Critical vulnerability found in medical devices!

M.Sc. Chris Wojzechowski

A security gap in medical devices can have serious consequences for the people who carry them. In contrast to conventional computers, smartphones or tablets, the implanted devices can sometimes only be upgraded to the latest state of the art with considerable effort.

Concrete cases show that the threat is not small. Live demonstrations make the problem tangible, and in the worst case such a flaw can lead to death. There have already been enough cases in the past.

Security hole in medical devices – more than 750,000 susceptible devices!

On March 21, 2019, the U.S. Food and Drug Administration (FDA) published a Safety Communication stating that Medtronic devices are susceptible to attack. More specifically, the following devices are susceptible:

  • Implantable defibrillators (ICDs)
  • Defibrillators for Cardiac Resynchronization Therapy (CRT-Ds)

The proprietary Conexus telemetry protocol of these medical devices is vulnerable to third-party attacks. Possible attack scenarios are discharge of the devices or manipulation of their functionality. However, an attacker would have to be very close to the device, since its specification gives a transmission range of approximately six meters. The defibrillators must also be in listening mode, so the devices cannot be attacked continuously.

Medtronic has been actively scanning for attacks on the telemetry functions of the devices since the gap was announced, using the transmitter stations in the homes of the affected patients. These are used for exactly such management functions, besides the transmission of data from the defibrillator to the attending physician.

How susceptible are medical devices?

The first serious errors of a medical device involving a computer occurred between 1985 and 1987. Therac-25 was a linear accelerator used in radiation therapy. The computer was responsible for data acquisition and user interaction. Multitasking was used to perform these two processes.

However, synchronization was not tested extensively enough, so that errors occurred in certain sequences of user interactions and a significantly increased dose of radiation was mistakenly used. This programming error caused six critical accidents of which three were fatal.
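A simplified model of the kind of synchronization error described above, added here as an illustration. It is not Therac-25 code; the task names, modes and tick timing are constructed assumptions. It shows a setup task acting on stale operator input, and a version re-check before actuation that fails safe.

```python
from dataclasses import dataclass

@dataclass
class Settings:
    mode: str = "xray"   # treatment mode chosen by the operator (constructed)
    version: int = 0     # incremented on every operator edit

def operator_edit(settings, mode):
    """Data-entry task: the operator corrects the mode."""
    settings.mode = mode
    settings.version += 1

def setup_task(settings, recheck):
    """Setup task as a generator; each yield is one scheduler tick."""
    mode, version = settings.mode, settings.version  # read once at start
    yield ("positioning", mode)   # slow hardware step, tick 0
    yield ("positioning", mode)   # still moving, tick 1
    if recheck and settings.version != version:
        # Hardened path: the input changed during setup, so fail safe.
        yield ("abort", mode)
        return
    yield ("fire", mode)          # acts on the possibly stale snapshot

def run(recheck, edit_at_tick=None):
    """Interleave both tasks deterministically.
    Returns (action, mode the machine used, mode the operator entered)."""
    settings = Settings()
    last = None
    for tick, event in enumerate(setup_task(settings, recheck)):
        last = event
        if tick == edit_at_tick:
            operator_edit(settings, "electron")  # quick correction mid-setup
    return (*last, settings.mode)

if __name__ == "__main__":
    print("unsynchronized:", run(recheck=False, edit_at_tick=1))
    print("with re-check: ", run(recheck=True, edit_at_tick=1))
    print("no edit:       ", run(recheck=True))
```

The fault only appears when the edit lands inside the setup window, which is why testing a handful of input sequences can miss it.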

Networked medical devices

The first widely known incident with a networked medical device occurred in 2011, when Barnaby Jack and Jerome Radcliffe, who was diabetic and therefore had an insulin measuring device, presented their work at BlackHat 2011 (https://www.infosecurity-magazine.com/news/barnaby-jack-hacks-diabetes-insulin-pump-live-at/). He could change the dose during his attack or switch off the device completely without Jerome Radcliffe noticing.

In 2012, Barnaby Jack showed at the Ruxcon Conference that he could get a pacemaker to induce a lethal shock. However, individual medical devices are rarely attacked. The attack vectors found in other sectors are also found in the health sector: ransomware, malware and data theft via unsecured systems or careless employees.

At AWARE7, we offer solutions that check technical systems for security vulnerabilities and train your employees, for example with live hacking events or penetration tests. Be convinced, like the companies in our references.

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I studied my Master in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread and butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.