It's the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit

The US Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants. The watchdog's alert this week comes after Irish medical device maker Medtronic said it will lock some of its equipment out of its software update service, …

  1. Old Used Programmer

    Not the only issue...

    ...though the one(s) I have in mind relate to customer relations.

    After my wife had to have a pacemaker implanted late last year, I poked around Medtronic's website and then queried them about what software they're using and how good their device security is. After they answered that "top people" had vetted their security, and I basically laughed at them (in the famous words of Dr. I. Jones, "Who?"), I got stonewalled. On the software issue what I got was a link to a page with icons for every license that covers something they are using. Noting GPL in there, I then asked for a link to the source code of the GPL modules they are using. Silence....

    Maybe I should try getting back to them, pointing out that their security is obviously crap and that if they won't supply the source code of the GPL modules, they don't have a valid license to use them.

    Or, some energetic type could go after them for refusing to supply or make available GPL'd code.

    1. Waseem Alkurdi

      Re: Not the only issue...

      Or, some energetic type could go after them for refusing to supply or make available GPL'd code.

      Nobody tried doing that yet, so they (Medtronic) might just end up winning.

      1. Doctor Syntax Silver badge

        Re: Not the only issue...

        "Nobody tried doing that yet"

        ??? Surely Old Used Programmer did just that.

  2. sanmigueelbeer

    So here's the thing ... If it requires an up-close-and-personal method to update the thing, everyone administering it will only have one thing on their mind: Why bother?

    The cost itself (to update the devices) will give one a heart attack (pun intended). Might as well announce the end-of-support and be done with it.

    1. Korev Silver badge

      The cost itself (to update the devices) will give one a heart attack (pun intended). Might as well announce the end-of-support and be done with it.

      Those implants and associated hardware are keeping people alive, they can't just announce the end of support and wash their hands of the product.

      1. onefang

        "Those implants and associated hardware are keeping people alive, they can't just announce the end of support and wash their hands of the product."

        That's not End Of Support, that's EOL.

  3. Wellyboot Silver badge

    No mention of other medical kit

    This feels like a simple beancounter 'Bin it or Fix it' choice. A quick lookup of the Medtronic Mkt cap. is $125Bn.

    It's another Irish success story /sarc.

    1. simonlb Silver badge

      Re: No mention of other medical kit

      That's not a surprising valuation for a company making equipment used in the US healthcare system. The devices probably only cost $20 to manufacture, but as soon as it goes into the healthcare system the price will be whatever a medical insurance company is prepared to pay for it.

      And almost certainly based in Ireland for tax reasons.

      1. Anonymous Coward

        Re: No mention of other medical kit

        The receiver / transmitter box might only cost $20 to manufacture, but surely not the complex pacemakers and cardiac monitors. They make some very impressive kit, it's surely not cheap to make.

        As for security, I doubt that those people trying their best to save and enhance human lives could imagine that there would be some f*****g nutters intent on hacking their devices with the intent of snuffing out human life. Now they'll change, but don't be too harsh on them, not everyone thinks like you lot.

        By the way, I have no connection nor investment in the firm, other than being just a very happy and very grateful user of their amazing technology.

      2. Korev Silver badge

        Re: No mention of other medical kit

        The devices probably only cost $20 to manufacture, but as soon as it goes into the healthcare system the price will be whatever a medical insurance company is prepared to pay for it.

        There are the huge costs of clinical trials and then the time/effort/money of getting the devices approved by the regulators.

  4. Mikel

    I would like to tell about my hospital technology sales experience

    Regrettably, telling that tale involves losing all my worldly wealth.

    Suffice to say that the state of technology purchasing, maintenance and support is regrettable. I wouldn't tell my doctor anything I wouldn't post on Facebook.

  5. Anonymous Coward

    It goes "Boom, titty boom, titty boom, titty boom"

    You get the picture.

  6. onefang

    If I found out my heart was connected to the Internet, I'd have a heart attack.

    1. vincent himpe

      would that be considered

      a denial of service?

    2. Sgt_Oddball

      That'd be one interesting traceroute...

    3. Korev Silver badge

      My computer keeps on connecting to valve, should I be worried?

  7. Anonymous Coward

    Humanity is doomed

    I simply cannot understand the mindset of those hackers who would like to cause damage to innocent people by hacking cardiac equipment, cars, anything else. We need a purge of these loons, hunt them down ruthlessly, lock them up for good.

    Same with those carrying knives, dangerous drivers....there won't be too many of us left when I've finished, but we'll be safe :)

    1. Rajesh Kanungo

      Re: Humanity is doomed

      Lack of empathy, narcissistic personalities, money.

    2. Fatman

      Re: Humanity is doomed

      <quote>We need a purge of these loons, hunt them down ruthlessly, lock them up for good put a bullet into the back of their head.</quote>

      There!!!

      FTFY!!

  8. Fungus Bob

    This Irish company is headquartered in the Twin Cities. Right in the middle of the North American continent.

  9. Brian Scott

    Why didn't they do this in the first place?

    It seems to me that this is the sort of security that should have been baked into a product like this in the first place. All updates delivered personally by a verifiable representative of the company. The only extension might be a visual comparison of a locally produced secure hash and one published on the web to guard against rogue/compromised company reps. (a visual check because the device doing the updating shouldn't be capable of connecting to the net.)

    Sometimes the internet isn't the right answer. This is one of those times.

  10. Anonymous Coward

    But this doesn't really fix the issue?

    It sounds like they've changed their update service to refuse download attempts from vulnerable programmers. But the programmers themselves are still vulnerable to being redirected to a malicious download service ... the CERT advisory confirms they aren't issuing programmer updates to fix the issue. https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01

    That said, I suppose this might get people out of the habit of attempting network updates. Unless of course a failed connection looks the same on the programmer as no updates available?
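The client-side check the comment above says is missing, and the local digest comparison Brian Scott describes in comment 9, as an added example that is not Medtronic's code and does not come from the article or the advisory. It assumes a programmer that pins the vendor's Ed25519 public key and a separately published SHA-256 digest of the current image; the key pairs, the image bytes and the three "served" packages are all constructed here. A trusting installer takes whatever the server it was redirected to hands back; the verifying installer rejects a forged image (wrong key) and a stale, genuinely signed image (wrong digest), whichever server delivered them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed stand-ins for programmer firmware images; not real Medtronic firmware.
var (
	currentImage = []byte("PROGRAMMER-FW 1.2.3 (constructed sample)")
	oldImage     = []byte("PROGRAMMER-FW 1.2.2 (constructed sample, known vulnerable)")
)

// UpdatePackage is what the client gets back from whatever server it reached.
type UpdatePackage struct {
	Image     []byte
	Signature []byte // Ed25519 signature over sha256(Image)
}

// ImageDigest is the value a field rep would read off the programmer and
// compare by eye with the digest the vendor publishes.
func ImageDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// SignImage mimics the vendor's release step (constructed, not the real tooling).
func SignImage(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	sum := sha256.Sum256(image)
	return UpdatePackage{Image: image, Signature: ed25519.Sign(priv, sum[:])}
}

// TrustingInstall is the failure mode in the comment above: the image is
// accepted as-is, so redirecting the client to a rogue server is enough.
func TrustingInstall(pkg UpdatePackage) ([]byte, error) {
	return pkg.Image, nil
}

// VerifiedInstall accepts an image only if it carries a signature from the
// pinned vendor key AND its digest matches the currently published one.
// The second check is what stops a validly signed but old image.
func VerifiedInstall(vendorPub ed25519.PublicKey, publishedDigest string, pkg UpdatePackage) ([]byte, error) {
	sum := sha256.Sum256(pkg.Image)
	if !ed25519.Verify(vendorPub, sum[:], pkg.Signature) {
		return nil, errors.New("rejected: signature does not verify against the pinned vendor key")
	}
	if hex.EncodeToString(sum[:]) != publishedDigest {
		return nil, errors.New("rejected: image digest differs from the published digest (stale or substituted image)")
	}
	return pkg.Image, nil
}

// Outcome records which packages each installer accepted.
type Outcome struct {
	TrustingTookForged  bool
	VerifiedTookForged  bool
	VerifiedTookStale   bool
	VerifiedTookGenuine bool
}

// RunScenario builds a vendor key, an attacker key and three packages, then
// runs both installers against them.
func RunScenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker never holds the vendor key
	if err != nil {
		return Outcome{}, err
	}

	published := ImageDigest(currentImage)
	genuine := SignImage(vendorPriv, currentImage)
	forged := SignImage(attackerPriv, []byte("PROGRAMMER-FW 1.2.3 (backdoored, constructed)"))
	stale := SignImage(vendorPriv, oldImage) // real vendor signature on the old, vulnerable image

	var o Outcome
	_, err = TrustingInstall(forged)
	o.TrustingTookForged = err == nil
	_, err = VerifiedInstall(vendorPub, published, forged)
	o.VerifiedTookForged = err == nil
	_, err = VerifiedInstall(vendorPub, published, stale)
	o.VerifiedTookStale = err == nil
	_, err = VerifiedInstall(vendorPub, published, genuine)
	o.VerifiedTookGenuine = err == nil
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
	fmt.Println("digest to compare by eye against the published value:", ImageDigest(currentImage))
}
```

The signature alone is not sufficient: a vendor-signed image from a previous release still verifies, which is why the published digest is checked as well. In a real deployment the pinned key and the published digest would have to reach the programmer by a path the update server cannot influence.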

  11. markrand

    So, why didn't Medtronic simply fix the software so it DOES check whether it's connected via the VPN before downloading?

    1. JWLong

      So, why didn't Medtronic

      Because the fucking bean counters couldn't see the ROI for security.

      Nothing new here to see, now is there!
