On March 21, external security researchers disclosed potential cybersecurity vulnerabilities in some Medtronic implantable devices and related products.
These cardio-defibrillators are implanted in a patient’s chest to deliver small electrical shocks to prevent irregular or fast heartbeats.
More than 20 different Medtronic defibrillator models are affected, along with the CareLink programmer used by health professionals and the MyCareLink monitor used in patient homes.
The vulnerabilities could allow an unauthorized individual (i.e. someone other than a health care professional) to access and potentially change the settings of an implantable device, home monitor or clinic programmer.
An attacker with adjacent short-range access to one of the affected products could interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.
- The Department of Homeland Security (DHS) has flagged a cybersecurity weakness in the system Medtronic uses to transmit data from certain cardiac implants.
- DHS gave the cybersecurity weakness a rating of 9.3 out of 10 on a vulnerability scoring system, indicating its belief that the problem is critical.
- The vulnerability could enable a hacker to change the settings on defibrillator implants.
US-CERT has scored the vulnerability with a CVSS v3 Base Score of 9.3 (CRITICAL).
- The Conexus telemetry protocol does not implement authentication or authorization.
- Sensitive information is not encrypted and is transmitted in cleartext.
An unauthorized individual would need to be reasonably close to an active device, monitor, or clinic programmer to take advantage of these vulnerabilities, but not that close, as the range is typically up to 6 meters (about 20 feet).
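The two protocol weaknesses listed above (no authentication or authorization, and cleartext transmission) are what make proximity alone sufficient. The following is an added example written for this summary, not Medtronic code and not the Conexus wire format: it uses a constructed toy "set parameter" frame to contrast a receiver that applies any well-formed frame with a hardened receiver that requires a per-device HMAC-SHA256 tag and a monotonic counter, so that forged, tampered or replayed frames are dropped. The frame layout, the parameter ids and the key handling are all assumptions made for the illustration.

```python
import hmac
import hashlib
import os
import struct

# Constructed toy frame layout (hypothetical; not the Conexus wire format):
#   device_id (4 bytes) | counter (4 bytes) | param_id (1 byte) | value (2 bytes)
FRAME_FMT = ">IIBH"
FRAME_LEN = struct.calcsize(FRAME_FMT)  # 11 bytes
TAG_LEN = 32  # HMAC-SHA256 tag appended to authenticated frames


def build_frame(device_id, counter, param_id, value):
    return struct.pack(FRAME_FMT, device_id, counter, param_id, value)


def parse_frame(frame):
    device_id, counter, param_id, value = struct.unpack(FRAME_FMT, frame[:FRAME_LEN])
    return {"device_id": device_id, "counter": counter, "param_id": param_id, "value": value}


class UnauthenticatedReceiver:
    """Models the weakness in the advisory: any well-formed frame is applied,
    and because nothing is encrypted, a passive listener can parse it as well."""

    def __init__(self):
        self.settings = {}

    def receive(self, frame):
        f = parse_frame(frame)
        self.settings[f["param_id"]] = f["value"]
        return True


def sign_frame(key, frame):
    """Sender side of the hardened variant: append an HMAC-SHA256 tag over the frame."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Hardened variant: per-device shared key plus a strictly increasing counter.
    A bad tag (forged or tampered frame) or a stale counter (replay) is rejected."""

    def __init__(self, key):
        self.key = key
        self.settings = {}
        self.last_counter = -1

    def receive(self, signed):
        if len(signed) != FRAME_LEN + TAG_LEN:
            return False
        frame, tag = signed[:FRAME_LEN], signed[FRAME_LEN:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False
        f = parse_frame(frame)
        if f["counter"] <= self.last_counter:
            return False
        self.last_counter = f["counter"]
        self.settings[f["param_id"]] = f["value"]
        return True


def demo():
    """Runs both receivers against a legitimate frame, a replay and a tampered copy."""
    key = os.urandom(32)  # constructed: would be provisioned per device at the clinic
    legit = build_frame(device_id=0x1234, counter=1, param_id=0x07, value=150)

    # Weak protocol: anything parseable is applied, and any listener in RF range can read it.
    weak = UnauthenticatedReceiver()
    observed_value = parse_frame(legit)["value"]  # cleartext, no key needed to read it
    weak_applied_unsigned = weak.receive(legit)

    # Hardened protocol: only correctly tagged, fresh frames change settings.
    strong = AuthenticatedReceiver(key)
    signed = sign_frame(key, legit)
    accepted_legit = strong.receive(signed)
    accepted_replay = strong.receive(signed)  # same counter seen again
    tampered = bytearray(signed)
    tampered[FRAME_LEN - 1] ^= 0xFF  # flip the low byte of value; tag no longer matches
    accepted_tampered = strong.receive(bytes(tampered))
    accepted_next = strong.receive(sign_frame(key, build_frame(0x1234, 2, 0x07, 150)))

    return {
        "observed_value": observed_value,
        "weak_applied_unsigned": weak_applied_unsigned,
        "accepted_legit": accepted_legit,
        "accepted_replay": accepted_replay,
        "accepted_tampered": accepted_tampered,
        "accepted_next": accepted_next,
        "strong_value": strong.settings[0x07],
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC tag addresses the authentication and authorization gap only; it does not hide the frame contents, so the cleartext weakness would additionally need an authenticated encryption mode (an AEAD) keyed per device. The monotonic counter is what turns "authentic" into "fresh": without it, a captured valid frame could be presented again later.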
- US-CERT MEDICAL ADVISORY: https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01
- FDA SAFETY ALERT: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm633960.htm
- MEDTRONIC SECURITY BULLETIN: https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-security-bulletin_CRHF_Tel_C_FNL.pdf