Pacemaker hack may put malware directly on the device

The authors say that they’ve discovered a chain of vulnerabilities in pacemaker infrastructure that an attacker could exploit to control implanted pacemakers remotely, deliver shocks patients don’t need or withhold ones they do, and cause real harm.

The authors will demonstrate a series of vulnerabilities in how pacemaker programmers connect to Medtronic’s software delivery network. The attack also capitalizes on a lack of “digital code signing”—a way of cryptographically validating the legitimacy and integrity of software—to install tainted updates that let an attacker control the programmers, and then spread to implanted pacemakers.

“If you just code sign, all these issues go away, but for some reason they refuse to do that. We’ve proven that a competitor actually has these mitigations in place already. They make pacemakers as well, their programmer literally uses the same operating system [as Medtronic’s], and they have implemented code signing. So that’s what we recommend for Medtronic and we gave that data to the FDA.”

Meanwhile, Medtronic maintains that it has evaluated the concerns and has robust defenses in place to defend patients. “We’ll just demonstrate the exploits in action and let people decide for themselves,” Rios says.

Source: WIRED, 08.09.18