Five months after the FDA and DHS launched probes into claims that its pacemakers and cardiac monitoring technology were vulnerable to potentially life-threatening hacks, St Jude Medical has issued security fixes.
Without the security update, the devices are vulnerable to tampering that could cause implanted pacemakers to pace at potentially dangerous rates or cause them to fail by rapidly draining their batteries.
Cyber-tampering with medical devices such as insulin pumps or pacemakers can seem far-fetched – the product of researchers’ theoretical scenarios and probably not very likely to happen in the real world.
But back in 2013, former US vice-president Dick Cheney made the threat feel a bit more tangible when he told CBS’s 60 Minutes programme that doctors had disabled his pacemaker’s wireless capabilities in order to thwart possible assassination attempts.
This week, the reality of security vulnerabilities in medical devices and the potential harm they entail was made more vivid still when St Jude finally released security updates for the implantable devices.
On Monday, St Jude announced the immediate release of security updates for its Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.
The fixes will reduce what’s already “extremely low cyber-security risks,” said St Jude.
The pacemaker company said it’s unaware of any security incidents related to, nor any attacks explicitly targeting, its devices. Granted, “all medical devices using remote monitoring are exposed to the risk of a potential cyber security attack,” it said.
It was a begrudging acknowledgement, making mention of “the increased public attention on highly unlikely medical device cyber risks”. The tone was hardly surprising, given that the company sued IoT security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment.
Legal dispute or no, St Jude has in fact now patched those same bugs, MedSec said on Monday.
The bugs were confirmed in advisories released by both the US Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) on the same day that St Jude announced the security updates.
According to the advisories, the software update addresses some, but not all, known cyber-security problems in the heart devices.
The impartial nature of the fix was backed up by cryptographic expert Matthew Green, an assistant professor at John Hopkins University, who described the pacemaker vulnerability scenario as the fuel of nightmares.
He put out a series of tweets on the matter, including these messages:
The summary of the problem is that critical commands: shocks, device firmware updates etc. should only come from hospital programmer 5/
Unfortunately SJM didn’t use strong authentication. Result: any device that knows the protocol (including home devices) can send these 6/
And worse, they can send these (potentially dangerous) commands via RF from a distance. Leaving no trace. 7/
Specifically, the devices use 24-bit RSA authentication, he said: “No, that’s not a typo.” Beyond the weak authentication, St Jude also included a hard-coded 3-byte fixed override code, Green said.
I’m crying now.
Green added that the vulnerabilities are in the implantable devices themselves and the only fix is to update the firmware.
How, exactly, do you do that to a device implanted in somebody’s chest? The security advisories from St Jude, the DHS and the FDA don’t mention that, Green points out.
I don’t even know what that would entail. Maybe bringing patients into doctor’s offices. A logistical frigging nightmare. 12/
But this is the worst part, Green hypothesized: the “nightmare fuel” that “should be keeping SJM and the FDA up at night until they can rule it out”:
Compromising one box at a time is very time consuming and unlikely. But what if you could push harmful code to ALL OF THEM AT ONCE. 15/
Scary, eh? One respondent suggested that this could be a money machine in the wrong hands:
@matthew_d_green Forget public transit systems, this seems like a way better way to hold lives ransom for BTC 😳
— Nick 🖤 (@Sneakyness) January 10 2017
Nightmare fuel, indeed. Let’s just hope these attacks stay esoteric, far-fetched and as unlikely as St Jude is insisting.
Any other possibility could prove fatal.
foo
People keep bringing attention to this problem, and Sophos keeps refusing to address it.
Why do you use a nearly invisible font on sections to which you wish to draw readers’ attention?
You indent them, and you use an italics font — isn’t that enough for readers to notice them?
Paul Ducklin
I think “nearly invisible” is a bit of an overstatement (I’ve viewed the site from dozens of different phones and laptops, eachbin various light conditions, to compare legibility and not had any problem).
Ironically, it’s not that we are trying to draw attention to the text (for that we use reversed-out text that is black on light grey), but simply that we want to differentiate it – usually we do this to denote something that is a quote of someone else’s words. Technically, it’s text inside blockquote tags in the HTML.
Nevertheless, I hear you and will pass your comments onto the design people…let’s see if we can persuade them this time.
FreedomISaMYTH
it looks fine on all my devices unless i crank the brightness on my led mon to 6000… but then i cant see anything anyway.
Larry M
I’m with foo. Unreadable. Especially with an older laptop or flat-panel monitor which has CCFL backlight, not LED backlight.
Larry M
No, Duck, it’s not really just a blockquote. Sophos (or WordPress) has some off-the-wall CSS stylesheet which defines as
A quick test of blockquote (Windows 10 X64, Chrome & Edge & IE) with no CSS styles showed that in all three cases, the font used for paragraphs and bllockquotes was identical. The only difference is that the blockquote was indented. Takes only about five lines of HTML to test this.
Paul Ducklin
Yes, *it’s really just a blockquote*, or at least that’s how we mark it up when we write our articles, but as you point out, it’s subjected to our stylesheet, which not only indents blockquotes and italicises them (the typeface is the same), but makes them a lighter shade of pale, too.
I raised this again with our designers last week. I will raise it again tomorrow, but I am sorry to have to say that’s about as much as I can do. If I could edit the CSS myself I’d have done so ages ago – there just doesn’t seem to be any reason for us not to change it, for all that I can’t really see what the problem is myself, unless perhaps you have a CRT that’s well past its best or a very early LCD screen with a poor contrast ratio.
Simply put, I’m on your side and will bring it up again.
Jim
This kind of analysis makes me think companies are thinking of their medical devices with security last. Just like any other IoT device, except lives are on the line with this one.
James
the only fix is to update the firmware.
Would you like to update your pacemaker to Windows 10?
As a part of modernizing the interface, closing the window offering the update will now mean that you do want the update.
Bryan
Your pacemaker may go offline for several minutes to a few hours. Please be patient as it installs the latest updates. It’s probably best if you also refrain from operating heavy equipment.