Insecure medical implant company Medtronic finally plugs one of its worst vulnerabilities


#1

Originally published at: https://boingboing.net/2018/10/16/carelink-2090-2091.html


#2

I started thinking about how difficult it would be to murder someone with one of these pacemakers by compromising it. But then you’d probably have to be within touching distance to do anything like that, and at that point it’s easier to just stab them. Might be a decent scenario for a film perhaps?


#3

Medibot?


#4

Medtronic. Worst company I spent 6 months working for.

I called them “Merdetronic.”


#6

To hack the pacemaker you need to be within stabbing distance. To hack the ‘updater wand’, and thus indirectly hack all subsequently updated pacemakers, you only needed to be within the same network/wifi.


#7

If someone dies, indict and try the C-level for murder.


#8

Good call. USB is famously secure and not at all prone to being used as an easy attack vector.


#9

The problem is you can record a person’s heart and play it back on another person’s. And that’s how you get Communism!


#10

The only vulnerability they were attempting to plug was a possible reduction of cash income. Companies tend to care more about their shareholders than their customers or end users.


#11

Wait… an “insecure” company? Like, they have low self-esteem? “Hey, Medtronic, your mother wears combat boots, and the source code for your electronic devices is garbage.”


#13

There’s also the option of not hacking all subsequent pacemakers.

If (as is likely, if only because manufacturing medical widgets to FDA-level quality standards tends to involve tracking things a lot less sophisticated than pacemakers to at least the lot number level) they are uniquely serialized, you could deliver targeted updates.

Compromise the programmer any time before the person of interest’s next appointment; sit back and innocently observe.


#14

You got that, too! “Unsecure” would have been better.


#15

Come now. Exploits only cross air gaps among the sloppy operators of low value targets. Like nuclear programs or semiconductor foundries.

