A New Pacemaker Hack Puts Malware Directly on the Device
36 replies, posted
https://www.wired.com/story/pacemaker-hack-malware-black-hat/
There are so many reasons that this story is so alarming, and one of them is that, because the software delivery network is proprietary, it would have been illegal for the researchers to actually break in to confirm their suspicions (in the US).
Why is it even possible to remotely access a pacemaker?
Telemetry such as battery voltage, and to adjust (or disable) dosage frequency.
Well, that's just fucking evil
I find it bizarre that, even though the producers are aware, these two can't do anything because it's proprietary software. Hell, this itself is kinda spooky:
Medtronic took 10 months to vet the submission, at which point it opted not to take action to secure the network. "Medtronic has assessed the vulnerabilities per our internal process," the company wrote in February. "These findings revealed no new potential safety risks based on the existing product security risk assessment. The risks are controlled, and residual risk is acceptable." The company did acknowledge to the Minnesota Star Tribune in March that it took too long to assess Rios and Butts' findings.
The attack also capitalizes on a lack of "digital code signing"—a way of cryptographically validating the legitimacy and integrity of software—to install tainted updates that let an attacker control the programmers, and then spread to implanted pacemakers.
This is just what the fuck.
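The code-signing gap the quoted article passage describes, shown as an added example (not code from the article, Medtronic, or the researchers): a hypothetical Ed25519 update check in Go where the build system signs each image and the programmer or implant, holding only the vendor public key, refuses anything unsigned, tampered with, or older than what is installed. The container layout and version binding are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateImage is a hypothetical (constructed) firmware container: a version,
// the payload, and a detached signature over both.
type UpdateImage struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signedBytes is the exact byte string that gets signed. Binding the version to the
// payload means a validly signed old image cannot be re-labelled as a newer one.
func signedBytes(version uint32, payload []byte) []byte {
	b := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(b, payload...)
}

// SignUpdate runs on the vendor's build system, the only place the private key lives.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	return UpdateImage{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// VerifyUpdate runs on the programmer or implant, which carries only the vendor public
// key; anything unsigned, tampered with, or not newer than the installed firmware is refused.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, img UpdateImage) error {
	if len(img.Sig) != ed25519.SignatureSize {
		return errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pub, signedBytes(img.Version, img.Payload), img.Sig) {
		return errors.New("update rejected: signature does not verify")
	}
	if img.Version <= installed {
		return errors.New("update rejected: not newer than installed firmware (rollback)")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignUpdate(priv, 2, []byte("constructed firmware payload v2"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, good))
	bad := good
	bad.Payload = []byte("constructed tampered payload")
	fmt.Println("tampered:", VerifyUpdate(pub, 1, bad))
}
```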
Internet of shit etc
Install bitcoin miner on pacemakers
God dammit, grandpa, I told you to stop downloading all those links for hot Asian women in your area, now your pacemaker has a fucking trojan and keeps screaming about Viagra ads
People are going to die because of this shit some day.
and they'll lobby for protection from liability because they could be facing an untold sum of payouts.
Good. This means I can easily upload a virus to someone and possess them to make them do my bidding
Send 1 BTC to the following wallet in the next 72h or you FUCKING DIE
Cost doubles after the first 24h so keep that in mind
Send an email to WannaDie@india.com for an example arrhythmia
WannaCryptor meet WannaEndanger (or WannaEnd)
Man and to think that I am going to need to have one of these things at some point in my life.
The thing is, this is just going to get worse as we try to make things work in tandem because we can't be arsed to actually understand how this works.
Deus Ex was right about everything.
The first internet assassination via pacemaker is gonna be cyberpunk as fuck though
A pacemaker should only read out data; it should never be firmware-upgradeable after implantation/assembly. Hell, it shouldn't have internet access at all built in, only the life-critical electronics and the basic diagnostic data-out inductive transmitter.
Boggles my fucking mind that some people think this is a good idea. If you want the doctor to know what their patient's health records are and/or the history of the pacemaker, just leave the logging information and UI out of the fucking implanted bit.
Man, that one mission in Hacknet really called it.
Honestly, it was only a matter of time before this was achieved. It still boggles my mind how anyone thought it would be a good idea to connect a pacemaker to the internet.
"These findings revealed no new potential safety risks based on the existing product security risk assessment. The risks are controlled, and residual risk is acceptable."
So they already knew about the possibility of attacks like this and have previously decided that it's fine? What the fuck.
Makes you wonder what would happen if a company like this decided to update their Terms of service or something, if you disagree does your pacemaker just stop working and you die?
Ghost in the Shell is becoming real. Soon it will be possible to hack people.
I wish somebody would hack me and download Caribbean rhythms into my heart so I can become a bionic dance machine
That's unfortunately way more realistic than you think:
"Feel that? I control your pacemaker. Now do exactly what I say or you're dead."
a new type of heart worm?
That pacemaker needs a 1080
I assume the reasoning behind remote updates is that it saves money for everyone involved, patient all the way up through the manufacturer. Really the only downside is the security implications, which unfortunately are a big problem.
However, it's borderline criminal negligence to not even have digital code signing. Fucking Nintendo takes security more seriously. And not only that, refusing to do so. That is a special kind of stupid.
People seem to think risk in IT is the same as any other risk, and it isn't, because it can be easily automated.
I can somewhat understand that, but I wouldn't trust OTA updates; MITM is all too easy with how garbage most IoT is. I'd rather have the inconvenience of going to my doctor for a quick upgrade and check (akin to updating a prescription) than trust OTA.
Totally agree. But if they insist on OTA, ffs actually do something to secure your patches.
And Jesus Christ, stop using Windows XP machines to program them. For how much we get bent over for healthcare in the US, you'd think they would actually bother trying to keep shit secure.