Heart Hack Attack: Programmers Discover Life-Threatening Pacemaker Hack

Speaking at the Black Hat USA 2018 security conference in Las Vegas, Nevada this week, security researchers Billy Rios and Jonathan Butts criticized medical device manufacturing giant Medtronic for its slow response to a potentially life-threatening vulnerabilities to hacking.

The pair said they first alerted the company about the lack of encryption in the firmware update process of one of its major products back in January 2017, complaining that Medtronic has yet to implement measures to fix the vulnerabilities.

At the conference, the security experts demonstrated the same proof-of-concept hack attack they developed last year, showing that it still works. The hack involved the use of a CareLink 2090 programmer device, which has no HTTPS encryption or digital signature, allowing the hackers to introduce malicious code which most doctors would not be able to detect to create dangerous commands, such as an increase in the number of shocks to a pacemaker.

"The response from the manufacturer is so poor," Rios said, speaking to Ars Technica. "This is not some online video game where high scores can get dumped. This is patient safety," the security specialist complained.

A Medtronic representative insisted that the latest versions of their products aren't affected, but Rios and Butts disagreed. A separate hack, which the digital security experts never actually implemented for legal reasons, involves tampering with the cloud-based software-delivery servers the company uses to update software.

The pair also demonstrated vulnerabilities in several other Medtronic products, including the use of an inexpensive HackRF software-defined radio device  to remotely control an insulin pump.

Ultimately, Rios emphasized that while generally speaking, the "benefits for implanted medical devices outweigh the risks…when you have manufacturers acting the way Medtronic did, it's hard to trust them."