The US Food and Drug Administration recalled hundreds of thousands of pacemakers in 2017 due to doubts about their security against hacking, according to Reader’s Digest. Pacemakers regulate the heart rate, keeping it normal and controlling abnormal heart rhythms, so the dangers of these critical devices being susceptible to malicious interference are apparent even without going into technical details. To avert such a catastrophe, Wired reports that security researcher Jonathan Butts has spent years hounding Medtronic, a prominent maker of pacemakers, trying to get its security flaws remedied and to clinch an agreement on encryption protocols.
“The time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues,” Butts said. “Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating.”
Unfortunately, Butts’ plaintive warnings were dismissed by Medtronic as hot air. The company came to the conclusion that its products were fine as is.
“Medtronic has assessed the vulnerabilities per our internal process,” the company wrote. “These findings revealed no new potential safety risks based on the existing product security risk assessment. The risks are controlled, and residual risk is acceptable.”
Medtronic spokesperson Erika Winkels gave the following statement to Wired: “Medtronic deploys a robust, coordinated disclosure process and takes seriously all potential cybersecurity vulnerabilities in our products and systems.”
Winkels also brushed off warnings from security researchers, noting that “All devices carry some associated risk, and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide”—a sentiment which likely roiled Butts on a visceral level.
Given the dire nature of the risks, it’s surprising that Winkels dismissed the valid concerns raised by security researchers with such a tersely worded statement, suggesting that she is likely not paid by the word.
Mired as he was in frustration over corporate stonewalling, Butts even contemplated using an iPhone app to kill a pig remotely in order to drive home the severity of the situation, but ultimately decided against it for reasons that Wired was not made privy to.
“We were talking about bringing a live pig because we have an app where you could kill it from your iPhone remotely and that would really demonstrate these major implications,” Butts recounted to Wired. “We obviously decided against it, but it’s just a mass scale concern. Almost anybody with the implantable device in them is subject to the potential implications of exploitation.”