Connect with us

Hi, what are you looking for?


IoT Security

FDA Warns of Flaws in Medtronic Programmers

A vulnerability in the software update process of certain Medtronic Programmer models has determined the vendor to block the functionality on affected devices, the U.S. Food and Drug Administration (FDA) informs.

A vulnerability in the software update process of certain Medtronic Programmer models has determined the vendor to block the functionality on affected devices, the U.S. Food and Drug Administration (FDA) informs.

The flaw was found to impact the Internet connection of Medtronic’s Carelink 2090 and Carelink Encore 29901 programmers, and could allow malicious attackers to tamper with the programmers or implanted devices, the FDA reveals.

The programmers are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

The programmers allow physicians to obtain data from CIEDs (including performance information and battery status) and adjust or reprogram devices, but are also used by Medtronic to deliver software updates to the implanted devices.

The programmer software can be downloaded and updated over the Internet, by connecting to the Medtronic Software Distribution Network (SDN), or by physically plugging a universal serial bus (USB) device into the programmer.

Medtronic has discovered the vulnerabilities in the Internet connection of both Carelink 2090 and Carelink Encore 29901 programmers and has disabled access to the SDN through a software update.

“To remediate these vulnerabilities and enhance cybersecurity of device programmers, Medtronic has disabled access to the SDN. When software updates are needed, a Medtronic representative will manually update, via a secured USB, all CareLink 2090 and CareLink Encore 29901 programmers,” Medtronic notes in a security bulletin (PDF).

Although the programmers use a virtual private network (VPN) to connect to the Medtronic SDN over the Internet, the devices would not verify that they were still connected to the VPN before starting to download software updates.

Advertisement. Scroll to continue reading.

“To address this cybersecurity vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic’s update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN,” the FDA says.

Now, any attempt to update the programmer over the Internet by selecting the “Install from Medtronic” option will result in error messages such as “Unable to connect to local network” or “Unable to connect to Medtronic.”

“To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities,” the FDA’s safety communication reads.

Previously, the United States Department of Homeland Security (DHS) alerted on the vulnerabilities in 2090 Programmers in February, revealing that they “may allow an attacker with physical access […] to obtain per-product credentials to the software deployment network.”

“Additionally, successful exploitation of these vulnerabilities may allow an attacker with local network access to influence communications between the Programmer and the software deployment network,” the DHS notes in its alert.

Related: NIST’s New Advice on Medical IoT Devices

Related: FDA Reveals New Plans for Medical Device Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights