
At the same time assure of Medtronic that any case when this lack of operation of the medical equipment would be used by hackers for illegal acts is unknown. By October 12, 2018 the company develops updating which should eliminate all dangerous errors in devices. Before an exit of an update regulating authorities should approve it.
The management on sanitary inspection behind product quality of a power supply and medicines of the USA (FDA) studied a problem and approved the solution of producer to disconnect upgradeability of devices on the Internet.
The key part of the problem is that pacemakers do not use the ciphered connection when updating a firmware that allows malefactors to load far off on the implanted device a malicious code. It poses real threat for health and life of patients. As the proof researchers in the field of cyber security Billy Rios and Jonathan Butts in August, 2018 at the hacker Black Hat conference showed to public cracking of the CareLink 2090 device.
During that demonstration specialists loaded a harmful firmware on a programmator, and the device after that infected had an opportunity to influence work of a pacemaker.
Then experts noted that they notified Medtronic on existence of vulnerability in 2017, however the company reacted to the message of happy faded. Now Medtronic decided to take measures.
As notes Reuters in the publication of October 11, 2018, in recent years producers of the medical equipment activated the efforts on decrease in amount of vulnerabilities in the devices after numerous warnings of security experts which indicated to the companies existence of dangerous shortcomings of operation of the equipment.
Though information that hackers used these vulnerabilities for cyber attacks did not pass in the press, researchers warn that the health care industry strongly lags behind the computer industry regarding cyber defense.
 | As security researchers, we consider that advantages of the implanted medical devices outweigh risks. However, when producers behave as it did Medtronic, it is difficult for them to trust — Bill Rios at the Black Hat 2018 conference said. |  |
Then in Medtronic reminded that the instruction to CareLink 2090 orders to use the device in the safe environment and to connect it only to the protected networks.[2]
Hackers can disconnect pacemakers of Medtronic thanks to vulnerability
On August 13, 2018 it became known that hackers can disconnect pacemakers of Medtronic thanks to the available vulnerabilities in a security system. Programmator CareLink 2090 allows to load the malware from an external source using which hackers can control completely operation of the device including to disconnect it.
Vulnerabilities were detected by programmers of Whitescope and Secure Solutions companies which analyzed the platform of delivery of software updates Medtronic. The revealed problems already drew attention of FDA and Department of internal security. Specialists claim that they provided all data of Medtronic, however the company within ten months conducted own research and rejected claims. Representatives of Medtronic say what at assessment of vulnerabilities is not revealed new potential security concerns, and control measures of risk and a residual risk are acceptable.
The programmers who revealed problems continue the analysis and are going to show publicly on animal model as vulnerabilities in the system of updates of a pacemaker of Medtronic can become a basis for the hacker attack, at a conference on security of Black Hat.
Some notifications on vulnerabilities in a security system are not enough, programmers as abuse of pacemakers can have serious effects for the patient consider. They note that adding of the digital signature can lower rice partly. It is worth noticing that competitors of Medtronic already use similar security measures in the devices.
Though Medtronic did not announce that it is going to eliminate the revealed vulnerabilities, representatives of the company say that they already took some steps in this direction.[3]
Notes
| The site content is translated by machine translation software powered by PROMT. The machine-translated articles are not always perfect and may contain errors in vocabulary, syntax or grammar. Read original article If you find inaccuracies or errors in the results of machine translation, please write to editor@tadviser.ru. We will make every effort to correct them as soon as possible. |