Critical vulnerability found in medical devices!

A security vulnerability in a medical device can have serious consequences for the people who depend on it. Unlike conventional computers, smartphones or tablets, implanted devices can often only be brought up to the current state of the art with considerable effort.

Concrete cases show that the threat is far from small. Live demonstrations make the problem tangible, and exploited vulnerabilities can even lead to death. There have already been enough such cases in the past.

Security vulnerability in medical devices – more than 750,000 susceptible devices!

On March 21, 2019, the U.S. Food and Drug Administration (FDA) published a Safety Communication stating that Medtronic devices are susceptible to attack. More specifically, the following devices are affected:

  • Implantable cardioverter defibrillators (ICDs)
  • Defibrillators for Cardiac Resynchronization Therapy (CRT-Ds)

The proprietary Conexus telemetry protocol used by these medical devices is vulnerable to third-party attacks. Possible attack scenarios include draining the device battery or manipulating its functionality. However, an attacker would have to be very close to the device, since the device specification gives a transmission range of approximately six meters. The defibrillator must also be in listening mode, so the devices cannot be attacked continuously.

Since the vulnerability was disclosed, Medtronic has been actively monitoring for attacks on the telemetry functions of the devices, using the transmitter stations in the homes of the affected patients. Besides forwarding data from the defibrillator to the attending physician, these stations are used for exactly such management functions.

How susceptible are medical devices?

The first serious failures of a computer-controlled medical device occurred between 1985 and 1987. The Therac-25 was a linear accelerator used in radiation therapy. Its computer was responsible for both data acquisition and user interaction, and these two tasks ran concurrently as separate processes.

However, the synchronization between these processes was not tested thoroughly enough, so certain sequences of user interactions caused errors and a significantly increased radiation dose was delivered by mistake. This programming error caused six critical accidents, three of which were fatal.

Networking in medical devices

The first widely known incident involving a networked medical device occurred in 2011, when Barnaby Jack and Jerome Radcliffe, who is diabetic and therefore wears an insulin pump, presented their work at BlackHat 2011 (https://www.infosecurity-magazine.com/news/barnaby-jack-hacks-diabetes-insulin-pump-live-at/). During his attack, Jack could change the dose or switch off the device completely without Radcliffe noticing.

In 2012, Barnaby Jack showed at the Ruxcon conference that he could make a pacemaker deliver a lethal shock. However, individual medical devices are rarely attacked. The attack vectors found in other sectors are also found in the health sector: ransomware, malware, and data theft via unsecured systems or careless employees.

At AWARE7 we offer solutions that test your technical systems for security vulnerabilities and train your employees, for example through live hackings or penetration tests. Let yourself be convinced, like the companies in our references.

Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. During my bachelor's and master's studies I specialized in IT security, and I am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware security and web security. As an expert in penetration testing, I find vulnerabilities in systems and networks and use them to simulate realistic cyberattacks and improve security measures. Through reverse engineering I discover flaws and opportunities for improvement in software and hardware. My skills in hardware and web security enable me to protect physical devices and online platforms against a wide range of cyber threats and to ensure their integrity and reliability.