Wireless vulns in Medtronic's implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft

Medtronic is the most notorious maker of insecure medical implants in America, with a long history of inserting computers into people's bodies with insecure wireless interfaces, toolchains and update paths, and nothing has changed.

In a new CERT advisory — scoring 9.3/10 for severity! — we learn that remote attackers can hijack a Medtronic implanted defibrillator and administer potentially lethal shocks, shut down lifesaving features, and put the device into a high power-consumption mode that drains the battery. A separate attack allows attackers to steal sensitive patient data from the device.

Medtronic (predictably) downplayed the severity of the vulnerability and advised patients to take no meaningful preventative measures to avoid these attacks, confining its advice to using "only bedside monitors obtained from a doctor or from Medtronic directly, to keep them plugged in so they can receive software updates" and to "maintain good physical control over the monitor." Medtronic insists that patients should not switch off the wireless feature in their implants.

But Ransford did say it was surprising that issues like the ones in Thursday's advisory continue to crop up in Medtronic defibrillators, since this variety of vulnerability has been known since 2008.

A decade ago Ransford was part of a team of researchers that tested a bacon-wrapped Medtronic Maximo defibrillator and came to the surprising conclusion that it could be hacked.

In the groundbreaking paper, the researchers reported that they could cause their compromised device to issue shocks on command, shut down its lifesaving features and change functionality so the battery would wear out.

"It looks like a manufacturer still has some work to do," Ransford said.

Ransford said the effects of the attack appeared to be essentially the same, regardless of the specific route used to attack the device. Medtronic officials said the vulnerabilities described in the 2008 paper involved a different communications protocol.

Medical Advisory (ICSMA-19-080-01)
Medtronic Conexus Radio Frequency Telemetry Protocol

750,000 Medtronic defibrillators vulnerable to hacking [Joe Carlson/Star Tribune]

(via /.)