Medtronic, a maker of medical devices and implants, has pulled the plug on its internet-based software update system, which security researchers had found had a dangerous security vulnerability
The company said in a notice this week that it’s switching off the software distribution network after researchers found that a hacker could update the pacemaker’s software with malicious software that could manipulate the impulses that regulate a patient’s heartbeat. The researchers, Jonathan Butts and Billy Rios, revealed the vulnerability at the Black Hat conference in August, more than a year after first reporting the vulnerability to Medtronic.
The bug isn’t within the pacemaker itself but the devices that are used by doctors to connect to the pacemaker to check its battery and status. These “programmer” devices weren’t checking if downloaded software hadn’t been tampered with.
Medtronic issued several updates throughout the year to try to mitigate the vulnerability, but only this month shut down the internet updating feature, per a security advisory issued by the Federal Drug Administration.
Now, patients with one of the 34,000 CareLink affected programmers will have to receive the update over USB from their doctor when new software is released, according to Medtronic’s statement.
It’s a turnaround from how the medical device maker reacted when the flaws were first reported. Butts said at the time that the company “spent more time trying to twist the story than fixing it.”
Medtronic said that it’s not received any reports to date of anyone exploiting the vulnerabilities.
