New FDA Alert Reveals these Heart Devices Are Hackable

I still remember my interview with Jason Witty at SecureWorld a couple of years ago. He's the former US Bank CISO who is now the CISO at JPMorgan Chase.

"Cybersecurity is no longer just about data security, it's now about life security," he told me, during a conversation on CISO priorities.

Perhaps that's never been more clear than it is right now.

A new FDA and US-CERT alert reveals that a number of implanted heart devices can be hacked—and their life-saving settings changed—from up to 20 feet away.

Internet of Things (IoT) cybersecurity actually is a matter of life and death in this case.

Alert over hackable heart devices: the specifics

Although we won't go into deep technical details, here are high-level facts on this heart device cybersecurity alert:

• Seriousness: US-CERT ranks the vulnerability a 9.3 out of 10.
• Impact: At least 20 Medtronic cardiac devices have the known vulnerabilities; see the list.
• Root cause: The signals between the implanted devices and those that control and monitor them are not encrypted.

"An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication."

The US-CERT alert says Medtronic is working on additional security controls, and in the meantime warns to be careful where you connect your implanted heart device with its base:

• Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
• Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments.