MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » Report: New hack could put malware directly on Medtronic pacers, allow full control

Report: New hack could put malware directly on Medtronic pacers, allow full control

By Leave a Comment

Share

Medtronic logo

Vulnerabilities within with Medtronic‘s (NYSE:MDT) pacemakers, its Carelink 2090 pacemaker programmer and associated infrastructure could allow an outside agent to plant malware on the pacers that would allow them to control all shocks delivered by the device, according to a new Wired report.

The vulnerabilities were discovered by security firm Whitescope’s Billy Rios and QED Secure Solutions’ Jonathan Butts, according to the report. Both researchers claim to have been in discussions with Medtronic about the issues, which have also caught the attention of the FDA and the Dept. of Homeland Security.

Rios and Butts said that a chain of vulnerabilities in Medtronic’s infrastructure could allow full control of implanted pacers. The team found the vulnerabilities by assessing Medtronic’s software delivery platform which is designed to deliver updates to the company’s existing devices, according to Wired.

The pair built their own proof-of-concept network after examining the Fridley, Minn.-based medtech giant’s proprietary cloud infrastructure to test for issues without illegally accessing the actual network, according to the report.

Medtronic took 10 months to analyze the submission, after which the company reportedly opted to not act on it, Wired reports.

“Medtronic has assessed the vulnerabilities per our internal process. These findings revealed no new potential safety risks based on the existing product security risk assessment. The risks are controlled, and residual risk is acceptable,” the company wrote, according to the report.

The researchers continue to investigate, and plan to publically show how vulnerabilities in the pacemaker programmer’s connection to Medtronic’s software delivery network could allow such an attack to occur at the Black Hat security conference this week, according to the report.

“We were talking about bringing a live pig because we have an app where you could kill it from your iPhone remotely and that would really demonstrate these major implications. We obviously decided against it, but it’s just a mass scale concern. Almost anybody with the implantable device in them is subject to the potential implications of exploitation,” Butts said, according to the report.

“We’ll just demonstrate the exploits in action and let people decide for themselves,” Rios told Wired.

The researchers suggested that merely releasing advisories related to the vulnerabilities may not be enough, and insinuated that such an exploit could have real life-or-death consequences. They added that the addition of digital code signing could alleviate some of the issues and pointed out that competitors are already using such safety measures in their pacers, according to Wired.

Though Medtronic has not announced plans to release protective measures to eliminate the vulnerabilities, the company said it has acted on vulnerabilities brought to light by Rios and Butts in the past, according to Wired.

Earlier this month, the US Dept. of Homeland Security’s Industrial Control Systems Computer Emergency Response Team flagged two Medtronic devices for cybersecurity vulnerabilities that could allow attackers to obtain sensitive information, according to a HealthITSecurity report.

In case you missed it

RSS From Medical Design & Outsourcing

  • Canfield Scientific acquires Visiomed
    Canfield Scientific recently acquired Germany-based dermoscopy company Visiomed. The financial details of the deal were not disclosed. “The addition of Visiomed’s best-in-class optical and digital dermatoscopes are a perfect extension to our imaging portfolio,” Doug Canfield, president of Canfield Scientific, said in a press release. “Furthermore, their commitment to excellence and organizational culture was a… […]
  • How to use digital health in clinical trials to improve patient engagement
    Digital health technology can improve reporting of patient data during clinical trials, but it can also lead patients to drop out.  By Vicki Anastasi and Matthew McCarty, ICON Plc Digital health technologies are changing the way companies design and implement clinical trials, shifting responsibility from investigator to patient. Adding multiple digital health technologies into trial… […]
  • Hancock Jaffe inks CoreoGraft development deal with Texas Heart Institute
    Hancock Jaffe Laboratories has entered a sponsored research agreement with the Texas Heart Institute to develop the company’s CoreoGraft. CoreoGraft is an off-the-shelf conduit that is designed to be used for coronary artery bypass surgery. “We are fortunate to be in a position to be highly selective of the projects we accept at Texas Heart… […]
  • FDA launches pilot to expand special 510(k) market pathway
    By Stewart Eisenhart, Emergo Group Medical device regulators at the US Food and Drug Administration has initiated a new pilot program for expanded eligibility in the agency’s Special 510(k) pathway, potentially easing market compliance requirements for more manufacturers whose devices have undergone modifications. Get the full story here at the Emergo Group’s blog. The opinions… […]
  • Eximo Medical receives FDA clearance for laser system
    Eximo Medical recently announced that it has received FDA 510(k) clearance for its B-Laser Atherectomy System that is designed for peripheral artery disease. The B-Laser system is a 355nm wavelength laser that is designed to treat multiple vascular issues. The system has been cleared for use in the treatment, including atherectomy, of infrainguinal stenoses and… […]
  • 7 electronic design problems that boost medical device costs
    When developing electronic devices, design for manufacturing (DFM) often takes a back seat without regard for the long-term consequences. Even if the manufacturing cost is within the target, companies should consider and address the device’s manufacturability.  Mike Labbe, Valtronic Products that are challenging to build typically result in longer lead times, lower margins, and possibly… […]
  • FDA clears SpineEx’s Sagittae spinal fusion device
    SpineEX recently received FDA 510(k) clearance for its Sagittae lateral lumbar interbody fusion (LLIF) device. Sagittae is a personalized, adjustable and expandable LLIF device that is designed to minimize impaction while maximizing indirect decompression. It also offers a large graft space that is useful for lumbar fusion procedures. The Sagittae is designed for up to… […]
  • Your device design looks great. Now how do you get reimbursement?
    Until recently, the main focuses of medical device companies were designing devices and earning regulatory clearance for their new technologies. How times have changed. While innovative design and FDA approval are important for market entry, reimbursement is now a top concern for medical device CEOs, their investors and other stakeholders. Tom Hughes, Regulatory and Clinical Research… […]
  • What “no-deal” Brexit means for medical devices
    By Ronald Boumans, Emergo Group The UK will leave the European Union on March 29, 2019 – Brexit day. On that day the EU will lose an important Member State, and the UK will no longer have direct access to the 27 remaining Member States. Therefore both the EU and the UK want to work… […]
  • Medtech issues again take center stage in Minn. Congressional races
    The medical device industry is yet again positioned to play a major role in Minnesota congressional races. Incumbent Rep. Erik Paulsen (R-Minn.), who has been a longtime supporter of the medtech industry and led numerous attempts to repeal the medical device tax, is facing a tough re-election campaign. Paulsen is facing off against 48-year-old liquor… […]
  • These 10 medtech companies care a lot about research
    These 10 medical device companies spent the largest portion of their budgets on research and development. Here’s a look at what they produced. Each year, Medical Design & Outsourcing compiles a list of the top 100 medical device companies across the globe and ranks the companies based on annual revenue for the most recent fiscal… […]

Leave a Reply

MASSDEVICE MEDICAL NETWORK

DeviceTalks
Drug Delivery Business News
Medical Design & Outsourcing

MASSDEVICE

Subscribe to MassDevice
Advertise with us
About
Contact us
Privacy
Add us on FacebookMassDevice Network
Follow us on Twitter@MassDevice
Connect with us on LinkedInLinkedIn