The DHS Issues Medical Advisory for Medtronic Cardiac Devices

cageymaru

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
22,694
The Department of Homeland Security (DHS) has issued a cybersecurity warning that documents vulnerabilities in the Medtronic Conexus Radio Frequency Telemetry Protocol. Medtronic makes cardio-defibrillators that are planted into a patient's chest and can be read and programmed by trained medical personnel. This allows the devices to communicate with home monitoring devices and Carelink programmers found at doctor's offices. These vulnerabilities require a low level of skill to exploit as the proprietary Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device. Because the devices also lack encryption, attackers can listen to communications, including the transmission of sensitive data. Medtronics is working on developing updates to fix the vulnerabilities.

"It is possible with this attack to cause harm to a patient, either by erasing the firmware that is giving necessary therapy to the patient's heart, or by directly invoking shock related commands on the defibrillator," he said. "Since this protocol is unauthenticated, the ICD cannot discern if communications its receiving are coming from a trusted Medtronic device, or an attacker." A successful attacker could erase or reprogram the defibrillator's firmware, and run any command on the device.
 
i think the carelink programmers only work at very close range, i dont think a defib can be reprogrammed remotely from what i remember. did look into them when the doc thought i had brugada syndrome. im not too worried.
 
Something like this was bound to happen sooner or later.

I wonder why DHS is handling this rather than FDA.

I also wonder if they were compliant with UL 2900
 
cageymaru said:
The Department of Homeland Security (DHS) has issued a cybersecurity warning that documents vulnerabilities in the Medtronic Conexus Radio Frequency Telemetry Protocol. Medtronic makes cardio-defibrillators that are planted into a patient's chest and can be read and programmed by trained medical personnel. This allows the devices to communicate with home monitoring devices and Carelink programmers found at doctor's offices. These vulnerabilities require a low level of skill to exploit as the proprietary Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device. Because the devices also lack encryption, attackers can listen to communications, including the transmission of sensitive data. Medtronics is working on developing updates to fix the vulnerabilities.

"It is possible with this attack to cause harm to a patient, either by erasing the firmware that is giving necessary therapy to the patient's heart, or by directly invoking shock related commands on the defibrillator," he said. "Since this protocol is unauthenticated, the ICD cannot discern if communications its receiving are coming from a trusted Medtronic device, or an attacker." A successful attacker could erase or reprogram the defibrillator's firmware, and run any command on the device.
Click to expand...



I have a St. Jude model defibrillator in my chest as of the past 15 years-never once having needed it for arrhythmia or the like. I am actively working to get it removed-this being at the forefront of my concern. Glad to see this posted here.
 
Zarathustra[H] said:
I wonder why DHS is handling this rather than FDA.
Click to expand...
My guess is maybe a senator or a few rich congress men have one or more in their chest, so they are worried about politicians being remotely killed via e-terrorists/foreign hackers. As unlikely as it is....
 
I can see how this went at the manufacturer. I willing to bet someone mentioned it was insecure.

Software Engineer: Okay the software is working properly now we just need to add some sort of encryption and authentication protocol to protect the device.
Management: How long will that take?
Software Engineer: A week or two to develop and debug at least.
Management: Yeah that's not going to work, we need to make money on this now and we still have to get it though the FDA.
Software Engineer: Without it protecting the device it could be targeted.
Management: We are saving lives here, besides no one will know it's there. If the FDA says we need it, we will add it later.
Software Engineer: Okay you're the boss.
 
Zareek said:
I can see how this went at the manufacturer. I willing to bet someone mentioned it was insecure.

Software Engineer: Okay the software is working properly now we just need to add some sort of encryption and authentication protocol to protect the device.
Management: How long will that take?
Software Engineer: A week or two to develop and debug at least.
Management: Yeah that's not going to work, we need to make money on this now and we still have to get it though the FDA.
Software Engineer: Without it protecting the device it could be targeted.
Management: We are saving lives here, besides no one will know it's there. If the FDA says we need it, we will add it later.
Software Engineer: Okay you're the boss.
Click to expand...

Nah. Something like this would likely need to be built into the architecture from day one. It's not just tacked on at the end.

The hardware needs to have both the battery power and hardware to be able to support encryption.

My view regarding how these things happens is usuay one of two ways:

1.) Product was either designed or based on another product that was designed a really long time ago before encryption and security were the norm.

2.) Ignorance. You'd be surprised how many firmware and software engineers work in a complete bubble inside organizations and haven't even thought about security.



I've dealt with #1 in the past. It's the #1 reason why medical device companies get FDA warning letters. Even most new designs are not designed from scratch. You take the previous design and tweak a thing or two. Do proper modern designs and testing on the tweaks, but just assume the existing design is good, because it's on the market right? Do this 10+ generations in a row, and suddenly your core design dates back to the 70's even on your latest product.

I'm dealing with #2 right now, working for a company that has a lot of long time employees (many for 30-40 years). There are a lot of good people who know their subject matter very well, who just haven't been exposed to any best practices from outside the company, because they have spent their entire working lives here. We are developing our first connected product, and I'm having to drag everyone kicking and screaming into the realization that we'll need private key/public key encryption, identification and authentication and am having to fight the "this is the way we've always done it" mindset every step of the way.

It's sometimes amazing how change resistant organizational culture can become, even when management is on board with the change.
 
The electrophysiologist had models of ICDs dating back to the 1970s. (LAST CENTURY!) They went by order of size; the oldest ones had to be implanted in the abdomen as they were about the size of a pint flask...or rather the size of a "Dan" pint flask-which as the police in my hometown know is dang near a half gallon-the sucker was huge. Definitely old tech like Z said. My EP, and others I have talked to indicate that there is much that can be done to electrically stimulate the myocardium in the hear. In fact the doc stimulates it INTO having a ventricular arrythmia just so the device itself can be tested. I could conceive of a scenario where impulses at the right (wavelength?) could be executed via a malicious actor to cause a cardiac problem-the EP told me that there are myriad ways in which they can electrically stimulate the heart-with controls-and this is why I haven't run welding equipment for 20 years.
 
This is actually exactly what I plan to do. It appears that my "t-wave inversion" whatever the hell that is, was mis-identified many years ago, and I never needed the device. When i get this thing pulled out, I have to get on an airplane, fly back to Alaska where I am from-and my plan is to hand the device back to the doctor, who was truthfully, little more than a salesman in an era in which ICD's were over prescribed (which is why the VA and the US Govt successfully sued many different medical institutions over giving people ICDs when they didn't need them, albeit under the feel-good notion that it would be better for the patients to "have them and not need them") and hand that little hitchiker back to him in person. Likely will blow his mind.

side note: first time I was having sex after the device was implanted, it fired off on me because my heart rate was at 218 for about 10 minutes. Turns out the EPs doing the surgery failed to take my device off "factory default" settings-wihch were calibrated for the heart specs of an average 60 year old male. I was 22. I can laugh about it now.
 
Yikes Dan. Did hurt when it went off? I’ve been told it’s like a punch to the chest.
Had a cardiac arrest 2 years ago so I now live with the icd in my chest like a pack of cigarettes under the skin. Was healthy too. They don’t know why I died.
 
wikidlad said:
Yikes Dan. Did hurt when it went off? I’ve been told it’s like a punch to the chest.
Had a cardiac arrest 2 years ago so I now live with the icd in my chest like a pack of cigarettes under the skin. Was healthy too. They don’t know why I died.
Click to expand...


It hurt like hell. I didn't mention it but a month or so prior to that I had it fire @ 740v 8 or 9 times in less than a minute. It wsas terrifying. Another time it fired while I was driving down the road. I literally got a smidge of PTSD from the thing-it worried me alot.
The girl at the time and I were not utilizing *ahem* insulation (see-rubber) and so the shock passed through me, out my, *ahem* and into her. She thought at the time i stuck my foot into the electrical outlet. The doctors thought it was hilarious. Thats why I have the intention of hand carrying the hitchiking little terrorist back to the personal residence of the man that put it in me.

I believe the spec is 740v and 41 joules. It feels more like a horse kicked you in the chest as opposed to a simple punch. It's awful.

I can laugh about it now. I think.
 
You sexual Tyrannosaurus rex. Don’t mean to laugh but that’s a story to tell ya kids....if that happens. Hoping mine doesn’t go off at all.....I try to keep calm and nort let things get to me like I used too
 
wikidlad said:
You sexual Tyrannosaurus rex. Don’t mean to laugh but that’s a story to tell ya kids....if that happens. Hoping mine doesn’t go off at all.....I try to keep calm and nort let things get to me like I used too
Click to expand...

stress can cause it. Are you ARVD/C?
 
In this case, who cares about the leak of heart beat information. All this needs effectively is a unique-per-patient 16-char code to authenticate modification. It seems unlikely that snoopers will be hanging about the reprogramming station to steal the code or alter a modification in progress (you're a goner anyway if your enemies are going to that length). This would stop any sort of unexpected casual tampering.

Did you know: good cameras can remotely read your heartbeat anyway, by the slight color change in your face each pulse.

My uncle died a couple years ago, heavy smoker. Aunt beat the crap out of his chest, medics got him going and they cooled him for 48 hours. Brought him up, he was fine and has a pacemaker now.
 
My ex wife has one, pretty scary somebody could potentially kill her.

**we are on excellent terms, not me lol**
 
wikidlad said:
Yikes Dan. Did hurt when it went off? I’ve been told it’s like a punch to the chest.
Had a cardiac arrest 2 years ago so I now live with the icd in my chest like a pack of cigarettes under the skin. Was healthy too. They don’t know why I died.
Click to expand...

It hurts like a m'fer, but not as bad as the defibrillation unit with the paddles. I had issues after coming to directly after my last oncology surgery in '09. That was a wild ride.
 
dangerouseddy said:
https://www.medtronic.com/us-en/hea...-rhythm/managing-patients/accessing-data.html


you can see in the video the blue receiver/transmitter they have to place right over the icd to get a connection with it.
Click to expand...

At first I was like. hmm if it has to be that close that helps. Then I was like... nope. Actually if it only works form a very short distance, it probably makes it pretty easy to set op and ATM skimmer like exploit of the hardware. Check your doohickey closely before using it on yourself or a patient.
 
raz-0 said:
At first I was like. hmm if it has to be that close that helps. Then I was like... nope. Actually if it only works form a very short distance, it probably makes it pretty easy to set op and ATM skimmer like exploit of the hardware. Check your doohickey closely before using it on yourself or a patient.
Click to expand...


that is an interesting post.
Back in the day when i first got the device, I had a PSTN-connected device that I would place over my chest, and the doctor's office would interrogate data out of the ICD over the phone. It was crazy as hell.
 
Zarathustra[H] said:
Nah. Something like this would likely need to be built into the architecture from day one. It's not just tacked on at the end.

The hardware needs to have both the battery power and hardware to be able to support encryption.

My view regarding how these things happens is usuay one of two ways:

1.) Product was either designed or based on another product that was designed a really long time ago before encryption and security were the norm.

2.) Ignorance. You'd be surprised how many firmware and software engineers work in a complete bubble inside organizations and haven't even thought about security.



I've dealt with #1 in the past. It's the #1 reason why medical device companies get FDA warning letters. Even most new designs are not designed from scratch. You take the previous design and tweak a thing or two. Do proper modern designs and testing on the tweaks, but just assume the existing design is good, because it's on the market right? Do this 10+ generations in a row, and suddenly your core design dates back to the 70's even on your latest product.

I'm dealing with #2 right now, working for a company that has a lot of long time employees (many for 30-40 years). There are a lot of good people who know their subject matter very well, who just haven't been exposed to any best practices from outside the company, because they have spent their entire working lives here. We are developing our first connected product, and I'm having to drag everyone kicking and screaming into the realization that we'll need private key/public key encryption, identification and authentication and am having to fight the "this is the way we've always done it" mindset every step of the way.

It's sometimes amazing how change resistant organizational culture can become, even when management is on board with the change.
Click to expand...

Interesting, I admittedly don't have any experience with this sort of embedded development. I have specifically seen basic authentication and encryption added to web applications a few years after their initial development. Authentication itself added to PLC ladders many years after their development but I'm sure something like this in particular would be much different. I've also seen cases of both your examples at my current job. Thankfully, I don't really have to worry about the outside world for most of those cases. My struggle is protecting our equipment and systems from our own employees. Making things dumb enough so they don't get confused but smart enough so they can't accidentally break things. My number one irritation is the statement "we've been doing it like this for 30 years". My response is "yes and our market share has been declining for 30 years too"!
 
You must log in or register to reply here.
Back
Top