Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

FDA Warns of Flaws in Medtronic Programmers

A vulnerability in the software update process of certain Medtronic Programmer models has determined the vendor to block the functionality on affected devices, the U.S. Food and Drug Administration (FDA) informs.

A vulnerability in the software update process of certain Medtronic Programmer models has determined the vendor to block the functionality on affected devices, the U.S. Food and Drug Administration (FDA) informs.

The flaw was found to impact the Internet connection of Medtronic’s Carelink 2090 and Carelink Encore 29901 programmers, and could allow malicious attackers to tamper with the programmers or implanted devices, the FDA reveals.

The programmers are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

The programmers allow physicians to obtain data from CIEDs (including performance information and battery status) and adjust or reprogram devices, but are also used by Medtronic to deliver software updates to the implanted devices.

The programmer software can be downloaded and updated over the Internet, by connecting to the Medtronic Software Distribution Network (SDN), or by physically plugging a universal serial bus (USB) device into the programmer.

Medtronic has discovered the vulnerabilities in the Internet connection of both Carelink 2090 and Carelink Encore 29901 programmers and has disabled access to the SDN through a software update.

“To remediate these vulnerabilities and enhance cybersecurity of device programmers, Medtronic has disabled access to the SDN. When software updates are needed, a Medtronic representative will manually update, via a secured USB, all CareLink 2090 and CareLink Encore 29901 programmers,” Medtronic notes in a security bulletin (PDF).

Although the programmers use a virtual private network (VPN) to connect to the Medtronic SDN over the Internet, the devices would not verify that they were still connected to the VPN before starting to download software updates.

“To address this cybersecurity vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic’s update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN,” the FDA says.

Now, any attempt to update the programmer over the Internet by selecting the “Install from Medtronic” option will result in error messages such as “Unable to connect to local network” or “Unable to connect to Medtronic.”

“To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities,” the FDA’s safety communication reads.

Previously, the United States Department of Homeland Security (DHS) alerted on the vulnerabilities in 2090 Programmers in February, revealing that they “may allow an attacker with physical access […] to obtain per-product credentials to the software deployment network.”

“Additionally, successful exploitation of these vulnerabilities may allow an attacker with local network access to influence communications between the Programmer and the software deployment network,” the DHS notes in its alert.

Related: NIST’s New Advice on Medical IoT Devices

Related: FDA Reveals New Plans for Medical Device Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet