The Department of Homeland Security is warning against a critical flaw in Medtronic defibrillators which can be hacked by malicious actors. If a hacker were to exploit this flaw, they could gain control of the machine and rewrite commands — actions which could have fatal consequences. At the time of this reporting, there have been no documented incidents involving patients harmed by hacked devices. Medtronic is currently working on a fix for the bug in their defibrillators, but in the meantime, some 750,000 of their devices are impacted by the flaw.
When you hear the word “defibrillator,” you may think of the automated external defibrillator (AED), which a healthcare professional may use during the instance of sudden cardiac arrest. But there are other types of defibrillators, such as implantable or wearable cardioverter-defibrillators. These devices are attached to the patient in some capacity and are used to prevent sudden death in people with life-threatening arrythmias.
Medtronic produces implantable defibrillators — which means that the gaping security flaw in their devices puts many thousands of patients’ lives at risk.
As Daily Mail reports, security researchers from the Clever Security firm discovered the vulnerability in Medtronic implantable defibrillators earlier this year. Flaws in how they communicate with the radios doctors use to track and adjust the devices after implantation could be exploited by hackers. Specifically, the Conexus communications protocol used by Medtronic is not encrypted and does not require user authentication — two big missteps in the world of cybersecurity.
If these vulnerabilities were to be exploited, attackers could interrupt communications and change information on the device — potentially weaponizing the defibrillator and harming the patient. In addition to interfering with device functionality, attackers could gain access to any sensitive information stored on it.
DHS has given this threat a rating of 9.3 out of 10, noting that it requires “low skill to exploit.” However, a malicious actor would have to be in close proximity to the patient in order to carry out their attack.
As Threatpost reports, 20 different products made by Medtronic are affected by these flaws — and an estimated total of 750,000 devices may be vulnerable.
A Medtronic spokesperson told Threatpost that the company is “conducting security checks to look for unauthorized or unusual activity that could be related to these issues.” The company reports that there have been no attacks on vulnerable devices so far, and that there will be a series of software updates to resolve these security issues. The spokesperson told Threatpost that the first update will come in late 2019, pending regulatory approval.
However, there is still a greater problem at hand: Many medical devices are vulnerable to being attacked and exploited.
Cybersecurity experts have been warning about potential vulnerabilities in medical devices for quite some time. In 2018, CBS News reported that the federal government was investigating potential risks in devices such as pacemakers, insulin pumps and defibrillators.
At the time, government agencies said there were no reported incidents of medical devices being hacked and used to harm patients — but a pair of cybersecurity experts contends that the threat of exploitation is imminent. Security researchers Billy Rios and Johnathan Butts said they were able to hack every device they examined. And as the Medtronic flaws show, in many cases, you don’t need much skill to exploit the flaws seen in medical devices.
Many devices that are used to keep people alive — from drug infusion pumps to pacemakers — can be easily infiltrated. While data breaches can be devastating, hacking a medical device could kill a targeted patient.
It is no wonder security experts are now calling on medical device makers to take the security of their devices more seriously.
Learn more about hacking and cybersecurity at Glitch.news.
Sources for this article include: