Hackable Medical Implants and Somebody Else's Fault
In previous briefings, we have talked about the security risks created by insecure medical implants. At this week’s Black Hat conference, security researchers Billy Rios and Jonathan Butts demonstrated yet another attack against medical implants and their control infrastructure. Since the vendor response is illustrative to understand the motivators at play in this field we will have a closer look at both the specific attack and the vendor’s response.
The talk covers a vulnerability that the researchers discovered and reported to the affected vendor in early 2017. Medtronic, the vendor in question, has released several statements covering the vulnerability, but it appears that attacks were still possible at the time of the Black Hat presentation. According to the researchers, updates for the CareLink 2090 programmer, a device used to manage, configure and monitor pacemakers after implantation, are neither delivered over an encrypted channel nor otherwise verified by the device. Using very common hacking techniques, it was thus possible to develop malicious firmware for the device and deliver it as a supposed update. Once the control device is infected, malicious attackers could ostensibly abuse the access to send life-threatening instructions, such as an increase or decrease in shock frequency, to nearby patients.
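The root cause described above is that the programmer accepts an update without checking who produced it or whether it was altered in transit. The following added example (not Medtronic's code, and not the researchers' tooling) shows the device-side checks that close that gap: the update is rejected unless its manifest carries a valid authentication tag, is addressed to this device model, is newer than the installed firmware (anti-rollback), and the payload matches the digest the signed manifest commits to. The container format, the device identifier `programmer-2090` and the key are all constructed for the example; HMAC-SHA256 stands in for the public-key signature a real device would verify with a vendor public key baked into its firmware, so that only the vendor's private key can produce an acceptable update.

```python
import hashlib
import hmac
import json
import struct

TAG_LEN = 32
DEVICE_MODEL = "programmer-2090"        # assumed identifier for the example, not a vendor value
VERIFY_KEY = b"constructed-demo-key"    # stand-in for the vendor public key embedded in the device


class UpdateRejected(Exception):
    """Raised when an update fails any authenticity, integrity or rollback check."""


def build_update(signing_key: bytes, device: str, version: int, payload: bytes) -> bytes:
    """Vendor side: wrap a firmware image in an authenticated manifest.

    Constructed container layout:
        4-byte big-endian manifest length | JSON manifest | payload | 32-byte tag over the manifest
    The manifest commits to the payload by size and SHA-256, so authenticating
    the manifest is enough to authenticate the whole image.
    """
    manifest = json.dumps({
        "device": device,
        "version": version,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }, sort_keys=True).encode()
    tag = hmac.new(signing_key, manifest, hashlib.sha256).digest()
    return struct.pack(">I", len(manifest)) + manifest + payload + tag


def verify_update(blob: bytes, installed_version: int, verify_key: bytes = VERIFY_KEY) -> dict:
    """Device side: accept only an authentic, intact, newer image for this device model."""
    if len(blob) < 4 + TAG_LEN:
        raise UpdateRejected("truncated container")
    (mlen,) = struct.unpack(">I", blob[:4])
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if 4 + mlen > len(body):
        raise UpdateRejected("manifest length exceeds container")
    manifest_bytes = body[4:4 + mlen]
    payload = body[4 + mlen:]

    # 1. Authenticate the manifest before interpreting it; untrusted bytes are never parsed.
    expected = hmac.new(verify_key, manifest_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("manifest authentication failed")
    manifest = json.loads(manifest_bytes)

    # 2. The image must be intended for this device model.
    if manifest.get("device") != DEVICE_MODEL:
        raise UpdateRejected("manifest is for a different device")

    # 3. Anti-rollback: an old but validly signed image must not be reinstalled.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected("version is not newer than the installed firmware")

    # 4. The payload must match what the authenticated manifest commits to.
    if len(payload) != manifest.get("size") or \
            hashlib.sha256(payload).hexdigest() != manifest.get("sha256"):
        raise UpdateRejected("payload digest mismatch")

    return {"version": version, "payload": payload}


def is_rejected(blob: bytes, installed_version: int, verify_key: bytes = VERIFY_KEY) -> bool:
    """Convenience wrapper: True if the device would refuse to install this blob."""
    try:
        verify_update(blob, installed_version, verify_key)
    except UpdateRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample image; version 5 replacing an installed version 4.
    good = build_update(VERIFY_KEY, DEVICE_MODEL, 5, b"constructed-firmware-image-v5")
    print("genuine update accepted:", not is_rejected(good, 4))
    # Flip one payload byte: the manifest still authenticates, but the digest no longer matches.
    tampered = good[:-TAG_LEN - 1] + bytes([good[-TAG_LEN - 1] ^ 0x01]) + good[-TAG_LEN:]
    print("tampered payload rejected:", is_rejected(tampered, 4))
    # An image produced without the vendor key never passes step 1.
    forged = build_update(b"attacker-key", DEVICE_MODEL, 6, b"anything")
    print("forged update rejected:", is_rejected(forged, 4))
```

The ordering inside `verify_update` is the point: the manifest is authenticated before it is parsed, the version check runs on authenticated data, and the payload is only trusted once the digest in the authenticated manifest matches. Transport encryption alone would not provide this; an attacker who can reach the update server or proxy the connection still could not produce a tag that verifies.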
Other people’s problem
Since we have previously covered why it is difficult to develop and maintain secure implants, this briefing will focus on Medtronic's reaction. While the high regulatory overhead found in the medical industry leads to long product development cycles, a potentially life-threatening vulnerability going unmitigated for 18 months is problematic. What is more worrying is that instead of a technical fix, the company chose to attempt to mitigate the issue in legal terms. A statement released by Medtronic reads in part:
In the accompanying Medtronic security bulletin, we communicated that our existing security controls mitigate the issue. Since that time, we also have made technical updates where these services are hosted to further strengthen security controls.
Medtronic recommends that customers continue to follow the security guidance detailed in the Medtronic 2090 CareLink Programmer reference manual. This guidance includes maintaining good physical controls over the programmer and having a secure physical environment that prevents access to the 2090 programmer. In addition, the 2090 programmer should be connected to a well-managed, secured computer network. If this is not possible, the 2090 programmer should be disconnected from the network (with no impact to functionality), and updates may be received directly from a Medtronic representative.
In short, since the recommended usage guidelines for the CareLink 2090 programmer state that it should only be used in a secure environment and only be connected to a secure network, the vulnerability supposedly shouldn't matter. From a legal perspective, this is likely to hold up as a response. Since a hack of the device would require a network that has been at least partially breached, Medtronic is unlikely to be found liable if a patient is injured by a hack.
From an information security perspective, however, this approach is counterproductive. While hospital networks are usually relatively well secured and monitored, they are by no means hard targets. Attackers with enough funding, time or inside contacts can reasonably be expected to gain access to any given hospital network. This in turn means that all that is stopping attackers is the lack of a sufficiently high-value target.
However, with many political leaders and other people of interest depending on pacemakers, it is not hard to come up with a reasonable scenario in which either a criminal group or a state actor sees enough value in killing or harming an individual to merit the cost of the attack.
Medical devices continue to suffer from hard-to-fix information security vulnerabilities. While defenses that shift the responsibility for security to hospitals or other third parties might make sense from a legal perspective, they are not acceptable from an information security standpoint. Neither are they acceptable from a PR standpoint: if a patient with one of Medtronic's pacemakers dies from a targeted hack, the company might survive the legal fallout. But the negative press attention and sharp loss of customer confidence resulting from such an attack is likely to drive it out of business nonetheless.