Medical device insecurity was covered at the recent Black Hat and Def Con security conferences in Las Vegas. One set of researchers showed off hacks to pacemakers and insulin pumps that could potentially prove lethal, while another researcher explained how hospital patients\u2019 vital signs could be falsified in real time.Pacemaker and insulin pump hacks at Black Hat USAA decade has passed since we learned about pacemaker hacks, but still implantable medical devices that can save patients\u2019 lives can be hacked to potentially kill them. Even now, as was highlighted at Black Hat USA, attackers can cause pacemakers to deliver a deadly shock to the heart or deny a life-saving shock, as well as prevent insulin pumps from delivering needed insulin.After asking attendees with implanted medical devices to leave the room, researchers Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions demonstrated how attackers could remotely install malicious firmware on a device used by doctors to control their patients\u2019 pacemakers. That\u2019s due to the lack of encryption in Medtronic\u2019s firmware update process. The duo also discussed vulnerabilities in Medtronic\u2019s network infrastructure for software deliveries.They showed how it was possible to compromise Medtronic\u2019s CareLink 2090 programmer, a programming device that runs on Windows XP and is used by doctors to control patients\u2019 implanted pacemakers. They demonstrated two hacks that ultimately changed the programming so it would harm patients with pacemakers. Butts explained, \u201cYou can obviously issue a shock, but you can also deny a shock.\u201dThe firmware is not digitally signed, and updates sent to the programmers are not delivered via an encrypted HTTPS connection. Medtronic basically blew off the malicious reprogramming threat as being a \u201clow risk\u201d and impractical attack. Making sure there is no hack is something doctors can allegedly do. If it weren\u2019t so sad, that response would be funny considering how many patients have been affected by data breaches or hospitals slammed with ransomware.Rios and Butts are critical of Medtronic\u2019s responses, pointing out how far it would go to safeguard patients if only Medtronic would digitally sign their code.But wait, there\u2019s more because the researchers also showed off a hack against a Medtronic insulin pump. Using software-defined radio, they demonstrated how to stop a scheduled dose of insulin from being delivered. Conversely, as pointed out by ICS-CERT, \u201cAn attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.\u201dICS-CERT posted advisories about all the following Medtronic devices: MiniMed 508 insulin pump, MyCareLink 24950 and 24952 patient monitor, Carelink 2090 programmer and N'Vision clinician programmer, and here is the list of Medtronic security bulletins. The really long, full statement issued by Medtronic can be seen here.Def Con researcher explains how to falsify a patient\u2019s vitals in real timeNo embedded medical devices, no worries? That\u2019s not necessarily true if you are a patient in a hospital, as a researcher showed how a patient\u2019s vitals could be falsified in real time, leading to medication or treatments that patients don\u2019t need.Before coming up with real-world attack scenarios, Doug McKee, senior security researcher at McAfee\u2019s Advanced Threat Research team, consulted Dr. Shaun Nordeck to determine how important the accuracy of patients\u2019 vital signs is to doctors. Dr. Nordeck said, \u201cVital signs are integral to clinical decision making.\u201d Not all medical professions go running into every one of their patients\u2019 hospital rooms to verify monitored vitals before making critical decisions about treatment.At Def Con, McKee discussed a \u201cweakness in the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient's condition. This protocol is utilized in some of the most critical systems used in hospitals.\u201d He demonstrated how the weakness could be exploited by an attacker in real time to modify the communications in-transit to provide false information. \u201cLack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors,\u201d he said.McAfee has posted two videos showing vitals being modified in real time. One shows spoofing a patient\u2019s heartbeat to flatline, and the other shows modifying a normal heartbeat to an extremely high level, which could influence medical decisions.Explaining the impact of the attack, Dr. Nordeck said, \u201cFictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and\/or prevent clots. The hospital could also suffer resource consumption.\u201dMcKee suggested that vendors encrypt network traffic between devices and add authentication, as it would add levels of difficulty to successfully pulling off attacks that can falsify patient data.