The US Food and Drug Administration (FDA) has issued a warning about two dangerous security flaws affecting a number of implantable heart defibrillators and home monitoring systems manufactured by medical device giant Medtronic.
According to an alert put out last week, the flaws affect all models from 20 product families of Implantable Cardioverter Defibrillators (ICDs), which are placed inside patients’ bodies to automatically counteract life-threatening cardiac arrhythmias.
Discovered by a team of researchers in the Netherlands and the UK, the problem lies in Conexus, the in-house wireless technology the ICDs use for telemetry, configuration and retrieving device information.
In the first flaw, identified as CVE-2019-6538, it turned out that the Conexus wireless protocol has no authentication or authorization, which means that once the device’s radio was turned on, an attacker could take control of the communication.
Having done that, there was nothing to stop them from writing potentially life-threatening settings to the ICDs’ memory.
The second flaw, CVE-2019-6540, was that the Conexus protocol lacks wireless encryption of the sort that would keep hackers out in the first place.
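To make the first flaw concrete, here is an added illustration (not code from the article, from the researchers, or from Medtronic, and not the Conexus wire format, which the article does not describe) of a constructed toy telemetry "write settings" frame. It contrasts a receiver that applies any well-formed frame, as an unauthenticated protocol would, with one that checks a per-device keyed tag and a replay counter before writing anything. The key, frame layout and setting name are all constructed for the example.

```python
"""Toy telemetry 'write settings' frame with and without authentication.

Constructed illustration only: this is NOT the Conexus wire format (the
article does not describe it). It shows the difference between a receiver
that accepts any well-formed frame and one that checks a keyed tag and a
strictly increasing counter before applying the settings.
"""
import hashlib
import hmac
import json
import struct

TAG_LEN = 32  # HMAC-SHA256 digest length


def encode_frame(seq: int, settings: dict) -> bytes:
    """Constructed frame layout: 4-byte big-endian counter + JSON settings."""
    return struct.pack(">I", seq) + json.dumps(settings, sort_keys=True).encode()


def unauthenticated_receive(frame: bytes) -> dict:
    """The weak pattern: nothing ties the frame to an authorized programmer,
    so any party that can reach the radio gets its settings applied."""
    (seq,) = struct.unpack(">I", frame[:4])
    return {"seq": seq, "settings": json.loads(frame[4:].decode())}


def encode_authenticated(key: bytes, seq: int, settings: dict) -> bytes:
    """Hardened sender: append an HMAC-SHA256 tag over counter + payload."""
    body = encode_frame(seq, settings)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Hardened receiver: a per-device key shared only with authorized
    programmers, a constant-time tag check, and a strictly increasing
    counter so a captured frame cannot simply be replayed."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = -1

    def receive(self, frame: bytes) -> dict:
        if len(frame) < 4 + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("tag mismatch: not from an authorized programmer")
        (seq,) = struct.unpack(">I", body[:4])
        if seq <= self._last_seq:
            raise PermissionError("stale or replayed frame")
        self._last_seq = seq
        return {"seq": seq, "settings": json.loads(body[4:].decode())}


def accepted(receive, frame: bytes) -> bool:
    """True if the receive callable applies the frame, False if it rejects it."""
    try:
        receive(frame)
        return True
    except (PermissionError, ValueError):
        return False


def demo() -> dict:
    """Run the scenarios and report which frames each receiver accepted."""
    device_key = b"constructed-per-device-key"  # constructed; would be provisioned per device
    settings = {"detection_rate_bpm": 180}      # constructed setting name, not a real parameter
    rx = AuthenticatedReceiver(device_key)
    legit = encode_authenticated(device_key, 1, settings)
    unkeyed = encode_authenticated(b"some-other-key", 2, settings)  # sender without the device key
    return {
        "unauth_accepts_unkeyed": accepted(unauthenticated_receive, encode_frame(2, settings)),
        "auth_accepts_legit": accepted(rx.receive, legit),
        "auth_rejects_unkeyed": not accepted(rx.receive, unkeyed),
        "auth_rejects_replay": not accepted(rx.receive, legit),
        "auth_rejects_truncated": not accepted(rx.receive, legit[:10]),
    }


if __name__ == "__main__":
    print(demo())
```

The block only closes the authentication and authorization gap (the first flaw). Addressing the second, the missing confidentiality, would mean wrapping the frame body in an authenticated cipher such as AES-GCM under a separate key; that is left out here to keep the example to the Python standard library.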
The better news is that attackers would have to work quite hard to be in a position to take advantage of these weaknesses: they would need to be within short range of the target device at precisely the moment the radio communication is initiated.
According to Medtronic, ICDs are only activated, and therefore only vulnerable, in a hospital setting, so patients would not be vulnerable while at home. In its notification, the company also pointed out:
Taking advantage of these vulnerabilities in order to cause harm to a patient would require detailed knowledge of medical devices, wireless telemetry and electrophysiology.
Medtronic hasn’t said when software updates will be made available to address the vulnerabilities, which also require medical approval.
In the meantime, the mitigations offered are that the devices should only be connected to in medical facilities and that any “concerning behaviour” should be reported.
It is unlikely that these flaws have been exploited by attackers. As the company says, targeting them would still require advanced knowledge of their operation as well as of the flaws themselves. However, just to be on the safe side:
Medtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these vulnerabilities.
What the flaws underline, however, is how medical devices are dogged by the problem of weak security, much of it stemming from devices designed in the past.
A decade or more ago, adding wireless capability to a huge amount of medical equipment looked like an easy win for convenience.
Unfortunately, security was low on the priority list and based on too many assumptions about likelihood and motive. We now see regular medical device security alerts, including one affecting Medtronic’s pacemakers last August.
These are the affected Medtronic devices:
- MyCareLink Monitor, Versions 24950 and 24952,
- CareLink Monitor, Version 2490C,
- CareLink 2090 Programmer,
- Amplia CRT-D (all models),
- Claria CRT-D (all models),
- Compia CRT-D (all models),
- Concerto CRT-D (all models),
- Concerto II CRT-D (all models),
- Consulta CRT-D (all models),
- Evera ICD (all models),
- Maximo II CRT-D and ICD (all models),
- Mirro ICD (all models),
- Nayamed ND ICD (all models),
- Primo ICD (all models),
- Protecta ICD and CRT-D (all models),
- Secura ICD (all models),
- Virtuoso ICD (all models),
- Virtuoso II ICD (all models),
- Visia AF ICD (all models), and
- Viva CRT-D (all models)
Medtronic has released patient-focused information in this security bulletin, which includes recommendations from the company to mitigate the risks to patients. Further to this, US-CERT advises users to:
- Restrict system access to authorized personnel only and follow a least privilege approach.
- Apply defense-in-depth strategies.
- Disable unnecessary accounts and services.