Critical vulnerability of implanted life support devices allows attackers to control them.

The fact that manufacturers of various devices focus on design and usability, leaving the issues of information security behind, on Habré wrote many times. This applies to companies that produce smartphones, IoT gadgets, plus it turned out that the developers of medical gadgets also do not care much about protecting their devices from outside interference.

And we are talking about such vital devices as pacemakers and defibrillators (not the ones that are shown in the series about doctors, others). These are miniature devices that are implanted into the human body so that during the moments when the heart is working with problems, it receives an electrical signal that allows you to "turn on" the normal mode of operation of the heart muscle.

If something happens to such a gadget, then its owner will face imminent problems, up to a fatal outcome. Worst of all, defibrillators are becoming more “smart.” Those of them that are produced by Medtronic, were also vulnerable to external interference.
')
Special devices are used for maintenance and testing of devices. In hospitals, a model called CareLink Programmer is used, at home - MyCareLink Monitor.

And everything is good, but, as shown by researchers from the company Clever Security, the communication protocol used by these devices is unsafe. When transferring data, no encryption is used - none at all, information is transmitted, in fact, in the clear. In addition, there is no protection against external connection, which attackers can use.

Thus, a cybercriminal can connect to the gadget and change its mode of operation or even reflash using custom software.

Experts rated the severity of the problem at 9.3 points on a 10-point scale. The situation is really very complicated, since it is impossible to change anything in the direction of enhancing the information protection of the device online. And attackers may well use the problem for some of their own purposes.

So far, researchers have only carried out a proof-of-concept attack, just to demonstrate the capabilities mentioned in the study. True, this requires physical access to the control device - MyCareLink or CareLink. If there is access, then the most innocent action may be retrieving user data stored on the device. If you wish, you can reflash the device, as mentioned above.

But there is another possibility - with the right experience, attackers can create a custom device, which, while within the defibrillator's range, can set a specific mode of operation to any of the devices released by Medtronic.

Of course, cybersecurity experts laid out information about the problem in a public domain after they sent everything they needed to medical device developers. Those strengthened the protection of their systems, complicating access to MyCareLink and CareLink. But the connection remained unprotected - there is no encryption and authentication.

By the way, both control devices are running a custom version of Linux. Passwords that allow root access to these gadgets are stored as MD5 hash, which can be decrypted without any difficulty. According to researchers, an 8-digit password giving access to this system can be cracked even with the help of a regular laptop and a database of password / login passwords from the RockYou service that was shared 10 years ago.

However, in order for an attack of attackers to be successful, the defibrillator must be in a state of listening to the "radio". Gadgets enter this mode at the time when the doctors are doing special service work, as well as during a defibrillator check with Carelink.

Problems with medical devices do not end there, because only a problem is shown that is inherent to a certain type of gadget from one of the manufacturers. But there are a lot of medical “smart” implants, and no one can guarantee that other gadgets are safer than systems produced by Medtronic.