A critical vulnerability in implanted life-support devices lets attackers take control of them
Habr has written many times about how manufacturers of all kinds of devices focus on design and ease of use while leaving information security by the wayside. This applies to companies that produce smartphones and IoT gadgets, and it turns out that the developers of medical devices are also not too worried about protecting their products from outside interference.
And we are talking about such vital devices as pacemakers and defibrillators (not the ones shown in TV series about doctors, but a different kind). These are miniature devices implanted in the human body so that, when the heart is not working properly, it receives an electrical signal that "turns on" the normal mode of operation of the heart muscle.
If something happens to such a device, its owner faces inevitable problems, up to and including death. Worst of all, defibrillators are becoming increasingly “smart.” Those from Medtronic have also turned out to be vulnerable to external interference.
Specialized equipment is used to service these devices and verify their operation. Hospitals use a model called CareLink Programmer; at home, patients use the MyCareLink Monitor.
And everything would be fine, but, as researchers at Clever Security showed, the communication protocol used by these devices is not secure. No encryption of any kind is used when transmitting data; the information is, in effect, sent in the clear. In addition, there is no protection against external connections, which attackers can take advantage of.
Thus, a cybercriminal can connect to the device and change its mode of operation, or even reflash it with custom software.
Experts rated the severity of the problem at 9.3 points on a 10-point scale. The situation is really very difficult, since nothing can be done online to strengthen the device's information security. And attackers may well use the problem for their own purposes.
So far, the researchers have carried out only a proof-of-concept attack, just to demonstrate the capabilities mentioned in the study. True, this requires physical access to the control device, MyCareLink or CareLink. With such access, the most innocent action would be obtaining the user data stored on the device. If desired, the device can also be reflashed, as mentioned above.
But there is another possibility: attackers with the appropriate experience can create a custom device that, when within range of the defibrillator, can set a specific mode of operation for any of the devices manufactured by Medtronic.
Of course, the security researchers made information about the problem public only after they had sent everything necessary to the developers of the medical devices. The developers strengthened their systems by making access to MyCareLink and CareLink more difficult. But the connection remained unprotected: there is no encryption and no authentication.
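What the missing authentication would add, as an example written for this article and not code from the researchers or from Medtronic: the implant accepts a command only if it carries a valid HMAC-SHA256 tag and a fresh counter. The frame layout, the opcode value and the per-device pre-shared key are assumptions made for illustration, and encryption of the payload is not covered.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32
HEADER = struct.Struct(">QB")  # hypothetical layout: 8-byte counter, 1-byte opcode

def seal(key: bytes, counter: int, opcode: int, payload: bytes = b"") -> bytes:
    """Programmer side: frame = header || payload || HMAC-SHA256(key, header || payload)."""
    body = HEADER.pack(counter, opcode) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Implant:
    """Device side: applies a command only if the tag verifies and the counter is fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.applied = []

    def receive(self, frame: bytes) -> str:
        if len(frame) < HEADER.size + TAG_LEN:
            return "rejected: short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: bad tag"
        counter, opcode = HEADER.unpack_from(body)
        if counter <= self.last_counter:  # an old, validly signed frame sent again
            return "rejected: replay"
        self.last_counter = counter
        self.applied.append((opcode, body[HEADER.size:]))
        return "accepted"

def demo():
    key = bytes(range(32))  # constructed per-device key, for the demo only
    device = Implant(key)
    good = seal(key, 1, 0x10, b"\x3c")  # 0x10 is a made-up "set mode" opcode
    results = {
        "paired": device.receive(good),
        "replayed": device.receive(good),
        "unkeyed": device.receive(seal(b"\x00" * 32, 2, 0x10, b"\xff")),
        "tampered": device.receive(good[:9] + b"\xff" + good[10:]),
        "truncated": device.receive(b"\x00" * 8),
    }
    return results, device.applied

if __name__ == "__main__":
    print(demo())
```

Only the frame sealed with the device's own key and an unused counter changes device state; the replayed, unkeyed, tampered and truncated frames are all dropped before any command is applied.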
By the way, both control devices run a custom version of Linux. The passwords that give root access to these devices are stored as an MD5 hash, which can be cracked without any difficulty. According to the researchers, the 8-digit password that gives access to this system can be cracked even on a regular laptop using the database of passwords and logins from the RockYou service that was made public 10 years ago.
True, for an attack to succeed, the defibrillator must be in a state where it is listening to the "radio". The devices enter this mode when doctors perform special service work, as well as during a defibrillator test using CareLink.
The problems with medical devices do not end there, because what has been shown is only a problem inherent in one type of device from one manufacturer. But there are many medical “smart” implants, and no one can guarantee that other devices are safer than the systems manufactured by Medtronic.