Hackers from all over the world flocked to the Black Hat 2018 security conference held in Las Vegas this week. There, two researchers revealed a pacemaker hack that makes it possible for attackers to remotely install malicious updates. Such an update can cause the device to malfunction, delivering extra shocks or withholding needed ones, which can threaten patients’ lives.
The researchers, Billy Rios and Jonathan Butts, said that they had already informed the medical device maker Medtronic about these vulnerabilities in January 2017. However, the attack methods they found still work.
How does the hack work?
The duo demonstrated two hacks that compromised CareLink 2090 programmer – the medical device used by doctors to control pacemakers once they are implanted in a body.
The first hack exploits the method by which the programmer receives updates from Medtronic. Apparently, the updates delivered to the device are not secured by an HTTPS connection and the firmware is not digitally signed. As a result, the researchers were able to force the device to run a malicious update that doctors cannot easily detect.
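To illustrate the two missing controls described above (transport security and firmware signing), here is an added example of how a device-side update check could enforce them; it is not code from the researchers or from Medtronic. It assumes a constructed vendor key and a version field in the update manifest, and it uses HMAC-SHA256 as a standard-library stand-in for the asymmetric signature a real programmer would verify.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key. A real programmer would
# carry a public key and verify an asymmetric signature; HMAC-SHA256 is used
# here only because it is available in the standard library.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass
class Update:
    source_url: str      # where the programmer fetched the package from
    version: int         # monotonically increasing firmware version (assumed field)
    firmware: bytes      # the image itself
    signature: bytes     # tag over (version || sha256(firmware))


def sign_update(version: int, firmware: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: bind the version to the image so both are covered."""
    msg = version.to_bytes(4, "big") + hashlib.sha256(firmware).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()


def check_update(update: Update, installed_version: int, key: bytes = VENDOR_KEY) -> str:
    """Device side: return 'ok' or the reason the update must be rejected."""
    # 1. Transport: refuse anything not fetched over TLS.
    if not update.source_url.lower().startswith("https://"):
        return "rejected: update not fetched over HTTPS"
    # 2. Authenticity: constant-time compare so a forged tag leaks nothing.
    expected = sign_update(update.version, update.firmware, key)
    if not hmac.compare_digest(expected, update.signature):
        return "rejected: firmware signature invalid or missing"
    # 3. Anti-rollback: a validly signed but older image is still refused.
    if update.version <= installed_version:
        return "rejected: version downgrade"
    return "ok"


def demo() -> dict:
    """Run the check over constructed sample updates against installed version 1."""
    good = b"constructed firmware image v2"
    sig = sign_update(2, good)
    cases = {
        "signed_https": Update("https://updates.example/fw.bin", 2, good, sig),
        "plain_http": Update("http://updates.example/fw.bin", 2, good, sig),
        "tampered": Update("https://updates.example/fw.bin", 2, good + b"!", sig),
        "rollback": Update("https://updates.example/fw.bin", 1, b"old", sign_update(1, b"old")),
    }
    return {name: check_update(u, installed_version=1) for name, u in cases.items()}
```

Only the signed image fetched over HTTPS with a newer version passes; the plain-HTTP fetch, the tampered image and the rollback are each refused with a distinct reason.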
The other hack takes advantage of vulnerabilities in the servers that Medtronic uses inside its internal network to deliver software updates.
By examining how the programmer communicates with these servers, the researchers worked out how an attacker could join the VPN and interfere with the update process. Because carrying this out would mean compromising servers owned by Medtronic, Rios and Butts never attempted it.
Similarly, they presented another hack that worked against a Medtronic-made insulin pump. Using a software-defined radio, they managed to instruct the pump to stop scheduled doses of insulin.
Meanwhile, the response from Medtronic has been quite “poor” according to the researchers, as the company has not taken adequate measures to secure the devices.