
Are pacemakers and defibrillators remotely hackable?


September 1, 2016

Medical researchers at the University of Michigan have cast some doubt on a new claim made by MedSec that St Jude Medical's implanted pacemakers and defibrillators are remotely hackable by potential miscreants.

It all started last week when MedSec (The Mediterranean Center for Sustainable Development and Food Security) went public with a new report claiming that life-giving devices sold by St Jude Medical could be wirelessly compromised by hackers who could either break the vital equipment or empty their batteries of charge by sending malicious signals from a remote location.

Rather than trying to get the problem fixed with the manufacturer, MedSec partnered with investment firm Muddy Waters Capital to short St Jude's stock.

This allowed the two groups to cash in when they made their security vulnerability findings public and the healthcare company's share price fell.

St Jude Medical then called the whole MedSec file "false and misleading." Now the University of Michigan says some of the security shortcomings detailed in the MedSec report aren't as serious as first described.

The university researchers attempted to recreate MedSec's attacks and found that in one case so far, the evidence the security firm presented is flawed.

"We're not saying the report is false. We're saying it's inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security problem," said Kevin Fu, University of Michigan associate professor of computer science and engineering, and director of the Archimedes Center for Medical Device Security.

"To the armchair engineer it may look startling, but to a clinician it just means you didn't plug it in. In layman's terms, it's like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard," he asserted.

MedSec's report includes a photo of a few error messages on a wireless monitoring station for a defibrillator as evidence that a radio-based attack successfully crashed the implanted widget.

When the station's wand is waved over the defibrillator, fault alerts are shown that suggest the gadget has died because there's no live information coming from it. The dossier reads: "In many cases, the Crash Attack made the Cardiac Device completely unresponsive to interrogations from Merlin@home devices and Merlin programmers. It was therefore impossible to tell whether, and how the Cardiac Devices, are functioning. MedSec strongly suspects they were in many cases “bricked” – i.e., made to be non-functional. It is likely physicians would explant a device that did not respond to the programmer."

In some cases, a Cardiac Device subjected to a Crash Attack was still able to communicate with the programmer, and the information displayed was alarming.

However, according to the university's research team, implanted pacemakers or defibrillators can and will continue operating as normal even if readings to the monitoring station are disrupted.

In other words, there's no conclusive evidence that the pacemaker or defibrillator actually stopped working after the radio communications were jammed. It's more of an annoyance for whoever is using the monitoring terminal than a potentially lethal situation.

"We believe the pacemaker is acting correctly," Fu asserted.

"It's obviously not an attempt to recreate the attack," a Muddy Waters spokesperson told us today.

MedSec declined to comment on the matter.

If the communications are temporarily disrupted, it's rather difficult to see how this could be a very serious issue. On the other hand, if the radio jamming stops all further communication from the implant to a monitoring terminal, that's going to potentially require surgery to fix, which is not optimal. But keep in mind there is no hard evidence that a device is "bricked" – merely MedSec's misleading perception that this has happened.

That's what all of last week's screaming headlines were based on. "While medical device manufacturers must greatly improve the overall security of all their products, claiming that the end of the world is here is counterproductive," Fu added.

"Healthcare cybersecurity is all about safety and risk management, and patients who are prescribed a medical device are far safer with the device than without it," he asserted.

The university researchers are still going through the MedSec report, so there's room for more discoveries or revisions to their conclusions. In the meantime, the whole case has raised concerns among many in the computer security industry that the startup's unorthodox tactics may have needlessly terrified patients using St Jude's products.

"It's my personal view that ethically, it's really difficult to understand why people would have to go through this," Sam Rehman, CTO of application security vendor Arxan Technologies, told us. "The whole point of the security industry is to build trust by protecting systems."

What seems to be at issue in all of this is that some people appear to have invented such a story for personal gain, and that's what's really disturbing.

Source: The University of Michigan.

Copyright © Internet Security.ca