Medical device company Medtronic informed customers last week that it has released patches for some cardiac device vulnerabilities disclosed in 2018 and 2019. The vendor says it takes time to develop and validate patches for such complex and safety-critical devices.
Both Medtronic and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) updated their original advisories last week to inform users about the availability of patches. The vendor initially provided mitigations to allow customers to continue using the devices and it has now started releasing software patches.
Medtronic told SecurityWeek that the development of the patches took so long due to the required regulatory approvals.
“Implanted medical devices are complex and safety critical,” the company said. “As a result, development and validation can take a significant amount of time and also includes a required regulatory review process before we can distribute updates to products. Medtronic worked to develop security remediations quickly while also ensuring the patches continue to maintain comprehensive safety and functionality.”
One of the advisories, initially published in March 2019 by both CISA and Medtronic, covers vulnerabilities affecting the Medtronic Conexus radio frequency wireless telemetry protocol used by some of the company’s implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds).
Researchers from various universities revealed last year that they had identified potentially serious vulnerabilities in the Conexus telemetry protocol, including the lack of authentication and authorization, as well as the lack of encryption for communications. These weaknesses can be exploited by an attacker with access to an affected product to intercept, replay or modify data, and allow them to change the settings of implantable devices, home monitors and clinic programmers.
The second advisory, first published in February 2018, describes security holes identified by researchers Billy Rios and Jonathan Butts in Medtronic’s CareLink 2090 and CareLink Encore 29901 devices designed for programming and managing cardiac devices.
The researchers discovered that these devices have vulnerabilities that can be exploited to obtain device usernames and passwords, access files on the system, and push malicious updates via man-in-the-middle (MitM) attacks.
The company has now released patches for nearly half of the devices impacted by the Conexus vulnerabilities, which represents the first phase of security updates. More updates are expected to become available later this year.
In the case of the CareLink vulnerabilities, following the disclosure of the vulnerabilities, the company disabled access to the software deployment network (SDN) used to deliver device updates. In the meantime, software updates for the programmers have been installed manually via a secured USB.
Now that the vulnerabilities have been patched, the SDN has been re-enabled and customers can once again use it to get updates, or they can continue receiving programmer updates via USB.
The company says it’s conducting security checks to look for unauthorized or unusual activity that could be related to these vulnerabilities, but so far it has not seen any cyberattacks, privacy breaches or patient harm associated with these issues.