Medtronic's Implantable Defibrillators Vulnerable to Life-Threatening Hacks

The U.S. Department of Homeland Security on Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting the lives of millions of patients at risk.

A cardioverter defibrillator is a small device, surgically implanted in a patient’s chest, that gives the heart an electric shock (often called a countershock) to re-establish a normal heartbeat.

While the device is designed to prevent sudden death, several implanted cardiac defibrillators made by Medtronic, one of the world’s largest medical device companies, have been found to contain two serious vulnerabilities.

Discovered by researchers from security firm Clever Security, the vulnerabilities could allow threat actors with knowledge of medical devices to intercept and potentially impact the functionality of these life-saving devices.

“Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,” warns the advisory released by DHS.

The vulnerabilities reside in the Conexus Radio Frequency Telemetry Protocol—a wireless communication system that some Medtronic defibrillators and their control units use to connect to implanted devices over the air using radio waves.

Flaw 1: Lack of Authentication in Medtronic’s Implantable Defibrillators

According to an advisory [PDF] published by Medtronic, these flaws affect more than 20 products, 16 of which are implantable defibrillators and the rest are the defibrillators’ bedside monitors and programmers.

The more critical of the two flaws is CVE-2019-6538, which occurs because the Conexus telemetry protocol does not include any checks for data tampering, nor does it perform any form of authentication or authorization.

Successful exploitation of this vulnerability could allow an attacker within radio range of the affected device, and with the right radio gear, to intercept, spoof, or modify data transmitted between the device and its controller, which could potentially harm or perhaps even kill the patient.

“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” the DHS says.
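The missing tamper and authentication checks, modelled as an added example (not Medtronic's code and not the Conexus format): the frame layout, opcode value, key handling and memory size below are all hypothetical. One handler applies any well-formed write; the other requires a MAC and a fresh counter.

```python
import hmac
import hashlib
import struct

# Hypothetical frame layout for illustration only; it is NOT the Conexus format:
#   opcode (1 byte) | address (2) | value (1) | counter (4) | HMAC-SHA256 tag (32)
HEADER = struct.Struct(">BHBI")
OP_WRITE = 0x02
TAG_LEN = 32

def build_frame(key, opcode, address, value, counter):
    """Programmer side: serialize a command and append a MAC over it."""
    body = HEADER.pack(opcode, address, value, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Device:
    """Toy model of an implant's command handler with a small memory map."""
    def __init__(self, key):
        self.key = key
        self.memory = bytearray(256)
        self.last_counter = 0

    def handle_unauthenticated(self, frame):
        """The weakness described above: any well-formed write is applied."""
        opcode, address, value, _ = HEADER.unpack(frame[:HEADER.size])
        if opcode == OP_WRITE and address < len(self.memory):
            self.memory[address] = value
        return True

    def handle_authenticated(self, frame):
        """Reject frames that are forged, modified in transit, or replayed."""
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                  # sender lacks the key, or data was altered
        opcode, address, value, counter = HEADER.unpack(body)
        if counter <= self.last_counter:
            return False                  # replay of an earlier frame
        self.last_counter = counter
        if opcode == OP_WRITE and address < len(self.memory):
            self.memory[address] = value
        return True
```

This covers integrity and authentication only; confidentiality of the telemetry, the subject of the second flaw, would need encryption on top.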

Flaw 2: Lack of Encryption in Medtronic’s Implantable Defibrillators

The Conexus telemetry protocol also provides no encryption to secure the telemetry communications, making it possible for attackers within range to eavesdrop on the communication. This issue has been assigned CVE-2019-6540.

However, Medtronic said the vulnerabilities would be hard to take advantage of to harm patients, since doing so requires the following conditions to be met:

  • An unauthorized individual would need to be in close proximity of up to 6 meters (20 feet) to the targeted device or clinic programmer.
  • Conexus telemetry must be activated by a healthcare professional who is in the same room as the patient.
  • Outside of the hospital, activation times of devices are limited; they vary from patient to patient and are difficult for an unauthorized user to predict.

The medical technology giant also assures its users that “neither a cyberattack nor patient harm has been observed or associated with these vulnerabilities” to this date.

Medtronic also noted that its line of implanted pacemakers, including those with Bluetooth wireless functionality, as well as its CareLink Express monitors and CareLink Encore programmers (Model 29901) used by some hospitals and clinics are not vulnerable to either of these flaws.

Medtronic has already applied additional controls for monitoring and responding to the abuse of the Conexus protocol by the affected implanted cardiac devices and is working on a fix to address the reported vulnerabilities.

The security fix will soon become available, and in the meantime, Medtronic urged that “patients and physicians continue to use these devices as prescribed and intended.”

Get 4 Essential CyberSecurity Software For Less Than $10 Per Month

Major data breaches and cyber attacks are occurring at an alarming rate, and if you are still not using a VPN and password manager app, you are seriously out of excuses.

Not just VPN software and a password manager, cybersecurity experts also recommend using antivirus and backup solutions to protect your computers and precious data stored on them. Unfortunately, to cover these bases, one would typically have to spend at least $30 per month.

However, here we have great news for millions of The Hacker News readers.

Cybersecurity companies partnered with THN Deal Store have exclusively launched a new subscription package called — The Vault — that slashes the price for top security apps everyone needs to use.

At just $9.99 monthly subscription, you can now get licenses for four award-winning cybersecurity apps:

Dashlane — usual price: $4.99 per month — is one of the most popular and secure password managers. It makes it easy for users to sync their usernames and passwords between their devices.

Dashlane stores users’ data in a military-grade vault with two-factor security. Besides, Dashlane allows users to generate new secure passwords and fill checkout forms with just one click.

NordVPN — usual price: $12.95 per month — is a highly-rated service that helps users stay secure online, with double 2048-bit encryption and a built-in kill switch. You can connect to 3,521 worldwide servers in 61 different countries, and the company keeps no logs, to preserve your privacy.

Whether from accidental deletion, ransomware attack or hard drive failure, data loss occurs more often than you might think.

So, backing up your important data is always essential. The Vault package also includes 2TB of cloud storage from backup service provider Degoo that will keep your files secure.

Degoo — usual price: $9.99 per month – is a cloud storage platform that uses 256-bit AES encryption with automatic syncing and secure file sharing.

Finally, Panda Antivirus — usual price: $4.99 per month — helps avoid both malware and online fraud. Available on Windows, Mac, and Android, Panda uses artificial intelligence to detect threats.

That means it can block even brand new malware. The service also provides parental controls and can help locate missing devices.

All these subscription-based cybersecurity apps would typically cost you around $31.92 per month if purchased separately from their official websites.

However, with Vault, you can get all four cybersecurity apps for just $9.99 per month — that’s a saving of about $264 per year.

Order now to get an instant security upgrade. Stay hidden. Stay secure. Stay safe. Stay prepared.

Microsoft Announces Windows Defender ATP Antivirus for Mac

Brace yourself guys.

Microsoft is going to release its Windows Defender ATP antivirus software for Mac computers.

Sounds crazy, right? But it’s true.

Microsoft Thursday announced that the company is bringing its anti-malware software to Apple’s macOS operating system as well—and to more platforms soon, like Linux.

As a result, the technology giant renamed its Windows Defender Advanced Threat Protection (ATP) to Microsoft Defender Advanced Threat Protection (ATP) in an attempt to minimize name-confusion and reflect the cross-platform nature of the software suite.

But wait, does your MacBook need antivirus protection? Of course!

For all those wondering if Mac even gets viruses—macOS is generally more secure than Windows, but in recent years cybercriminals have started paying attention to the Mac platform, making it a new target for viruses, Trojans, spyware, adware, ransomware, backdoors, and other nefarious applications.

Moreover, hackers have been successful many times. Remember the dangerous FruitFly malware that infected thousands of Mac computers, the recently discovered cryptocurrency-stealing malware CookieMiner and DarthMiner, and .EXE malware discovered last month?

Microsoft Defender ATP Antivirus for Mac

Microsoft has now come up with a dedicated Defender ATP client for Mac, offering full anti-virus and threat protection with the ability to perform full, quick, and custom scans, giving macOS users the same “next-generation protection and endpoint detection and response coverage” as its Windows counterpart.

“We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized “single pane of glass” experience,” Microsoft says in a blog post.

Microsoft also promised to add Endpoint Detection and Response, and Defender ATP’s new Threat and Vulnerability Management (TVM) capabilities in public preview next month.

TVM uses a risk-based approach to help security teams discover, prioritize, and remediate known vulnerabilities and misconfigurations using a mixture of real-time insights, added context during incident investigations, and built-in remediation processes through Microsoft’s Intune and System Center Configuration Manager.

For now, the tech giant has released Microsoft Defender ATP for Mac (compatible with macOS Mojave, macOS High Sierra, or macOS Sierra) in limited preview for businesses that have both Windows and Mac computer systems.

Like MS Office for Mac, Defender for Mac will also use Microsoft AutoUpdate software to get the latest features and fixes on time.

While Microsoft has announced its plans to launch Defender ATP for more platforms in the future, the company has not explicitly named those platforms.

Also, it is not clear if Microsoft is also planning to launch a consumer version of Microsoft Defender for Mac users in the future.

Microsoft’s business customers can sign up here for the limited preview.

In the attempt to make its security software available to more people, Microsoft just last week released Windows Defender extensions for Mozilla Firefox and Google Chrome as well.

New MageCart Attacks Target Bedding Retailers My Pillow and Amerisleep

Cybersecurity researchers today disclosed details of two newly identified Magecart attacks targeting online shoppers of bedding retailers MyPillow and Amerisleep.

Magecart is an umbrella term researchers gave to at least 11 different hacking groups that specialize in implanting malicious code on e-commerce websites with the intent of silently stealing customers’ payment card details.

Magecart made headlines last year after attackers conducted several high-profile cyber attacks against major international companies including British Airways, Ticketmaster, and Newegg.

Magecart hackers use a digital payment card skimmer: a few lines of malicious JavaScript code that they insert into the checkout page of hacked websites, designed to capture customers’ payment information in real time and send it to a remote attacker-controlled server.

Earlier this year, Magecart attackers also compromised nearly 277 e-commerce websites in a supply-chain attack by inserting their skimming code into a popular third-party JavaScript library from Adverline.

That widely spread cyber attack eventually targeted all customers who made online purchases on hundreds of European e-commerce sites that were serving a modified Adverline script.

MageCart Hackers Target Bedding Retailers MyPillow and Amerisleep

In a new report RiskIQ shared with The Hacker News before its publication, researchers revealed two new Magecart-related breaches that compromised online bedding retailers MyPillow and Amerisleep and stole payment information of their customers.

Just like previous attacks, after finding a way to get a foothold on the targeted websites, the Magecart hackers implanted digital skimming code on both websites and managed to skim payment cards of their customers during online transactions.

MyPillow was breached by the Magecart attackers in October last year, when the attackers inserted into the site a malicious skimming script hosted on a look-alike domain (a technique also known as typosquatting) with an SSL certificate from LetsEncrypt.

“The last time we observed this skimmer active on the MyPillow website was November 19th. Since then, we have not observed newly registered domains for attacks on MyPillow,” the researchers say.

Another mattress company, Amerisleep, was targeted by Magecart attackers several times in 2017 to skim its customers’ cards during online transactions, but again became a victim of the attack in December 2018, when Magecart attackers hosted malicious code containing skimmers on a Github account.

However, the most recent attack against the company was observed in January this year, when the attackers decided to move some conditional checks so that their skimmers got injected only on payment pages, instead of every page.

“While the skimmer domain has been taken offline, the injection is still live on the website as of this publishing,” RiskIQ says. “Attempts to inform Amerisleep through their support desk and directly via email has gone unanswered.”

What’s more? Despite being attacked for several months, neither MyPillow nor Amerisleep issued any alert or official statement warning their customers about the Magecart attack that may have compromised their payment details.

Since attackers usually exploit known vulnerabilities in online e-commerce software, website administrators are highly advised to follow standard best practices, such as applying the latest updates and patches, limiting privileges for critical systems, and hardening web servers.

Online shoppers should also regularly review their credit card and bank statements for unfamiliar activity. No matter how small an unauthorized transaction is, affected users should always report it to their financial institution immediately.
