The Department of Homeland Security (DHS) has issued an alert to warn of critical vulnerabilities impacting numerous Medtronic devices, which are exploitable with low skill level.
Residing in the Medtronic proprietary Conexus telemetry system, the vulnerabilities may allow an attacker within short-range of affected products “to interfere with, generate, modify, or intercept the radio frequency (RF) communication,” potentially impacting product functionality and/or accessing transmitted data.
An attacker looking to exploit the vulnerabilities would need an RF device capable of communicating with the Medtronic system, such as a monitor, programmer, or software-defined radio (SDR), short-range access to the affected products, and for the RF functionality to be active in the target products.
“Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol,” the DHS alert reads.
Tracked as CVE-2019-6538, the first vulnerability exists because of the lack of authentication or authorization in the Conexus telemetry protocol used in the affected devices. This allows an attacker within short-range access, if the product’s radio is turned on, to inject, replay, modify, and/or intercept data.
“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” DHS says.
The second vulnerability, CVE-2019-6540, exists because no encryption is used by the Conexus telemetry protocol utilized within this ecosystem. This allows an attacker within range to listen to communications, including the transmission of sensitive data.
The impact of these vulnerabilities is mitigated by the fact that Medtronic introduced controls for monitoring and responding to improper use of the Conexus telemetry protocol. The company is also working on additional mitigations that will be deployed through future updates.
Medtronic recommends that users use only home monitors, programmers, and implantable devices obtained directly from the healthcare provider or a Medtronic representative to ensure integrity of the system, and do not connect unapproved devices to home monitors and programmers via USB ports or other physical connections.
Furthermore, they should only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments, and only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
To minimize risk of exploitation, users should restrict system access to authorized personnel only and follow a least privilege approach, apply defense-in-depth strategies, and disable unnecessary accounts and services.
A total of 20 Medtronic devices utilizing the Conexus telemetry protocol are affected, including MyCareLink Monitor, Versions 24950 and 24952; CareLink Monitor, Version 2490C; CareLink 2090 Programmer; Amplia CRT-D (all models); Claria CRT-D (all models); Compia CRT-D (all models); Concerto CRT-D and Concerto II CRT-D (all models); Consulta CRT-D (all models); Evera ICD (all models); Maximo II CRT-D and ICD (all models); Mirro ICD (all models); Nayamed ND ICD (all models); Primo ICD (all models); Protecta ICD and CRT-D (all models); Secura ICD (all models); Virtuoso ICD and Virtuoso II ICD (all models); Visia AF ICD (all models); and Viva CRT-D (all models).
“No known public exploits specifically target these vulnerabilities. These vulnerabilities require adjacent short-range access to the affected devices to be exploited,” DHS underlines.