
DHS Warns of Vulnerabilities in Medtronic Defibrillators

The Department of Homeland Security (DHS) has issued an alert to warn of critical vulnerabilities impacting numerous Medtronic devices, which can be exploited by an attacker with a low skill level.

Residing in the Medtronic proprietary Conexus telemetry system, the vulnerabilities may allow an attacker within short range of affected products “to interfere with, generate, modify, or intercept the radio frequency (RF) communication,” potentially impacting product functionality and/or accessing transmitted data.

An attacker looking to exploit the vulnerabilities would need an RF device capable of communicating with the Medtronic system, such as a monitor, programmer, or software-defined radio (SDR), short-range access to the affected products, and for the RF functionality to be active in the target products.

“Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol,” the DHS alert reads. 

Tracked as CVE-2019-6538, the first vulnerability exists because of the lack of authentication or authorization in the Conexus telemetry protocol used in the affected devices. This allows an attacker with short-range access, if the product’s radio is turned on, to inject, replay, modify, and/or intercept data.

“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” DHS says.

The second vulnerability, CVE-2019-6540, exists because no encryption is used by the Conexus telemetry protocol utilized within this ecosystem. This allows an attacker within range to listen to communications, including the transmission of sensitive data.

The impact of these vulnerabilities is mitigated by the fact that Medtronic introduced controls for monitoring and responding to improper use of the Conexus telemetry protocol. The company is also working on additional mitigations that will be deployed through future updates. 

Medtronic recommends that users use only home monitors, programmers, and implantable devices obtained directly from the healthcare provider or a Medtronic representative to ensure integrity of the system, and do not connect unapproved devices to home monitors and programmers via USB ports or other physical connections.

Furthermore, they should only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments, and only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.

To minimize risk of exploitation, users should restrict system access to authorized personnel only and follow a least privilege approach, apply defense-in-depth strategies, and disable unnecessary accounts and services. 

A total of 20 Medtronic devices utilizing the Conexus telemetry protocol are affected, including MyCareLink Monitor, Versions 24950 and 24952; CareLink Monitor, Version 2490C; CareLink 2090 Programmer; Amplia CRT-D (all models); Claria CRT-D (all models); Compia CRT-D (all models); Concerto CRT-D and Concerto II CRT-D (all models); Consulta CRT-D (all models); Evera ICD (all models); Maximo II CRT-D and ICD (all models); Mirro ICD (all models); Nayamed ND ICD (all models); Primo ICD (all models); Protecta ICD and CRT-D (all models); Secura ICD (all models); Virtuoso ICD and Virtuoso II ICD (all models); Visia AF ICD (all models); and Viva CRT-D (all models).

“No known public exploits specifically target these vulnerabilities. These vulnerabilities require adjacent short-range access to the affected devices to be exploited,” DHS underlines. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.