Thursday, August 1, 2013

It's a bad day when your company gets mentioned at Black Hat

But these guys have earned it:
Web-enabled portable medical device
US Patent 20080091175 A1 
Abstract
A portable personal medical device, e.g., a wearable insulin pump, is provided with a web server and is controllable over a network by a browser equipped client, thereby enabling comprehensive and comfortable control, operation and/or configuration of the device.
"Comprehensive" control?  Boy howdy.  What's especially bad about this is that every medical device manufacturer says that the FDA doesn't allow them to ship security patches.  That seems not to be true (FDA guidance has for years said that a cybersecurity patch to off-the-shelf software in a device generally doesn't need a new premarket submission), but they say it anyway, because they don't want to incur the expense of re-testing the device after each patch.

To put it in terms simple enough for them: web servers need lots of patches, or they get pwned.  A web server that can never be patched is a web server that will eventually be pwned.

Someone is going to die from this.

3 comments:

Spike said...

"This business will get out of control. It will get out of control and we'll be lucky to live through it."

Who in the devil thought this was a good idea?

Unless it's a hard-wired system, and even then, there could be viruses written to search out this exact hardware.

My grandfather has an implanted pacemaker/monitor that uses a form of NFC to download data from the device. In implantable devices, direct connect isn't do-able, but it's still pushing the boundary of security. Imagine a very powerful NFC device that reprograms every pacemaker to go into overdrive.

Bluetooth is only meant to have a range of 10m, but there are hacks that allow you to use it from miles away.

Borepatch said...

Spike, that is the perfect quote for this.

AnarchAngel said...

Although it's never been officially acknowledged, it's a near certainty that at least a few folks with external remote-controlled/remote-programmable pacemakers have died because of security compromise.

It's also HIGHLY likely that wirelessly adjustable/monitorable medical devices in hospitals have also killed because of compromise.