It's the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit

The US Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants. The watchdog's alert this week comes after Irish medical device maker Medtronic said it will lock some of its equipment out of its software update service, …

  1. Old Used Programmer

    Not the only issue...

    ...though the one(s) I have in mind relate to customer relations.

    After my wife had to have a pacemaker implanted late last year, I poked around Medtronic's website and then queried them about what software they're using and how good their device security is. After they answered that "top people" had vetted their security, and I basically laughed at them (in the famous words of Dr. I. Jones, "Who?"), I got stonewalled. On the software issue what I got was a link to a page with icons for every license that covers something they are using. Noting GPL in there, I then asked for a link to the source code of the GPL modules they are using. Silence....

    Maybe I should try getting back to them, pointing out that their security is obviously crap and that if they won't supply the source code of the GPL modules, they don't have a valid license to use them.

    Or, some energetic type could go after them for refusing to supply or make available GPL'd code.

  2. Waseem Alkurdi

    Re: Not the only issue...

    Or, some energetic type could go after them for refusing to supply or make available GPL'd code.

    Nobody tried doing that yet, so they (Medtronic) might just end up winning.

  3. Doctor Syntax Silver badge

    Re: Not the only issue...

    "Nobody tried doing that yet"

    ??? Surely Old Used Programmer did just that.

  4. sanmigueelbeer Silver badge
    Thumb Down

    So here's the thing ... If it requires an up-close-and-personal method to update the thing, everyone administering it will only have one thing on their mind: Why bother?

    The cost itself (to update the devices) will give one a heart attack (pun intended). Might as well announce the end-of-support and be done with it.

  5. Korev Silver badge
    Thumb Down

    The cost itself (to update the devices) will give one a heart attack (pun intended). Might as well announce the end-of-support and be done with it.

    Those implants and associated hardware are keeping people alive, they can't just announce the end of support and wash their hands of the product.

  6. onefang

    "Those implants and associated hardware are keeping people alive, they can't just announce the end of support and wash their hands of the product."

    That's not End Of Support, that's EOL.

  7. Wellyboot Silver badge

    No mention of other medical kit

    This feels like a simple beancounter 'Bin it or Fix it' choice. A quick lookup of the Medtronic Mkt cap. is $125Bn.

    It's another Irish success story /sarc.

  8. simonlb

    Re: No mention of other medical kit

    That's not a surprising valuation for a company making equipment used in the US healthcare system. The devices probably only cost $20 to manufacture, but as soon as it goes into the healthcare system the price will be whatever a medical insurance company is prepared to pay for it.

    And almost certainly based in Ireland for tax reasons.

  9. Anonymous Coward

    Re: No mention of other medical kit

    The receiver / transmitter box might only cost $20 to manufacture, but surely not the complex pacemakers and cardiac monitors. They make some very impressive kit, it's surely not cheap to make.

    As for security, I doubt that those people trying their best to save and enhance human lives could imagine that there would be some f*****g nutters intent on hacking their devices with the intent of snuffing out human life. Now they'll change, but don't be too harsh on them, not everyone thinks like you lot.

    By the way, I have no connection nor investment in the firm, other than being just a very happy and very grateful user of their amazing technology.

  10. Korev Silver badge

    Re: No mention of other medical kit

    The devices probably only cost $20 to manufacture, but as soon as it goes into the healthcare system the price will be whatever a medical insurance company is prepared to pay for it.

    There are the huge costs of clinical trials and then the time/effort/money of getting the devices approved by the regulators.

  11. Mikel

    I would like to tell about my hospital technology sales experience

    Regrettably, telling that tale involves losing all my worldly wealth.

    Suffice to say that the state of technology purchasing, maintenance and support is regrettable. I wouldn't tell my doctor anything I wouldn't post on Facebook.

  12. Anonymous Coward

    It goes "Boom, titty boom, titty boom, titty boom"

    You get the picture.

  13. onefang

    If I found out my heart was connected to the Internet, I'd have a heart attack.

  14. vincent himpe

    would that be considered

    a denial of service ?

  15. Sgt_Oddball Silver badge

    That'd be one interesting traceroute...

  16. Korev Silver badge
    Joke

    My computer keeps on connecting to valve, should I be worried?

  17. Anonymous Coward

    Humanity is doomed

    I simply cannot understand the mindset of those hackers who would like to cause damage to innocent people by hacking cardiac equipment, cars, anything else. We need a purge of these loons, hunt them down ruthlessly, lock them up for good.

    Same with those carrying knives, dangerous drivers....there won't be too many of us left when I've finished, but we'll be safe :)

  18. Rajesh Kanungo

    Re: Humanity is doomed

    Lack of empathy, narcissistic personalities, money.

  19. Fatman

    Re: Humanity is doomed

    <quote>We need a purge of these loons, hunt them down ruthlessly, lock them up for good put a bullet into the back of their head.</quote>

    There!!!

    FTFY!!

  20. ATeal

    Re: Humanity is doomed

    You know the TV trope of "aliens that have never heard of lying" - this is *surely* linked to stupidity!

    All of this stuff simply stems from "consider your options" (let's ignore lying by omission et al), so with this device, consider your options? You have *the option* to explore it and potentially tamper with it.

    What you're arguing would lead to "why bother with laws if no one breaks them?" - again consider your options, you *can* (and *may*) pick up a big kitchen knife (I'd be torn between the serrated bread knife, and that big heavy pointy one) and go postal. It's an option you have that is very difficult to take away.

    Another option is that of hiring a van and buying loads of bricks and then ramming it into people - you *can* and *may* do this.

    I think there's something fundamental in us that makes it so we don't want to, even for terrorists (apparently there are loads) this technique is rare (and I've been wondering why they don't for years) it takes a special kind of person I think to look at people walking down a pathway - and turn into them.

    HOWEVER pressing enter at a virtual terminal to a device potentially the opposite side of the globe, for a person known only to us by the prompt with the make and model number of their pacemaker or something... you'd press enter and nothing would seem to happen, you'd have to be within a mile to (potentially) even hear the ambulance!

    I trust people far less when they're not looking at me.

    So unless you have a way to stop people from enumerating their options and then doing one that nothing actually inhibits them from doing (ideally still giving us the tools to rent a van and cut cucumber (not the big knife now)) - I want companies that should hire someone with a pessimistic "what *can* they do" mindset and really look into ways to want the software you get (which is a huge topic in and of itself that I love).

    Anyway I digress...

    Add to that "chances of getting caught" + Tor and do you really think you won't find someone who'd do this for a bit of money? Perhaps without knowing exactly what? (As in: told it's in a lab, or a virtual one.)

    Hope this helps you realise that the world is not fit for purpose ;)

  21. Anonymous Coward

    Re: Humanity is doomed

    More to the point, why would anyone in their right mind allow an internet connection for anything as vital as a pacemaker?

    We already know the internet is not a secure medium, perhaps it should be but it isn't.

  22. ATeal

    Re: Humanity is doomed

    "Perhaps it should be secure" referring to the internet.

    You know the "evil bit" was a joke right?

  23. ibmalone Silver badge

    Re: Humanity is doomed

    More to the point, why would anyone in their right mind allow an internet connection for anything as vital as a pacemaker?

    The pacemakers aren't connected to the internet. The thing that is used to read and program them does, for updates. It's meant to do this over a VPN; the company has found an issue with the way that's done and disabled it.

  24. Fungus Bob Silver badge
    Facepalm

    This Irish company is headquartered in the Twin Cities. Right in the middle of the North American continent.

  25. Brian Scott

    Why didn't they do this in the first place?

    It seems to me that this is the sort of security that should have been baked into a product like this in the first place. All updates delivered personally by a verifiable representative of the company. The only extension might be a visual comparison of a locally produced secure hash and one published on the web to guard against rogue/compromised company reps (a visual check because the device doing the updating shouldn't be capable of connecting to the net).

    Sometimes the internet isn't the right answer. This is one of those times.
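The offline integrity check the comment above sketches, as an added example that is not the commenter's or Medtronic's code: the air-gapped updating machine computes a SHA-256 digest of the update image it was handed, and a technician transcribes the digest published through a separate channel (web page, printed sheet) into it for comparison. The sample image bytes, the "published" digest and the file paths are constructed here for illustration; the choice of SHA-256 is an assumption, since the comment only says "secure hash".

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample update image and the digest that would be "published"
# out of band; in practice the digest is read from a second, independent channel.
SAMPLE_IMAGE = b"programmer-firmware-update: constructed sample bytes v1.0\n"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise_digest(text):
    """Accept a transcribed digest (upper/lower case, colon- or space-separated);
    return lowercase hex, or None if it is not a well-formed SHA-256 value."""
    cleaned = "".join(ch for ch in text.strip().lower() if ch not in " :\t\r\n")
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        return None
    return cleaned


def verify_update(path, published_digest):
    """True only when the local digest matches the published one exactly.
    A malformed published value fails closed rather than being 'close enough'."""
    expected = normalise_digest(published_digest)
    if expected is None:
        return False
    # Constant-time comparison; cheap here, and the habit is worth keeping.
    return hmac.compare_digest(file_digest(path), expected)


def demo():
    """Run the check against a good image, a tampered image and a bad digest.
    Returns (good_ok, tampered_ok, malformed_ok) for the caller to inspect."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "update.bin")
        bad = os.path.join(tmp, "update-tampered.bin")
        with open(good, "wb") as f:
            f.write(SAMPLE_IMAGE)
        with open(bad, "wb") as f:
            f.write(SAMPLE_IMAGE.replace(b"v1.0", b"v1.1"))  # one byte changed
        # The technician might type the hash in upper case with colons; that is fine.
        transcribed = ":".join(PUBLISHED_SHA256[i:i + 2] for i in range(0, 64, 2)).upper()
        return (
            verify_update(good, transcribed),
            verify_update(bad, PUBLISHED_SHA256),
            verify_update(good, PUBLISHED_SHA256[:-1]),  # truncated digest
        )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the design is that the published digest never reaches the updating machine over a network: it arrives as something a person reads and types, so a compromised download service or a rogue representative would also have to alter the independently published value to pass the check.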

  26. ATeal

    Re: Why didn't they do this in the first place?

    Lol have you lived under a rock since .... oohh... 2010?

  27. ATeal

    Re: Why didn't they do this in the first place?

    WTF? "There" lack of security has been making headlines since at least 2010 frequently.

  28. Anonymous Coward

    But this doesn't really fix the issue?

    It sounds like they've changed their update service to refuse download attempts from vulnerable programmers. But the programmers themselves are still vulnerable to being redirected to a malicious download service ... the CERT advisory confirms they aren't issuing programmer updates to fix the issue. https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01

    That said, I suppose this might get people out of the habit of attempting network updates. Unless of course a failed connection looks the same on the programmer as no updates available?

  29. markrand
    Flame

    So, why didn't Medtronic simply fix the software so it DOES check whether it's connected via the VPN before downloading?

  30. JWLong

    So, why didn't Medtronic

    Because the fucking bean counters couldn't see the ROI for security.

    Nothing new here to see, now is there!


Biting the hand that feeds IT © 1998–2018