Let’s Hack Medical Equipment!

I’m an information technology professional by trade. My work mantra is that “no matter how bad it goes, no one dies”. It have saved me from a lot of stress, and helped me keep my cool in times of crisis. The point is that even if all the IT systems are down, the data center is on fire, and the entire development team has been abducted by aliens, no one dies. At least if the aliens are of the good, not-anal-probing kind. Sure, it’s annoying that people can’t do their work, and we might lose some money during the downtime. But people can drink coffee, chat about the incompetent IT department while the problem is being fixed. And we’ll eventually cover the financial loss, because we learn from our mistakes, and become even better at what we do1.

Since IT is an important part of every industry these days, I have many choices when it comes to what domain I want to work with. Because of my work mantra, however, there are some businesses I will not to get involved with. One is control systems of any kind where a simple software bug may have disastrous consequences. Think ATC, nuclear power plants, and the like. I’d prefer not to kill scores of people because if (x > 1) had somehow turned into if (x > 1);. Many winters ago, I spent the better part of a workday trying to figure out a baffling bug, and the ; above was the cause2. Thankfully, I wasn’t responsible for making sure airplanes don’t crash into each-other. That would have been a bad day to fly.

Another industry I gladly stay away from is medical equipment. But I would have fit right in because it turns out that many of the people working in the medical IT industry are incompetent dimwits.

Controlling The Ticker

The annual Black Hat conference has just wrapped up, and as usual, medical equipment is among the participant’s favorite targets. You might think that it’s bad karma to disclose security vulnerabilities in medical equipment. After all, it’s the kind of stuff we don’t want anyone to tinker with. But if there are vulnerabilities, someone will eventually find them. It’s better that they are found by some of the good guys than the bad guys, isn’t it? Then the vulnerabilities can be fixed instead of exploited. And in the case of medical equipment vulnerabilities, the result can be quite bad if they are exploited.

In a talk during this year’s Black Hat conference, two security researchers showed how you could hack pacemakers. Using a compromised Medtronic CareLink 2090 programmer, they could upload malicious firmware to Medtronic’s pacemakers. The CareLink programmer is used by doctors to control pacemakers after they are implanted in patients. You’d think that process was as secure as Fort Knox, but no.

HTTP And Unsigned Firmware

Medtronic has made some really basics mistakes when handling firmware updates.

First of all, the updates are not delivered to the CareLink programmer in a secure way. Instead of using HTTPS to transmit the firmware update from Medtronic’s servers to the programmer, HTTP is used. This means that the connection is not encrypted. Someone can act as a man-in-the-middle, and replace the firmware that is sent from Medtronic with a malicious one. The connection between your browser, and Kim Kardashian West’s Instagram profile is more secure than that.

In addition, the CareLink programmer doesn’t check if the firmware it has downloaded actually comes from Medtronic. The firmware file is not digitally signed, which means that any bozo can write firmware for Medtronic’s pacemakers. A digital signature could potentially have mitigated the man-in-the-middle attack.

Oh, and it turns out it’s also possible to hack Medtronic’s insulin pumps in such a way that they don’t administer insulin as scheduled.

Shocked Not Shocked

Medtronic is just one of many medical equipment suppliers that have found themselves at the short end of the stick recently. And that makes it even more disturbing. Doesn’t the medical industry care about security? Or is it just that they are grossly incompetent. Using HTTP and signed firmware is Basic Security 101.

I’d be very surprised if exploiting medical equipment security flaws hasn’t been used in targeted assassinations already. Or perhaps in blackmail. This would be my approach for the latter “business case”: First, get the contact details of Medtronic users from one of the many healthcare breaches that have happened in recent years. Then send them an e-mail saying that their pacemaker is compromised. Tell them to pay a couple of bitcoins to stay alive. Profit!

The health care business should be regulated, and fined heavily when they screw up like this.

(Just as as side-note: Another area I won’t touch with a ten foot pole is the weapons industry. Interestingly, their entire business model is the complete opposite of my work mantra; a good day is a day when someone actually died. Sure, your friendly, next-door weapons manufacturer is only making weapons for “defensive purposes”, and the weapons are only sold to “the good guys.” But suddenly the good guys turn into the bad guys, and the defensive weapons you made somehow find their way to Syria, where they are used to kill children. Yeah, sorry, I think I’ll pass.)


  1. Read more about blameless post-mortems↩︎

  2. if (x > 1); is perfectly legal in Java. The ; terminates the line, and all the code inside the if-statement’s body will execute, not matter what the value of x might be. Good times. ↩︎


Feedback

This post has no feedback yet.

Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.


Caution

It looks like you're using Google's Chrome browser, which records everything you do on the internet. Personally identifiable and sensitive information about you is then sold to the highest bidder, making you a part of surveillance capitalism.

The Contra Chrome comic explains why this is bad, and why you should use another browser.