Safety researchers say that cardiac pacemaker manufacturer Medtronic does not use encryption to protect firmware updates, allowing hackers to install malicious firmware to endanger the lives of patients remotely. At the Black Hat Security Conference in Las Vegas, USA, Billy Rios and Jonathan Butts stated that they reported the vulnerability to Medtronic as early as January 2017, but the proof-of-concept attacks they have developed so far remain valid.
They demonstrated an attack on the CareLink 2090 programmer, a device that controls the pacemaker. Because Medtronic does not use HTTPS encrypted connections and digitally signed firmware, researchers can force devices to install malicious firmware and use this control device to change treatments to endanger patient life, such as increasing the number of shocks.
Medtronic subsequently issued a statement stating that the attack was only valid for the old model and that the remote feature needs to be changed by changing the default settings.