Speaking at the Black Hat USA 2018 security conference in Las Vegas, Nevada this week, security researchers Billy Rios and Jonathan Butts criticized medical device manufacturing giant Medtronic for its slow response to potentially life-threatening hacking vulnerabilities.
The pair said they first alerted the company in January 2017 about the lack of encryption in the firmware update process of one of its major products, and complained that Medtronic has yet to implement measures to fix the vulnerabilities.
"The response from the manufacturer is so poor," Rios said, speaking to Ars Technica. "This is not some online video game where high scores can get dumped. This is patient safety," the security specialist complained.
A Medtronic representative insisted that the latest versions of their products aren't affected, but Rios and Butts disagreed. A separate hack, which the digital security experts never actually implemented for legal reasons, involves tampering with the cloud-based software-delivery servers the company uses to update software.
Ultimately, Rios emphasized that while generally speaking, the "benefits for implanted medical devices outweigh the risks…when you have manufacturers acting the way Medtronic did, it's hard to trust them."