MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » Report: New hack could put malware directly on Medtronic pacers, allow full control

Report: New hack could put malware directly on Medtronic pacers, allow full control

By

Medtronic logo

Vulnerabilities within with Medtronic‘s (NYSE:MDT) pacemakers, its Carelink 2090 pacemaker programmer and associated infrastructure could allow an outside agent to plant malware on the pacers that would allow them to control all shocks delivered by the device, according to a new Wired report.

The vulnerabilities were discovered by security firm Whitescope’s Billy Rios and QED Secure Solutions’ Jonathan Butts, according to the report. Both researchers claim to have been in discussions with Medtronic about the issues, which have also caught the attention of the FDA and the Dept. of Homeland Security.

Rios and Butts said that a chain of vulnerabilities in Medtronic’s infrastructure could allow full control of implanted pacers. The team found the vulnerabilities by assessing Medtronic’s software delivery platform which is designed to deliver updates to the company’s existing devices, according to Wired.

The pair built their own proof-of-concept network after examining the Fridley, Minn.-based medtech giant’s proprietary cloud infrastructure to test for issues without illegally accessing the actual network, according to the report.

Medtronic took 10 months to analyze the submission, after which the company reportedly opted to not act on it, Wired reports.

“Medtronic has assessed the vulnerabilities per our internal process. These findings revealed no new potential safety risks based on the existing product security risk assessment. The risks are controlled, and residual risk is acceptable,” the company wrote, according to the report.

The researchers continue to investigate, and plan to publically show how vulnerabilities in the pacemaker programmer’s connection to Medtronic’s software delivery network could allow such an attack to occur at the Black Hat security conference this week, according to the report.

“We were talking about bringing a live pig because we have an app where you could kill it from your iPhone remotely and that would really demonstrate these major implications. We obviously decided against it, but it’s just a mass scale concern. Almost anybody with the implantable device in them is subject to the potential implications of exploitation,” Butts said, according to the report.

“We’ll just demonstrate the exploits in action and let people decide for themselves,” Rios told Wired.

The researchers suggested that merely releasing advisories related to the vulnerabilities may not be enough, and insinuated that such an exploit could have real life-or-death consequences. They added that the addition of digital code signing could alleviate some of the issues and pointed out that competitors are already using such safety measures in their pacers, according to Wired.

Though Medtronic has not announced plans to release protective measures to eliminate the vulnerabilities, the company said it has acted on vulnerabilities brought to light by Rios and Butts in the past, according to Wired.

Earlier this month, the US Dept. of Homeland Security’s Industrial Control Systems Computer Emergency Response Team flagged two Medtronic devices for cybersecurity vulnerabilities that could allow attackers to obtain sensitive information, according to a HealthITSecurity report.

In case you missed it

RSS From Medical Design & Outsourcing

  • FDA authorizes Q-Collar to help protect athletes’ brains
    The FDA announced today that it authorized the Q-Collar made by Q30 Sports Science for protecting the brain during sports activities. Q30 Sports Science’s Q-Collar is a C-shaped collar worn around the neck designed to apply compressive force to the neck and increase blood volume to help reduce movement of the brain within the cranial… […]
  • The top 7 medtech CEO quotes on COVID-19, one year later
    The latest earnings season has provided insights into the future of medtech in the COVID-19 landscape and what certain sectors are seeing as vaccines start to roll out. Since the start of the pandemic, 113.1 million COVID-19 cases have been reported worldwide, according to Johns Hopkins University School of Medicine. The U.S. leads the world… […]
  • Pfizer wins FDA nod to store COVID vaccine at normal freezer temps
    The FDA announced today that it is allowing undiluted, frozen vials of the Pfizer-BioNTech COVID-19 vaccine to be transported and stored for up to two weeks at conventional temperatures commonly found in pharmaceutical freezers. The decision should allow for wider distribution of the vaccine to sites that do not have ultra-low temperature freezers. Pfizer asked… […]
  • 8 drug delivery innovations you need to know
    The drug delivery space has seen plenty of innovation over the years, and there are no signs of that slowing down any time soon. Improvements upon established technologies like insulin delivery devices and inhalers have been presented by some, while others have unlocked new ways of delivering drugs through a variety of means. Among the… […]
  • Hoffer Plastics gains MedAccred certification again
    Injection molding company Hoffer Plastics (South Elgin, Ill.) announced that it has received the MedAccred re-certification from not-for-profit medtech audit provider MedAccred. MedAccred is a supply-chain oversight program of the Performance Review Institute. It conducts critical-process audits for its member OEMs to ensure their suppliers adhere to global regulations and requirements, and helps reduce the number… […]
  • UK passes post-Brexit medical device regulation
    The U.K. has enacted a new law governing medical devices and drugs, with a focus on patient safety. The Medicines and Medical Devices Act, introduced in July 2020, establishes the position of commissioner for patient safety to respond to public and patient complaints and concerns about drugs and medical devices. The law was necessitated by… […]
  • Integrated Polymer Solutions acquires IRP Group
    Integrated Polymer Solutions (“IPS”), a portfolio company of Arcline Investment Management, announced this week that it has acquired IRP Group. IRP designs and manufacturers elastomeric sealing components from its facilities in Southern California. Founded in 1999, the company is focused on the Class I and II medical device market as well as the aerospace &… […]
  • Interpower debuts plugs in new colors
    Interpower announced that its NEMA 5-20 hospital-grade plugs for use in North America now come in molded colors of clear, black or gray on 10-foot lengths of flexible cord. These molded plugs complement the company’s NEMA 5-20 hand-wired hospital-grade plugs. The North American 18A hospital-grade power cord on 14 AWG SJT cable and North American… […]
  • Portescap motors gain certification
    Portescap announced that its slotless brushless DC motors for respirators have received ISO 13485:2016 certification. Expanding on ISO 9001, this standard contains specific requirements for parts traceability and risk management activities throughout the design and development stages. It also requires process and software validations at defined intervals. Independent risk management and quality compliance firm DNV… […]
  • Instron launches update to product testing system
    Materials testing equipment and software developer Instron announced the launch of the Torsion Add-On 3.0 for universal testing systems. Recently redesigned to take advantage of the latest functionality offered by the new Instron 6800 series, this system offers a simpler, safer, and more intuitive user experience, according to Norwood, Mass.-based Instron. Instron introduced the Torsion… […]
  • Abiomed CEO Michael Minogue appointed as AdvaMed chairperson
    Medtech trade group AdvaMed today said it has appointed Abiomed (NSDQ:ABMD) president and CEO Michael Minogue as chairperson of the AdvaMed board of directors, effective immediately. Minogue will serve as chairperson of the trade association’s board of directors for two years. He has been a member of the board since 2007 and a member of the board… […]