Of all the things that we think of getting hacked, pacemakers are probably very low on the list. Yet, the idea that they could be compromised by outside sources is not exactly crazy or even new.
In fact, there is an instance of issues or potential problems being discovered here and here. The fact that some could be vulnerable to hacks is not in dispute, though the speed at which manufacturers try to make things right is.
That’s especially true for at least one brand, who a year and a half after being notified of the problem still has not done anything to correct it. Therefore, their pacemakers are still quite vulnerable.
Think this is bad? Sure seems like it
At the center of this story is the Medtronic CareLink 2090 monitor, which is used to control pacemaker settings. Researchers Billy Rios and Jonathan Butts of QED Secure Solutions and WhiteScope, respectively, alerted Medtronic to the fact that they could be hacked back in January 2017.
At a Black Hat conference in Las Vegas they showed how a flaw in the device could allow for an attacker to run malware on it, with the proof-of-concept attacks developed back then still able to work now.
They surmised the issue is poor software design, in that updates are neither signed nor encrypted. Doctors would have a difficult time detecting something was amiss, and an affected pacemaker could be altered in many ways, such as the number of shocks that is delivered to patients.
As bad as this could be, it’s a good thing Medtronic was made aware so that they could fix the issue. Except, in this case Medtronic has apparently ignored the warnings.
It has been nearly 600 days since the company was first made aware of the findings, and about 160 days since they were presented with a proof-of-concept of the hack. In a Black Hat presentation, it was noted that the researchers followed all the disclosure policies regarding what they found, only to be led on an 18-month stretch filled with a non-responsive company with inefficiencies and misleading reactions.
Responding to the presentation, Medtronic released a statement that read:
“While the advisory process took longer than all parties desired, this process was necessary to coordinate with WhiteScope, ICS-CERT, and FDA to determine whether this should result in a public disclosure or advisory.”
So what happens next?
With Medtronic unwilling to act, an ICS-CERT advisory for the CareLink 2090 occurred in February. It mentioned fixes such as turning the device off when it was not in use as well as connecting it to a VPN, which are both ideas Medtronic ultimately offered.
Last week, Medtronic also published a warning about model numbers 24950 and 24952. But while this may be helpful to some, it’s unlikely most people who have the pacemakers will ever learn of the fixes or the problems they are meant to combat.
And even if they somehow come across the memo, it’s very likely they won’t actually understand what is happening or needs to be done.