There has been significant attention recently surrounding the risks associated with cyber vulnerabilities in critical medical devices. Understandably, people are concerned that an attacker may exploit a vulnerability to modify the delivery of patient therapy, such as altering the dosage of medicine, delivering insulin therapy, or administering a shock via a pacemaker. These concerns raise several questions, such as: How do these devices work? What does the typical attack surface for an implanted medical device look like? What do exploits against these systems look like? How do manufacturers respond to potentially life-threatening security issues? This presentation will address all these questions.
This presentation is the culmination of an 18-month independent case study in implanted medical devices. The presenters will provide detailed technical findings on remote exploitation of pacemaker systems, pacemaker infrastructure, and a neurostimulator system. Exploitation of these vulnerabilities allows for the disruption of therapy as well as the delivery of shocks to a patient.
The researchers followed coordinated disclosure policies in an attempt to help mitigate the security concerns. What followed was an 18-month roller coaster of unresponsiveness, technical inefficiencies and misleading reactions. The researchers will walk the audience through the details of the disclosure and discuss the manufacturer's responses and the coordination with DHS ICS-CERT and the FDA. How did the manufacturer initially respond? What tactics did the manufacturer use to attempt to dismiss the independent researchers? Was the manufacturer's response adequate from a patient responsibility standpoint? Has the actual technical vulnerability even been addressed?