Security flaw in Medtronic heart defibrillators is serious, DHS says, but don’t panic
The Department of Homeland Security has issued an advisory warning that a vulnerability in Medtronic heart defibrillators could allow hackers to change the settings in a medical device from within radio range.
The flaw, designated CVE-2019-6538, has been assigned a 9.3 severity out of a possible 10, according to the Cybersecurity and Infrastructure Security Agency advisory issued Thursday. The Food and Drug Administration in its own safety communication said it has “confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable home device, home monitor, or clinic programmer.”
The issue involves Conexus, Medtronic’s radio-frequency protocol that’s used for communication between medical technology such as defibrillators, home monitoring devices and other clinician programming tools. Conexus connections fail to implement any kind of authentication or authorization, according to DHS. That means that, in situations where a product’s radio is activated, outsiders can exploit the connection to read and write memory in the cardiac device.
“Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices,” the DHS advisory states. “Additional mitigations are being developed and will be deployed through future updates, assuming regulatory approval.”
Medtronic said in its alert that it was not aware of any patients whose devices had been attacked. The company said it is conducting security checks for unauthorized behavior, and that it is developing a series of software updates to resolve the issues. The first update is scheduled for release later in 2019 pending regulatory approval, the company said.
“It’s a serious issue, but not one to panic over,” Beau Woods, cyber safety innovation fellow at the Atlantic Council, told CyberScoop. “If you may be affected, work with your doctor to see if, how, and when to update [your device].”
As an example of how such risk can be mitigated, Woods pointed to a 2017 recall by medical-device manufacturer Abbott of roughly half a million pacemakers after researchers showed their programming commands could be altered to threaten patient health. There were no reports of physical harm resulting from the vulnerability, and the vast majority of the firmware updates the company issued were applied smoothly.
Devices affected by the Medtronic flaw include 20 device models, including products by the MyCareLink Monitor and CareLink Monitor.
DHS encouraged users to exert physical control over their monitors and programmers, avoid connecting unapproved devices to defibrillators, and to use monitors only in controlled environments.
The FDA in October issued a cybersecurity advisory for two models of programming equipment built by Minneapolis-based Medtronic. The equipment was used by doctors to check cardiac devices such as pacemakers and defibrillators, CyberScoop previously reported. The company at the time said it would manually update all affected programmers to mitigate the vulnerability.
Sean Lyngaas contributed reporting to this story.