The DHS Issues Medical Advisory for Medtronic Cardiac Devices

Discussion in 'HardForum Tech News' started by cageymaru, Mar 22, 2019.

  1. cageymaru

    cageymaru [H]ard|News

    Messages:
    19,224
    Joined:
    Apr 10, 2003
    The Department of Homeland Security (DHS) has issued a cybersecurity warning that documents vulnerabilities in the Medtronic Conexus Radio Frequency Telemetry Protocol. Medtronic makes cardio-defibrillators that are planted into a patient's chest and can be read and programmed by trained medical personnel. This allows the devices to communicate with home monitoring devices and Carelink programmers found at doctor's offices. These vulnerabilities require a low level of skill to exploit as the proprietary Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device. Because the devices also lack encryption, attackers can listen to communications, including the transmission of sensitive data. Medtronics is working on developing updates to fix the vulnerabilities.

    "It is possible with this attack to cause harm to a patient, either by erasing the firmware that is giving necessary therapy to the patient's heart, or by directly invoking shock related commands on the defibrillator," he said. "Since this protocol is unauthenticated, the ICD cannot discern if communications its receiving are coming from a trusted Medtronic device, or an attacker." A successful attacker could erase or reprogram the defibrillator's firmware, and run any command on the device.
     
  2. Twisted Kidney

    Twisted Kidney 2[H]4U

    Messages:
    3,551
    Joined:
    Mar 18, 2013
  3. dangerouseddy

    dangerouseddy Gawd

    Messages:
    603
    Joined:
    May 16, 2007
    i think the carelink programmers only work at very close range, i dont think a defib can be reprogrammed remotely from what i remember. did look into them when the doc thought i had brugada syndrome. im not too worried.
     
  4. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,631
    Joined:
    Oct 29, 2000
    Something like this was bound to happen sooner or later.

    I wonder why DHS is handling this rather than FDA.

    I also wonder if they were compliant with UL 2900
     
  5. maxz01

    maxz01 Limp Gawd

    Messages:
    166
    Joined:
    Aug 26, 2017
    Nihlism fixes this problem as you are indifferent to being killed
     
  6. Ranulfo

    Ranulfo [H]ard|Gawd

    Messages:
    1,392
    Joined:
    Feb 9, 2006
    Spy agencies, assassination squads and agent47, hardest hit.
     
  7. ol1bit

    ol1bit [H]ard|Gawd

    Messages:
    1,234
    Joined:
    Jan 15, 2007
    This just means I have to carry around a gun to shoot any would be hacker of my ICD. :)
     
    painintheworld likes this.
  8. Wiffle

    Wiffle Limp Gawd

    Messages:
    292
    Joined:
    Oct 2, 2011
    Any command huh?

    Guess which device is getting a Doom port created for it...
     
  9. dangerouseddy

    dangerouseddy Gawd

    Messages:
    603
    Joined:
    May 16, 2007
  10. DanHirschberg

    DanHirschberg n00b

    Messages:
    39
    Joined:
    Mar 16, 2019


    I have a St. Jude model defibrillator in my chest as of the past 15 years-never once having needed it for arrhythmia or the like. I am actively working to get it removed-this being at the forefront of my concern. Glad to see this posted here.
     
    painintheworld and cageymaru like this.
  11. DanHirschberg

    DanHirschberg n00b

    Messages:
    39
    Joined:
    Mar 16, 2019

    What about a strong enough interrogatory freq? That could conceivably at minimum pull out data, as opposed to write? This was an issue for Dick Cheney a few years back I recall.
     
  12. RealBeast

    RealBeast Gawd

    Messages:
    651
    Joined:
    Aug 4, 2010
    Sorry Grandma, but you just have all that money sitting in CDs that I could use for a real lifestyle. Muhahahahha! ;)
     
  13. WBurchnall

    WBurchnall 2[H]4U

    Messages:
    2,619
    Joined:
    Oct 10, 2009
    My guess is maybe a senator or a few rich congress men have one or more in their chest, so they are worried about politicians being remotely killed via e-terrorists/foreign hackers. As unlikely as it is....
     
  14. Zareek

    Zareek Limp Gawd

    Messages:
    181
    Joined:
    Sep 5, 2011
    I can see how this went at the manufacturer. I willing to bet someone mentioned it was insecure.

    Software Engineer: Okay the software is working properly now we just need to add some sort of encryption and authentication protocol to protect the device.
    Management: How long will that take?
    Software Engineer: A week or two to develop and debug at least.
    Management: Yeah that's not going to work, we need to make money on this now and we still have to get it though the FDA.
    Software Engineer: Without it protecting the device it could be targeted.
    Management: We are saving lives here, besides no one will know it's there. If the FDA says we need it, we will add it later.
    Software Engineer: Okay you're the boss.
     
  15. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,631
    Joined:
    Oct 29, 2000
    Nah. Something like this would likely need to be built into the architecture from day one. It's not just tacked on at the end.

    The hardware needs to have both the battery power and hardware to be able to support encryption.

    My view regarding how these things happens is usuay one of two ways:

    1.) Product was either designed or based on another product that was designed a really long time ago before encryption and security were the norm.

    2.) Ignorance. You'd be surprised how many firmware and software engineers work in a complete bubble inside organizations and haven't even thought about security.



    I've dealt with #1 in the past. It's the #1 reason why medical device companies get FDA warning letters. Even most new designs are not designed from scratch. You take the previous design and tweak a thing or two. Do proper modern designs and testing on the tweaks, but just assume the existing design is good, because it's on the market right? Do this 10+ generations in a row, and suddenly your core design dates back to the 70's even on your latest product.

    I'm dealing with #2 right now, working for a company that has a lot of long time employees (many for 30-40 years). There are a lot of good people who know their subject matter very well, who just haven't been exposed to any best practices from outside the company, because they have spent their entire working lives here. We are developing our first connected product, and I'm having to drag everyone kicking and screaming into the realization that we'll need private key/public key encryption, identification and authentication and am having to fight the "this is the way we've always done it" mindset every step of the way.

    It's sometimes amazing how change resistant organizational culture can become, even when management is on board with the change.
     
  16. wikidlad

    wikidlad Limp Gawd

    Messages:
    434
    Joined:
    Jul 7, 2005
    Great..I can be hacked.
     
    painintheworld likes this.
  17. painintheworld

    painintheworld [H]Lite

    Messages:
    118
    Joined:
    Jun 5, 2007
    Same here. Time to call and ask for a partial refund :)
     
    wikidlad likes this.
  18. DanHirschberg

    DanHirschberg n00b

    Messages:
    39
    Joined:
    Mar 16, 2019
    The electrophysiologist had models of ICDs dating back to the 1970s. (LAST CENTURY!) They went by order of size; the oldest ones had to be implanted in the abdomen as they were about the size of a pint flask...or rather the size of a "Dan" pint flask-which as the police in my hometown know is dang near a half gallon-the sucker was huge. Definitely old tech like Z said. My EP, and others I have talked to indicate that there is much that can be done to electrically stimulate the myocardium in the hear. In fact the doc stimulates it INTO having a ventricular arrythmia just so the device itself can be tested. I could conceive of a scenario where impulses at the right (wavelength?) could be executed via a malicious actor to cause a cardiac problem-the EP told me that there are myriad ways in which they can electrically stimulate the heart-with controls-and this is why I haven't run welding equipment for 20 years.
     
  19. DanHirschberg

    DanHirschberg n00b

    Messages:
    39
    Joined:
    Mar 16, 2019
    This is actually exactly what I plan to do. It appears that my "t-wave inversion" whatever the hell that is, was mis-identified many years ago, and I never needed the device. When i get this thing pulled out, I have to get on an airplane, fly back to Alaska where I am from-and my plan is to hand the device back to the doctor, who was truthfully, little more than a salesman in an era in which ICD's were over prescribed (which is why the VA and the US Govt successfully sued many different medical institutions over giving people ICDs when they didn't need them, albeit under the feel-good notion that it would be better for the patients to "have them and not need them") and hand that little hitchiker back to him in person. Likely will blow his mind.

    side note: first time I was having sex after the device was implanted, it fired off on me because my heart rate was at 218 for about 10 minutes. Turns out the EPs doing the surgery failed to take my device off "factory default" settings-wihch were calibrated for the heart specs of an average 60 year old male. I was 22. I can laugh about it now.
     
    bigthoughts likes this.
  20. wikidlad

    wikidlad Limp Gawd

    Messages:
    434
    Joined:
    Jul 7, 2005
    Yikes Dan. Did hurt when it went off? I’ve been told it’s like a punch to the chest.
    Had a cardiac arrest 2 years ago so I now live with the icd in my chest like a pack of cigarettes under the skin. Was healthy too. They don’t know why I died.
     
  21. DanHirschberg

    DanHirschberg n00b

    Messages:
    39
    Joined:
    Mar 16, 2019

    It hurt like hell. I didn't mention it but a month or so prior to that I had it fire @ 740v 8 or 9 times in less than a minute. It wsas terrifying. Another time it fired while I was driving down the road. I literally got a smidge of PTSD from the thing-it worried me alot.
    The girl at the time and I were not utilizing *ahem* insulation (see-rubber) and so the shock passed through me, out my, *ahem* and into her. She thought at the time i stuck my foot into the electrical outlet. The doctors thought it was hilarious. Thats why I have the intention of hand carrying the hitchiking little terrorist back to the personal residence of the man that put it in me.

    I believe the spec is 740v and 41 joules. It feels more like a horse kicked you in the chest as opposed to a simple punch. It's awful.

    I can laugh about it now. I think.
     
    the901 likes this.
  22. wikidlad

    wikidlad Limp Gawd

    Messages:
    434
    Joined:
    Jul 7, 2005
    You sexual Tyrannosaurus rex. Don’t mean to laugh but that’s a story to tell ya kids....if that happens. Hoping mine doesn’t go off at all.....I try to keep calm and nort let things get to me like I used too
     
  23. DanHirschberg

    DanHirschberg n00b

    Messages:
    39
    Joined:
    Mar 16, 2019
    stress can cause it. Are you ARVD/C?
     
  24. xorbe

    xorbe [H]ardness Supreme

    Messages:
    5,982
    Joined:
    Sep 26, 2008
    In this case, who cares about the leak of heart beat information. All this needs effectively is a unique-per-patient 16-char code to authenticate modification. It seems unlikely that snoopers will be hanging about the reprogramming station to steal the code or alter a modification in progress (you're a goner anyway if your enemies are going to that length). This would stop any sort of unexpected casual tampering.

    Did you know: good cameras can remotely read your heartbeat anyway, by the slight color change in your face each pulse.

    My uncle died a couple years ago, heavy smoker. Aunt beat the crap out of his chest, medics got him going and they cooled him for 48 hours. Brought him up, he was fine and has a pacemaker now.
     
  25. Verge

    Verge [H]ardness Supreme

    Messages:
    6,090
    Joined:
    May 27, 2001
    My ex wife has one, pretty scary somebody could potentially kill her.

    **we are on excellent terms, not me lol**
     
    babochee likes this.
  26. painintheworld

    painintheworld [H]Lite

    Messages:
    118
    Joined:
    Jun 5, 2007
    It hurts like a m'fer, but not as bad as the defibrillation unit with the paddles. I had issues after coming to directly after my last oncology surgery in '09. That was a wild ride.
     
  27. raz-0

    raz-0 [H]ardness Supreme

    Messages:
    4,491
    Joined:
    Mar 9, 2003
    At first I was like. hmm if it has to be that close that helps. Then I was like... nope. Actually if it only works form a very short distance, it probably makes it pretty easy to set op and ATM skimmer like exploit of the hardware. Check your doohickey closely before using it on yourself or a patient.
     
  28. DanHirschberg

    DanHirschberg n00b

    Messages:
    39
    Joined:
    Mar 16, 2019

    that is an interesting post.
    Back in the day when i first got the device, I had a PSTN-connected device that I would place over my chest, and the doctor's office would interrogate data out of the ICD over the phone. It was crazy as hell.
     
  29. Zareek

    Zareek Limp Gawd

    Messages:
    181
    Joined:
    Sep 5, 2011
    Interesting, I admittedly don't have any experience with this sort of embedded development. I have specifically seen basic authentication and encryption added to web applications a few years after their initial development. Authentication itself added to PLC ladders many years after their development but I'm sure something like this in particular would be much different. I've also seen cases of both your examples at my current job. Thankfully, I don't really have to worry about the outside world for most of those cases. My struggle is protecting our equipment and systems from our own employees. Making things dumb enough so they don't get confused but smart enough so they can't accidentally break things. My number one irritation is the statement "we've been doing it like this for 30 years". My response is "yes and our market share has been declining for 30 years too"!
     
    Zarathustra[H] likes this.