Pacemaker controllers still vulnerable 18 months after flaws reported

A popular brand of heart pacemaker is still vulnerable to compromise more than a year and a half after the company that makes them was told of weaknesses in its security, researchers have claimed during a Black Hat presentation.

The product in question is the Medtronic CareLink 2090 monitor, used by doctors to control pacemaker settings, and the researchers are Billy Rios of QED Secure Solutions and Jonathan Butts of WhiteScope, both of whom have an impressive track record at finding flaws in unexpected places.

Last year the pair used a show session to highlight flaws that might allow an attacker to gain control of poorly-secured car washes, while Rios has also co-researched weaknesses in diverse devices such as electronic door security and X-ray machines.

This year’s session on pacemaker hacking sounded a lot more dangerous, however. A medical theme the pair underscored by demonstrating a separate attack on Medronic’s MiniMed insulin pump.

As reported by journalists who attended the demo, the vulnerability that makes it possible for an attacker to run malware on the CareLink 2090 is down to poor software design, primarily that software updates aren’t signed or encrypted.

This is far from an unknown issue on IoT devices, but the session wasn’t simply about what is possible so much as how the manufacturer had responded after being told of the weakness.

As of 9 August, the issue had first been reported to Medtronic 570 days ago, with a proof-of-concept 155 days ago, they said.

As the Black Hat session notes observe:

The researchers followed coordinated disclosure policies in an attempt to help mitigate the security concerns. What followed was an 18-month roller coaster of unresponsiveness, technical inefficiencies and misleading reactions.

Medtronic responded to the presentation with this statement:

While the advisory process took longer than all parties desired, this process was necessary to coordinate with WhiteScope, ICS-CERT, and FDA to determine whether this should result in a public disclosure or advisory.

An ICS-CERT advisory for the CareLink 2090 appeared in February, after the issue was reported to them presumably after direct communications with Medtronic did not have the desired effect.

This mentions mitigations such as turning off the device when not in use and connecting to it via VPN, recommendations echoed by Medtronic. The company followed this up last week by publishing a warning regarding the MyCareLink Patient Monitor models 24950 and 24952.

Security by obscurity

None of this does much for the patients, many of whom will remain blissfully unaware that the products used to manage their health conditions might have hidden problems.

This “bliss” often remains even after public disclosures are made by medical companies. As Rios said during the demo:

When someone gets this advisory and they’re reading this language, it’s almost impossible for them to understand what the risks are.

It’s good when problems are brought into the open but sometimes simply being out in the open isn’t always enough on its own.