Article 4BJE9 Critical flaw lets hackers control lifesaving devices implanted inside patients

Critical flaw lets hackers control lifesaving devices implanted inside patients

by
Dan Goodin
from Ars Technica - All content on (#4BJE9)
icd-800x658.jpg

Enlarge / An X-ray showing an cardio defibrillator implanted in a patient. (credit: Sunzi99~commonswiki)

The federal government on Thursday warned of a serious flaw in Medtronic cardio defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient.

Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. In recent decades, doctors have increasingly used radios to monitor and adjust the devices once they're implanted rather than using older, costlier, and more invasive means. An array of implanted cardio defibrillators made by Medtronic rely on two types of radio-based consoles for initial setup, periodic maintenance, and regular monitoring. Doctors use the company's CareLink Programmer in clinics, while patients use the MyCareLink Monitor in homes to regularly ensure the defibrillators are working properly.

No encryption, no authentication, and a raft of other flaws

Researchers from security firm Clever Security discovered that the Conexus Radio Frequency Telemetry Protocol (Medtronic's proprietary means for the monitors to wirelessly connect to implanted devices) provides no encryption to secure communications. That makes it possible for attackers within radio range to eavesdrop on the communications. Even worse, the protocol has no means of authentication for legitimate devices to prove they are authorized to take control of the implanted devices. That lack of authentication, combined with a raft of other vulnerabilities, makes it possible for attackers within radio range to completely rewrite the defibrillator firmware, which is rarely seen in exploits that affect medical device vulnerabilities.

Read 12 remaining paragraphs | Comments

index?i=PJfn7ze_O48:Va1o8NGooZ8:V_sGLiPB index?i=PJfn7ze_O48:Va1o8NGooZ8:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments