'Cardiac pacemakers are hackable and are not yet dealt with,' security researchers warn

by Steven Fruitsmaak

If the heart does not work well, it will greatly affect our lives, but if we incorporate a " pacemaker " that supports the heart with electric pulses, we can live a life that is not different from usual. A researcher who pointed out that such a pacemaker "security vulnerability exists" actually reproduces the hacking to the pacemaker and critically criticizes medical device manufacturers who are not trying to take countermeasures easily.

Hack causes pacemakers to deliver life-threatening shocks | Ars Technica
https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/

Medtronic made of remote monitoring device " care link " is, by exchanging the pacemaker and the data embedded in the body, or to send the data acquired in the pacemaker to the server, to allow or to update the pacemaker of the firmware It is equipment. Normally, pacemakers need specialized technician's response, but doctors can view pacemaker's data directly by using care links.

Security researchers Billy Rios and Jonathan Batz said that they could theoretically invade the server for care links managed by Medtronic and furthermore the care links themselves are also used by second- I pointed out that hacking is possible using the adjustment tool. Even if a malicious firmware that forcibly carries out malfunctioning pacemaker's operation is forcibly executed, it will be difficult for a doctor who does not have technical knowledge, Mr. Lyos and Mr. Buttes said.

In addition, the two have pointed out in May 2018 that the insulin pump of the company also has security vulnerability and that anyone can freely change the amount of insulin secretion if abused. However, Medtronic did not disclose the vulnerability of pacemaker and insulin pump pointed out by Mr. Lyos and Mr. Buts, but left without giving concrete measures.

So on August 9, 2018, Lyos demonstrated hacking to pacemakers and insulin pumps using the second-hand adjustment tool purchased on eBay at the largest security event " Black Hat USA 2018 " in the United States. "We reported this vulnerability to Medtronic about a year and a half ago," criticized the slow response of Medtronic and other medical device manufacturers and the attitude to disregard the security vulnerability.

Up ... Vulnerabilities Next In AttoMedtronic Insulin Pump And Implantable Cardiac Defibrilator (ICD) Exploited By White Hat Legend Billy Rios ( AttoXSSniper ) And Attojonathanbutts -! A Double Header # BlackHat2018 #BlackHatUSA #Infosec #Medsec #Cybersecurity Pic.Twitter .com / ubq1ROZ0IK

- Dan Munro (@ DanMunro) August 9, 2018

On the other hand, Medtronic updated its security information on August 7, 2018, and published a document on the care issues and security issues of the insulin pump. Among them, Medtronic commented that the security problem of the care link pointed out in 2017 was dealt with, and insists that the risk is low because the insurance pump security hole occurs only in the limited type with the old type.

Mr. Lyos criticized that Medtronic took too much time to take specific measures and announce it after it pointed out security problems, "As a security researcher, the benefits of implantable medical devices exceed risks at the moment I believe that, if any medical manufacturers like Medtronic, the risks may be greater, "he commented.