meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Friday, August 10th 2018

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 10 August 2018

⏱️ 5 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Pacemaker/Insulin Pump Vuln; Panic Attacks; Process Doppleganging

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the August Friday 10th, 2018 edition of the San San Antonio Storm Center's

0:06.8

Stormcast. My name is Johannes Ulrich, and I'm recording from San Antonio, Texas.

0:13.2

Well, it's Blackhead and DefCon time again, and with that we got new exploits against

0:20.1

medical devices from Billy Rice and Jonathan Butts.

0:24.6

Their latest target is the Kerrink 2090 programmer. This is a device that doctors use in order

0:31.4

to program pacemakers. Now, the weakness they're exploiting here is an insecure update vulnerability. What this means

0:40.8

is that the update is downloaded via HTTP, not HTTP, and the download itself is also not

0:48.6

digitally signed, so it can easily be replaced with an arbitrary file.

0:59.5

The two researchers demonstrated that a malicious firmware can be uploaded and as a result, any pacemakers being programmed using the device that has this malicious firmware

1:07.4

loaded will then be able to deliver life-threatening shocks via the pacemaker.

1:13.9

So it is an exploit that will actually directly affect patient safety, and of course, the

1:19.7

firmware could be tailored to, for example, target-specific pacemakers, and it will also allow

1:25.5

for a wide range of possible attack scenarios here in how the pacemaker

1:30.6

is exactly set up to then endanger the patient. The other vulnerability that they're discussing

1:37.3

is sort of an old favorite and that's metronic insulin pumps. Now these insulin pumps are usually implanted into the patient, and they can be controlled

1:48.7

virulously.

1:50.0

In order to pull off this attack, they had to use a hack RF software-defined radio.

1:56.0

That's about a couple hundred dollar device, and it can be used to take control off the insulin pump and for

2:03.8

example set up the insulin pump to withhold the scheduled dose of insulin however a representative

2:10.2

of metronics states that typically this remote function is not enabled on these pumps, and also the particular pump that was tested

2:20.6

here is an older model. And researchers at IBM's X-Force have discovered a number of vulnerabilities in

2:30.8

systems commonly associated with smart cities.

...

Please login to see the full transcript.

Previous episode | Next episode

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.