Medtronic’s Implantable Defibrillators Vulnerable to Life-Threatening Hacks

The U.S. Department of Homeland Security on Thursday issued an
advisory warning of severe vulnerabilities in over a dozen heart
defibrillators that could allow attackers to fully hijack them
remotely, potentially putting the lives of millions of patients at
risk.

A cardioverter defibrillator is a small device, surgically
implanted in a patient’s chest, that gives the patient’s heart an
electric shock (often called a countershock) to re-establish a
normal heartbeat.

While the device is designed to prevent sudden death, several
implanted cardiac defibrillators made by Medtronic, one of the
world’s largest medical device companies, have been found to
contain two serious vulnerabilities.

Discovered by researchers from security firm Clever Security, the
vulnerabilities could allow threat actors with knowledge of medical
devices to intercept and potentially impact the functionality of
these life-saving devices.

“Successful exploitation of these vulnerabilities may allow an
attacker with adjacent short-range access to one of the affected
products to interfere with, generate, modify, or intercept the
radio frequency (RF) communication of the Medtronic proprietary
Conexus telemetry system, potentially impacting product
functionality and/or allowing access to transmitted sensitive
data,” warns the advisory[1] released by DHS.

The vulnerabilities reside in the Conexus Radio Frequency Telemetry
Protocol, a wireless communication system that some of Medtronic’s
defibrillators and their control units use to connect to implanted
devices over the air using radio waves.

Flaw 1: Lack of Authentication in Medtronic’s Implantable
Defibrillators

According to an advisory [PDF][2] published by Medtronic, these
flaws affect more than 20 products, 16 of which are implantable
defibrillators; the rest are the defibrillators’ bedside monitors
and programmers.

The more critical flaw of the two is CVE-2019-6538, which occurs
because the Conexus telemetry protocol does not include any checks
for data tampering, nor does it perform any form of authentication
or authorization.

Successful exploitation of this vulnerability could allow an
attacker within radio range of the affected device, and with the
right radio gear, to intercept, spoof, or modify data transmitted
between the device and its controller, which could potentially harm
or perhaps even kill the patient.

“This communication protocol provides the ability to read and write
memory values to affected implanted cardiac devices; therefore, an
attacker could exploit this communication protocol to change memory
in the implanted cardiac device,” the DHS says.
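
The two checks CVE-2019-6538 describes as missing, tamper detection and authentication, can be sketched for a memory-write command as below. This is an added illustration, not code from DHS, Medtronic or the article; the frame layout, the pre-shared key and all names are hypothetical and do not reflect the proprietary Conexus format.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout for illustration (NOT the Conexus format):
#   counter u32 | address u16 | value u8 | HMAC-SHA256 tag (32 bytes)
HEADER = struct.Struct(">IHB")
TAG_LEN = 32


def build_frame(key, counter, address, value):
    """Programmer side: serialize a memory-write command and append its tag."""
    header = HEADER.pack(counter, address, value)
    return header + hmac.new(key, header, hashlib.sha256).digest()


class Receiver:
    """Device side, holding a key assumed to be provisioned out of band."""

    def __init__(self, key):
        self.key, self.last_counter, self.memory = key, 0, {}

    def handle_unchecked(self, frame):
        """The flawed behaviour: no tamper check, no authentication."""
        _, address, value = HEADER.unpack(frame[:HEADER.size])
        self.memory[address] = value
        return True

    def handle(self, frame):
        """Apply the write only if the frame is authentic and fresh."""
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # modified or forged
            return False
        counter, address, value = HEADER.unpack(header)
        if counter <= self.last_counter:  # replayed or stale frame
            return False
        self.last_counter = counter
        self.memory[address] = value
        return True


def flip_value_bit(frame):
    """Constructed in-transit modification: flip one bit of the value field."""
    i = HEADER.size - 1
    return frame[:i] + bytes([frame[i] ^ 0x01]) + frame[i + 1:]
```

The tag covers the counter as well as the command, so a recorded frame cannot be replayed later; confidentiality, the subject of the second flaw, would need encryption on top of this.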

Flaw 2: Lack of Encryption in Medtronic’s Implantable
Defibrillators

The Conexus telemetry protocol also provides no encryption to
secure the telemetry communications, making it possible for
attackers within the range to eavesdrop on the communication. This
issue has been assigned CVE-2019-6540.

However, Medtronic said the vulnerabilities would be hard to take
advantage of to harm patients, since exploitation requires the
following conditions to be met:

  • An unauthorized individual would need to be in close proximity
    of up to 6 meters (20 feet) to the targeted device or clinic
    programmer.
  • Conexus telemetry must be activated by a healthcare
    professional who is in the same room as the patient.
  • Outside of the hospital, activation times of devices are
    limited, vary from patient to patient, and are difficult for an
    unauthorized user to predict.

The medical technology giant also assures its users that “neither a
cyberattack nor patient harm has been observed or associated with
these vulnerabilities” to this date.

Medtronic also noted that its line of implanted pacemakers,
including those with Bluetooth wireless functionality, as well as
its CareLink Express monitors and CareLink Encore programmers
(Model 29901) used by some hospitals and clinics are not vulnerable
to either of these flaws.

Medtronic has already applied additional controls for monitoring
and responding to the abuse of the Conexus protocol by the affected
implanted cardiac devices and is working on a fix to address the
reported vulnerabilities.

The security fix will soon become available, and in the meantime,
Medtronic urged that “patients and physicians continue to use
these devices as prescribed and intended.”

References

  1. advisory (ics-cert.us-cert.gov)
  2. PDF (www.medtronic.com)
