Life-saving devices manufactured by Medtronic do not rely on encryption to protect firmware updates, a failure that makes it possible for hackers to remotely install malicious firmware that threatens patients’ lives, security researchers said Wednesday.
At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device manufacturer Medtronic to hacking vulnerabilities in January 2017. So far, they say, the proof-of-concept attacks they developed still work. The duo on Thursday showed off a hack of a CareLink 2090 programmer, a device that doctors use to control implantable devices after they are implanted in patients.
Because updates for the programmer are not delivered over an encrypted HTTPS connection and the firmware is not digitally signed, the researchers were able to force it to run malicious firmware that would be difficult for most doctors to detect. From there, the researchers said, the compromised programmer could prompt implanted devices to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.
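The check described as missing above, shown as an added example (not code from the researchers or Medtronic): an updater that refuses any image whose signature does not verify against a public key pinned on the device. It uses a Lamport one-time signature built on SHA-256 only so that it runs with the Python standard library; the function names and sample image are constructed for illustration, and a production updater would use a vetted scheme such as Ed25519 or RSA from a maintained library.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(image: bytes):
    """Yield the 256 bits of SHA-256(image), most significant bit first."""
    digest = _h(image)
    for i in range(256):
        yield (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    """Vendor side (constructed demo key): 256 secret pairs and their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk, image: bytes):
    """Vendor side: reveal one secret per digest bit. One key signs ONE image."""
    return [sk[i][bit] for i, bit in enumerate(_bits(image))]


def verify(pk, image: bytes, sig) -> bool:
    """Device side: each revealed secret must hash to the pinned public value."""
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(image)):
        # Check every position (no early exit) with a constant-time comparison.
        ok &= secrets.compare_digest(_h(sig[i]), pk[i][bit])
    return ok


def install_update(pinned_pk, image: bytes, sig) -> str:
    """Hypothetical updater entry point: nothing is flashed without a valid signature."""
    if not verify(pinned_pk, image, sig):
        return "rejected"
    # A real device would write the verified image to flash here.
    return "installed"
```

Because the signature covers the image itself, the check holds even when the download channel is untrusted; HTTPS then adds confidentiality and server authentication on top.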
This is patient safety
“The response from the manufacturer was not good,” Rios told Ars. “This is not some online video game where high scores can be thrown. This is patient safety.” In an email, a Medtronic representative said existing controls mitigated the issues. Rios and Butts disagree and say that the hacks they describe are real.
There are two ways to hack the CareLink 2090, both of which depend on a chain of operations to work. The hack shown Thursday exploits vulnerabilities in the way the programmer receives updates from Medtronic.
A separate hack exploits vulnerabilities in the software delivery servers Medtronic uses on its internal network. By analyzing the way the programmer communicates with them, Rios and Butts were able to understand how a hacker could join a virtual private network and enter the update process. Because that hack affected servers used in manufacturing and owned by Medtronic, the researchers didn’t try to execute it. Thursday’s featured hack, by contrast, compromises a device that was purchased on eBay, so it doesn’t threaten patient safety or damage equipment that others own.
Rios, of security firm WhiteScope, and Butts, of QED Secure Solutions, presented a separate hack Thursday against an insulin pump made by Medtronic. Using a $200 HackRF software-defined radio, they sent the pump instructions to release the set insulin dose.
A Medtronic representative said the insulin-pump hack only works against an older version of the insulin pump and then only when the default setting is changed to enable remote functions. The representative also said that the hacks against the programmer have been addressed. This page lists the security measures that Medtronic has implemented.
The full statement follows:
Last year, security research firm WhiteScope informed Medtronic of potential vulnerabilities in the CareLink 2090 Operator and its accompanying software activation network. We assessed the vulnerabilities and issued an ICS-CERT advisory in February, which was reviewed and approved by the FDA, ICS-CERT, and WhiteScope.
In the following Medtronic security bulletin, it is said that there are security controls that mitigate the issue. Since that time, we have also made technical updates where we host these services to further strengthen security controls.
Medtronic recommends that customers continue to follow the information security guidance in the Medtronic 2090 CareLink Programmer manual. This guidance includes maintaining good physical controls on the processor and having a secure physical environment that prevents access to the 2090 processor. Additionally, the 2090 processor should be connected to a well-managed, secure computer network. If this is not possible, the 2090 processor should be disconnected from the network (without impact to functionality), and updates can be obtained directly from a Medtronic representative.
While the advisory process takes longer than all parties would like, this process is important to coordinate with WhiteScope, ICS-CERT, and the FDA to determine if this should result in a public disclosure or advisory. Medtronic issued an advisory on this vulnerability because we are committed to collaboration and transparency with industry partners and the regulatory community, and we support the FDA’s guidance on these issues. With subsequent security issues, we have been quick to coordinate between ICS-CERT, FDA, and the investigator and be more efficient with our public disclosures.
MiniMed Paradigm Insulin Pumps
In June 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMed™ Paradigm™ family of insulin pumps and the corresponding remote controller. We assessed the vulnerability and today issued a recommendation, which was reviewed and approved by the FDA, ICS-CERT and WhiteScope.
This vulnerability affects the proportion of users who use the remote controller to deliver Easy Bolus™ to their insulin pump. In the advice, and through notifications to health professionals and patients, we communicate some precautions that users of remote control can take to reduce the risk and protect the safety of their pump.
As part of our commitment to customer safety and device security, Medtronic works closely with industry regulators and researchers to anticipate and respond to potential threats. In addition to our ongoing work with the security community, Medtronic has taken several concrete actions to enhance device security and will continue to make significant investments to improve device security.
Rios and Butts, however, continued to criticize Medtronic for the amount of time it has taken to address the vulnerabilities and the complete lack of those updates.
“At this time, as security researchers, we believe that the benefits for implantable medical devices outweigh the risks,” Rios told Ars. “However, when you have manufacturers operating the way Medtronic does, it’s hard to trust them.”