Hacking pacemakers, insulin pumps and patients’ vital signs in real time

Medical device insecurity was covered at the recent Black Hat and Def Con security conferences in Las Vegas. One set of researchers showed off hacks to pacemakers and insulin pumps that could potentially prove lethal, while another researcher explained how hospital patients’ vital signs could be falsified in real time.

Pacemaker and insulin pump hacks at Black Hat USA

A decade has passed since we learned about pacemaker hacks, but still implantable medical devices that can save patients’ lives can be hacked to potentially kill them. Even now, as was highlighted at Black Hat USA, attackers can cause pacemakers to deliver a deadly shock to the heart or deny a life-saving shock, as well as prevent insulin pumps from delivering needed insulin.

After asking attendees with implanted medical devices to leave the room, researchers Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions demonstrated how attackers could remotely install malicious firmware on a device used by doctors to control their patients’ pacemakers. That’s due to the lack of encryption in Medtronic’s firmware update process. The duo also discussed vulnerabilities in Medtronic’s network infrastructure for software deliveries.

They showed how it was possible to compromise Medtronic’s CareLink 2090 programmer, a programming device that runs on Windows XP and is used by doctors to control patients’ implanted pacemakers. They demonstrated two hacks that ultimately changed the programming so it would harm patients with pacemakers. Butts explained, “You can obviously issue a shock, but you can also deny a shock.”

The firmware is not digitally signed, and updates sent to the programmers are not delivered via an encrypted HTTPS connection. Medtronic basically blew off the malicious reprogramming threat as being a “low risk” and impractical attack. Making sure there is no hack is something doctors can allegedly do. If it weren’t so sad, that response would be funny considering how many patients have been affected by data breaches or hospitals slammed with ransomware.

Rios and Butts are critical of Medtronic’s responses, pointing out how far it would go to safeguard patients if only Medtronic would digitally sign their code.

But wait, there’s more because the researchers also showed off a hack against a Medtronic insulin pump. Using software-defined radio, they demonstrated how to stop a scheduled dose of insulin from being delivered. Conversely, as pointed out by ICS-CERT, “An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.”

ICS-CERT posted advisories about all the following Medtronic devices: MiniMed 508 insulin pump, MyCareLink 24950 and 24952 patient monitor, Carelink 2090 programmer and N’Vision clinician programmer, and here is the list of Medtronic security bulletins. The really long, full statement issued by Medtronic can be seen here.

Def Con researcher explains how to falsify a patient’s vitals in real time

No embedded medical devices, no worries? That’s not necessarily true if you are a patient in a hospital, as a researcher showed how a patient’s vitals could be falsified in real time, leading to medication or treatments that patients don’t need.

Before coming up with real-world attack scenarios, Doug McKee, senior security researcher at McAfee’s Advanced Threat Research team, consulted Dr. Shaun Nordeck to determine how important the accuracy of patients’ vital signs is to doctors. Dr. Nordeck said, “Vital signs are integral to clinical decision making.” Not all medical professions go running into every one of their patients’ hospital rooms to verify monitored vitals before making critical decisions about treatment.

At Def Con, McKee discussed a “weakness in the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient’s condition. This protocol is utilized in some of the most critical systems used in hospitals.” He demonstrated how the weakness could be exploited by an attacker in real time to modify the communications in-transit to provide false information. “Lack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors,” he said.

McAfee has posted two videos showing vitals being modified in real time. One shows spoofing a patient’s heartbeat to flatline, and the other shows modifying a normal heartbeat to an extremely high level, which could influence medical decisions.

Explaining the impact of the attack, Dr. Nordeck said, “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots. The hospital could also suffer resource consumption.”

McKee suggested that vendors encrypt network traffic between devices and add authentication, as it would add levels of difficulty to successfully pulling off attacks that can falsify patient data.