Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

DHS Warns of Vulnerabilities in Medtronic Defibrillators

The Department of Homeland Security (DHS) has issued an alert to warn of critical vulnerabilities impacting numerous Medtronic devices, which are exploitable with low skill level. 

The Department of Homeland Security (DHS) has issued an alert to warn of critical vulnerabilities impacting numerous Medtronic devices, which are exploitable with low skill level. 

Residing in the Medtronic proprietary Conexus telemetry system, the vulnerabilities may allow an attacker within short-range of affected products “to interfere with, generate, modify, or intercept the radio frequency (RF) communication,” potentially impacting product functionality and/or accessing transmitted data. 

An attacker looking to exploit the vulnerabilities would need an RF device capable of communicating with the Medtronic system, such as a monitor, programmer, or software-defined radio (SDR), short-range access to the affected products, and for the RF functionality to be active in the target products.

“Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol,” the DHS alert reads. 

Tracked as CVE-2019-6538, the first vulnerability exists because of the lack of authentication or authorization in the Conexus telemetry protocol used in the affected devices. This allows an attacker within short-range access, if the product’s radio is turned on, to inject, replay, modify, and/or intercept data. 

“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” DHS says

The second vulnerability, CVE-2019-6540, exists because no encryption is used by the Conexus telemetry protocol utilized within this ecosystem. This allows an attacker within range to listen to communications, including the transmission of sensitive data.

The impact of these vulnerabilities is mitigated by the fact that Medtronic introduced controls for monitoring and responding to improper use of the Conexus telemetry protocol. The company is also working on additional mitigations that will be deployed through future updates. 

Advertisement. Scroll to continue reading.

Medtronic recommends that users use only home monitors, programmers, and implantable devices obtained directly from the healthcare provider or a Medtronic representative to ensure integrity of the system, and do not connect unapproved devices to home monitors and programmers via USB ports or other physical connections.

Furthermore, they should only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments, and only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.

To minimize risk of exploitation, users should restrict system access to authorized personnel only and follow a least privilege approach, apply defense-in-depth strategies, and disable unnecessary accounts and services. 

A total of 20 Medtronic devices utilizing the Conexus telemetry protocol are affected, including MyCareLink Monitor, Versions 24950 and 24952; CareLink Monitor, Version 2490C; CareLink 2090 Programmer; Amplia CRT-D (all models); Claria CRT-D (all models); Compia CRT-D (all models); Concerto CRT-D and Concerto II CRT-D (all models); Consulta CRT-D (all models); Evera ICD (all models); Maximo II CRT-D and ICD (all models); Mirro ICD (all models); Nayamed ND ICD (all models); Primo ICD (all models); Protecta ICD and CRT-D (all models); Secura ICD (all models); Virtuoso ICD and Virtuoso II ICD (all models); Visia AF ICD (all models); and Viva CRT-D (all models).

“No known public exploits specifically target these vulnerabilities. These vulnerabilities require adjacent short-range access to the affected devices to be exploited,” DHS underlines. 

Related: Flaws in Roche Medical Devices Can Put Patients at Risk

Related: FDA Reveals New Plans for Medical Device Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

ICS/OT

As smart cities evolve with more and more integrated connected services, cybersecurity concerns will increase dramatically.

IoT Security

Hikvision patches CVE-2023-28808, a critical authentication bypass vulnerability that exposes video data stored on its Hybrid SAN and cluster storage products.

IoT Security

Researchers at offensive hacking shop Synacktiv demonstrated successful exploit chains and were able to “fully compromise” Tesla’s newest electric car and take top billing...

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...