13 tweets, 8 min read
Yesterday it was revealed that 750,000 @Medtronic pacemakers are potentially vulnerable to an unauthenticated radio frequency attack, causing battery drain or altering how the device works.

Don’t panic, it sounds worse than it is! fda.gov/MedicalDevices…
Mitigating factor 1: The attacker would have to be close to the victim. The RF spec says 20 feet, but we all know that can be extended with a directional antenna and a high power radio. That’s still way less bad than if it’s vulnerable across the Internet. Physical isolation.
Mitigating factor 2: The device is only vulnerable temporarily, when it tries to connect with the monitoring station. It’s unclear how frequent this is, but it’s not all the time. Time isolation.
Mitigating factor 3: Medtronic can monitor for unsuccessful attempts to tamper with the device.

Mitigating factor 4: Wireless shuts down when it is being tampered with, and the device continues working as programmed.
Make no mistake, this is a big deal. It’s likely what the FDA would call an “uncontrolled risk” and it needs to be addressed.

How bad is it? Ask a security researcher who discovered similar issues a decade ago. @br_ isn’t concerned about an attack in the wild right now.
And it turns out fixing the issue can be really safe. When Abbott recalled 500,000 devices, 25% took the update. Of those 125,000, NONE had serious adverse events from the update. This is great news, now we need higher adoption rates! ahajournals.org/doi/pdf/10.116…
If you are affected by either the Medtronic or Abbott issue:
- The monitoring device can spot some attack attempts.
- Decide with your doctor if, when, & how to update.
- If you suspect an issue, report it to your doctor, the manufacturer, & the FDA. accessdata.fda.gov/scripts/medwat…
Excellent work by @dhalperi @benessa @drkevinfu @yoshi_kohno @williammaisel @br_ who wrote about similar issues in 2008. secure-medicine.org/hubfs/public/p…
Excellent work by @xssniper and Jonathan Butts, who have reported similar issues to manufacturers in the past, as well as the team who discovered and coordinated on this one.
And props to @Medtronic and @Abbott, who have pledged to engage the security research community at @dc_bhv @defcon, to be safer, sooner, together. #Wehearthackers Wehearthackers.Org
These are defibrillators (hi-voltage, rarely triggered) not pacemakers (low-voltage, regular use).
Hearing that some of these devices may do both pacing and defibrillating. The thread and recommendations apply to both/either.
Subscribe to Beau Woods