Exploiting medical devices (BlackHat 2018)

BlackHat Talk on YouTube

Insulin pumps

• Communicate with meter over plaintext radio protocol
• Authentication - the pump has a hard-coded serial number. It just checks if the incoming message has that serial message in its header
• Can brute force, capture, guess serial number and start/stop insulin delivery
• Vulnerable to spoofing and replay attacks

Pacemakers

• Pacemaker programmers can edit pacemaker settings over radio. At the hospital, for example
• So doctor doesn’t need to remove pacemaker from body to tune it
• Pacemaker programmer connects over VPN to Medtronic’s servers
• And downloads unsigned executable over HTTP
• Found directory traversal vulnerability in Medtronic’s servers. Can download old and experimental software versions