The latest variation of pacemaker hacks relies not on manipulating radio commands, as many previous attacks have, but on malware installed directly on the implanted device.
Security researchers claim that Medtronic’s CareLink 2090 pacemaker programmers and other relevant equipment contain potentially life-threatening vulnerabilities.
Researchers say that they’ve discovered a chain of vulnerabilities in Medtronic’s infrastructure that an attacker could exploit to control implanted pacemakers remotely, deliver shocks patients don’t need or withhold ones they do, and cause real harm.
The researchers originally disclosed bugs in Medtronic’s software delivery network, a platform that doesn’t communicate directly with pacemakers, but rather brings updates to supporting equipment like home monitors and pacemaker programmers, which health care professionals use to tune implanted pacemakers.
The attack also capitalizes on a lack of “digital code signing”—a way of cryptographically validating the legitimacy and integrity of software—to install tainted updates that let an attacker control the programmers, and then spread to implanted pacemakers.