Tag Archives: Medtronic

IoT updates

Updates to Internet of (not necessarily necessary) Things

Added a few days ago, in fact, but I’ve been a bit busy…

  • Threat Post: Remote Code Implantation Flaw Found in Medtronic Cardiac Programmers – “The flaw impacted patients with pacemakers, implantable defibrillators, cardiac resynchronization devices and insertable cardiac monitors.”
  • The Register: Last year, D-Link flubbed a router bug-fix, so it’s back with total pwnage – “Plain text password storage? Check. Directory traversal? Check. SOHOpeless? Check….Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched.”
  • The Register: Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound – “Gadgets taught to identify actions via always-on mics” What could go wrong?
  • Pierluigi Paganini: A Russian cyber vigilante is patching outdated MikroTik routers exposed online – “Alexey described his activity on a Russian blogging platform, he explained he hacked into the routers to change settings and prevent further compromise.” As Paganini points out, this is still ‘cybercrime’. Well, in most jurisdictions. Indeed, I remember dissuading a friend from taking somewhat similar action to remediate the impact of the Code Red worm in 2001 . Even if the motivation is pure, it’s still unauthorized access and modification. I talked about related issues in the context of the BBC’s purchase of a botnet in 2009 here and elsewhere linked in the article. Unfortunately, the ESET link there no longer works, and it’s on ESET’s blog that I did most of my writing on the topic, but you could try this.
  • The UK’s National Cyber Security Centre (NCSC), in collaboration with the Department for Digital, Culture, Media and Sport (DCMS) , has published a Code of Practice for Consumer IoT Security (a differently-formatted – i.e. picture-free – version is available here). It is based on the following guidelines:
    • No default passwords
    • Implement a vulnerability disclosure policy
    • Keep software updated
    • Securely store credentials and security-sensitive data
    • Communicate securely
    • Minimise exposed attack surfaces
    • Ensure software integrity
    • Ensure that personal data is protected
    • Make systems resilient to outages
    • Monitor system telemetry data
    • Make it easy for consumers to delete personal data
    • Make installation and maintenance of devices easy
    • Validate input data

Commentary from The Register: GCHQ asks tech firms to pretty please make IoT devices secure – “Hive, HP Inc sign up to refreshed code of practice”


AVIEN resource updates: 13th October 2018

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

The Register: It’s the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit – “The US Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants.”

Updates to Specific Ransomware Families and Types

David Bisson for Tripwire: New Sextortionist Scam Uses Email Spoofing Attack to Trick Users – “As reported by Bleeping Computer, an attack email belonging to this ploy attempts to lure in a user with the subject line “[email address] + 48 hours to pay,” where [email address] is their actual email address.”

In the Bleeping Computer article, Lawrence Abrams says: “In the past, the sextortion emails would just include a target’s password that the attackers found from a data breach dump in order to scare the victim into thinking that the threats were real. Now the scammers are also pretending to have access to the target’s email account by spoofing the sender of the scam email to be the same email as the victim.”

Updates to Mac Virus

Krebs/Sager interview on supply chain security (also published on this site).

David Harley