Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)

US govt sounds alarm over wireless comms, caveats apply


Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients' chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect.

On Thursday, the US government's Dept of Homeland Security issued an alert over two CVE-listed vulnerabilities in Medtronic's wireless communications system Conexus, which is used by some of its heart defibrillators and their control units. Conexus exchanges data between implanted devices and their control units over the air using radio-waves, with a range of roughly 25 feet without any signal boosting.

Read-write access

The more serious of the flaws, CVE-2019-6538, can be potentially exploited by an attacker to meddle with data flying between the device and its controller. The Conexus protocol does not include any checks for this kind of tampering, nor performs any form of authentication. This means transmissions can be intercepted, spoofed, and modified by hackers and their nearby equipment, which can also masquerade as a control unit, in certain circumstances that we'll come to describe.

Here's where it gets serious: the protocol allows a nearby miscreant, with the right radio gear and in the right circumstances, to send commands to the implanted cardiac device that reads or writes memory in the gadget. That means someone can, at the right moment, maliciously manipulate the operation of the vulnerable implant over the airwaves, potentially harming or perhaps even ultimately killing the patient.

Pete Morgan, one of the researchers who discovered and reported the flaw, told The Register that while a successful exploit could indeed lead to an attacker changing how the defibrillator operates – for example, making it fire randomly – there are some mitigating factors. Most notably, the device has to be in so-called listen mode, in which is awaits commands, a state that is not active the vast majority of the day.

The implanted device typically wakes up to pick up transmissions when it is activated by an inductive wand waved over the patient's chest, usually during an appointment or checkup with a doctor, or it wakes up automatically and briefly to exchange telemetry with a control unit in the patient's home.

"They enter listen mode through either of two states," Morgan, the founder of Clever Security, explained.

"One, inductive wake up through a wand or puck with the programmer or Carelink home monitor. Two, during intervals usually configured by the physician, the implanted cardiac device will wake up and begin RF communication with the Carelink home monitor to check in and report on status."

A spokesperson for Medtronic noted to El Reg that, in addition to being in range and having the device in listen mode, the attacker would need to know the specific model of device in the victim, and have reverse-engineered its design to know which commands to send to write the necessary data into memory to cause harm.

Thus, someone really needs to be out to get you if pull this off; it's not like miscreants can go war-driving through town zapping people dead.

The second vulnerability, CVE-2019-6540, addresses the lack of encryption with Conexus wireless transmissions. This means an attacker within range can listen in on the data being sent and received, and spy on the patient's condition over the air.

Arnie Total Recall

Pain in the brain! Kaspersky warns of hackable brain implants

READ MORE

Medtronic said it is working on a fix for both issues, and in the meantime urged doctors and patients to use the implants and controllers as usual.

"Medtronic recommends that patients and physicians continue to use these devices as prescribed and intended," the med-tech giant said in its advisory [PDF].

"The benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited. These benefits include earlier detection of arrhythmias, fewer hospital visits and improved survival rates."

Medtronic noted that its line of implanted pacemakers are not vulnerable to either of the flaws, just some of its heart defibrillators.

This isn't the first time Medtronic has made headlines for its lapses in security. Last year, researchers reported a similar issue when the programming units for pacemakers were found to be using insecure channels to download their firmware updates. ®

Similar topics

Broader topics


Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022