{"id": "THN:22BD1C3E7F7F5638B94295741D887160", "hash": "4c4a6029725a7960045179d59cf144fd", "type": "thn", "bulletinFamily": "info", "title": "Medtronic's Implantable Defibrillators Vulnerable to Life-Threatening Hacks", "description": "[](<https://1.bp.blogspot.com/-_iY0SGKc8Jk/XJTIDLWzAcI/AAAAAAAAzlE/xI0FpEy8idAMeiA-6h0aoL7PWMJp9J3sgCLcBGAs/s728-e100/hacking-medtronic-implantable-defibrillators.jpg>)\n\nThe U.S. Department of Homeland Security Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting lives of millions of patients at risk. \n \nCardioverter Defibrillator is a small surgically implanted device (in patients' chests) that gives a patient's heart an electric shock (often called a countershock) to re-establish a normal heartbeat. \n \nWhile the device has been designed to prevent sudden death, several implanted cardiac defibrillators made by one of the world's largest medical device companies **Medtronic **have been found vulnerable to two serious vulnerabilities. \n\n\n \nDiscovered by researchers from security firm Clever Security, the vulnerabilities could allow threat actors with knowledge of medical devices to intercept and potentially impact the functionality of these life-saving devices. \n \n\n\n> \"Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,\" warns the [advisory](<https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01>) released by DHS.\n\n \nThe vulnerabilities reside in the Conexus Radio Frequency Telemetry Protocol\u2014a wireless communication system used by some of Medtronic defibrillators and their control units to wirelessly connect to implanted devices over the air using radio-waves. \n \n\n\n## Flaw 1: Lack of Authentication in Medtronic's Implantable Defibrillators\n\n \nAccording to an advisory [[PDF](<https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-security-bulletin_CRHF_Tel_C_FNL.pdf>)] published by Medtronic, these flaws affect more than 20 products, 16 of which are implantable defibrillators and rest are the defibrillators' bedside monitors and programmers. \n \nThe more critical flaw of the two is CVE-2019-6538 which occurs because the Conexus telemetry protocol does not include any checks for data tampering, nor performs any form of authentication or authorization. \n\n\n \nThe successful exploitation of this vulnerability could allow an attacker within the radio range of the affected device and right radio gear to intercept, spoof, or modify data transmitting between the device and its controller, which could potentially harm or perhaps even kill the patient. \n \n\n\n> \"This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,\" the DHS says.\n\n \n\n\n## Flaw 2: Lack of Encryption in Medtronic's Implantable Defibrillators\n\n \nThe Conexus telemetry protocol also provides no encryption to secure the telemetry communications, making it possible for attackers within the range to eavesdrop on the communication. This issue has been assigned CVE-2019-6540. \n \nHowever, Medtronic said the vulnerabilities would be hard to take advantage of and harm patients since it requires the following conditions to be met: \n \n\n\n * An unauthorized individual would need to be in close proximity of up to 6 meters (20 feet) to the targeted device or clinic programmer. \n * Conexus telemetry must be activated by a healthcare professional who is in the same room as the patient. \n * Outside of the hospital activation times of devices are limited, which vary patient to patient and are difficult to be predicted by an unauthorized user.\n \nThe medical technology giant also assures its users that \"neither a cyberattack nor patient harm has been observed or associated with these vulnerabilities\" to this date. \n \nMedtronic also noted that its line of implanted pacemakers, including those with Bluetooth wireless functionality, as well as its CareLink Express monitors and CareLink Encore programmers (Model 29901) used by some hospitals and clinics are not vulnerable to either of these flaws. \n \nMedtronic has already applied additional controls for monitoring and responding to the abuse of the Conexus protocol by the affected implanted cardiac devices and is working on a fix to address the reported vulnerabilities. \n \nThe security fix will soon become available, and in the meantime, Medtronic urged \"patients and physicians continue to use these devices as prescribed and intended.\"\n", "published": "2019-03-22T11:54:00", "modified": "2019-03-22T11:54:43", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://thehackernews.com/2019/03/hacking-implantable-defibrillators.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2019-6538", "CVE-2019-6540"], "lastseen": "2019-03-22T13:13:37", "history": [], "viewCount": 67, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-03-22T13:13:37"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-6538", "CVE-2019-6540"]}, {"type": "threatpost", "idList": ["THREATPOST:FADCF664C06E3747C40C200AE681FDF8"]}], "modified": "2019-03-22T13:13:37"}, "vulnersScore": 6.2}, "objectVersion": "1.4", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"]}

{"cve": [{"lastseen": "2019-10-11T11:46:48", "bulletinFamily": "NVD", "description": "The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product?s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.", "modified": "2019-10-10T12:12:00", "id": "CVE-2019-6538", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6538", "published": "2019-03-25T22:29:00", "title": "CVE-2019-6538", "type": "cve", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-10-10T12:16:39", "bulletinFamily": "NVD", "description": "The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.", "modified": "2019-10-09T23:51:00", "id": "CVE-2019-6540", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6540", "published": "2019-03-26T18:29:00", "title": "CVE-2019-6540", "type": "cve", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2019-11-03T07:09:57", "bulletinFamily": "info", "description": "The Department of Homeland Security has issued an emergency alert warning of critical flaws allowing attackers to tamper with several Medtronic medical devices, including defibrillators.\n\nThe two vulnerabilities \u2013 comprised of a medium and critical-severity flaw \u2013 exist in 20 products made by the popular medical device manufacturer, including an array of defibrillators and home patient monitoring systems. An update is not yet available for fixing these flaws, Medtronic told Threatpost.\n\nThe flaws could allow a local attacker to take control of the devices\u2019 functions \u2013 and for a product like an implantable cardioverter defibrillator, which is inserted under the skin and shocks patients\u2019 irregular heartbeats into a normal rhythm, that could have dangerous implications.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device,\u201d according to [the DHS alert](<https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01>).\n\nImpacted products include homecare patient monitors, portable computer system used to program cardiac devices, and several specific Medtronic implanted cardiac devices \u2013 potentially up to 750,000 devices, according to a [report](<http://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/>) by the Star Tribune.\n\nA Medtronic spokesperson stressed that while defibrillators are impacted, the issue does not affect Medtronic pacemakers or insertable cardiac monitors.\n\n\u201cMedtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these issues,\u201d the spokesperson told Threatpost. \u201cTo date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues. Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.\u201d\n\n## The Flaws\n\nThe vulnerabilities stem from the Conexus telemetry protocol, which does not implement authentication, authorization or encryption for communication \u2013 allowing an attacker to easily carry out several attacks, such as viewing or altering sensitive data. The Conexus telemetry protocol is used as part of Medtronic\u2019s remote patient management system.\n\nThe vulnerabilities specifically are a critical improper access control vulnerability ([CVE-2019-6538](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6538>)), which has a CVSS score of 9.3 as it only requires a low skill level to exploit; and a cleartext transmission of sensitive information vulnerability ([CVE-2019-6540](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6540>)) which has a CVSS score of 6.5.\n\n\u201cSuccessful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,\u201d according to the DHS advisory.\n\nThe improper access control stems from the fact that the Conexus telemetry protocol utilized in impacted products does not implement authentication or authorization.\n\n\u201cThis communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,\u201d warned the DHS.\n\nIn order to exploit the vulnerabilities, an attacker would need a radio frequency device capable of transmitting or receiving Conexus telemetry communication (such as a monitor, programmer, or software-defined radio) and would need short-range access to the vulnerable products.\n\n## Updates To Come\n\nMedtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices \u2013 but updates will not be ready until later in 2019.\n\nIn the meantime, \u201cMedtronic and the FDA recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients\u2019 devices and heart conditions,\u201d Medtronic said in a statement.\n\nIt\u2019s only the latest set of security issues found in medical manufacturer Medtronic. [In 2018](<https://threatpost.com/remote-code-implantation-flaw-found-in-medtronic-cardiac-programmers/138363/>), a flaw in Medtronic\u2019s CareLink 2090 and CareLink Encore 29901 programmers was discovered allowing remote code implantation over Medtronic\u2019s dedicated Software Deployment Network.\n\nAt Black Hat 2018, researchers stressed that the healthcare device landscape remains insecure and in need of addressing.\n\n\u201c[These attacks] alter how physicians act with patients because they trust technology implicitly,\u201d said Jeff Tully, a pediatrician and anesthesiologist at the University of California Davis at Black Hat.\n\n(Image is licensed under the [Creative Commons](<https://en.wikipedia.org/wiki/en:Creative_Commons> \"w:en:Creative Commons\" ) [Attribution 3.0 Unported](<https://creativecommons.org/licenses/by/3.0/deed.en>) license.)\n", "modified": "2019-03-22T16:07:33", "published": "2019-03-22T16:07:33", "id": "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "href": "https://threatpost.com/medtronic-defibrillators-have-critical-flaws-warns-dhs/143068/", "type": "threatpost", "title": "Medtronic Defibrillators Have Critical Flaws, Warns DHS", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "ics": [{"lastseen": "2019-10-23T22:48:12", "bulletinFamily": "info", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v9.3 **\n\n * **ATTENTION:** Exploitable with adjacent access/low skill level to exploit\n * **Vendor:** Medtronic\n * **Equipment:** MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, specific Medtronic implanted cardiac devices listed below\n * **Vulnerabilities:** Improper Access Control, Cleartext Transmission of Sensitive Information\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active. Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following products and versions of Medtronic devices utilizing the Conexus telemetry protocol are affected:\n\n * MyCareLink Monitor, Versions 24950 and 24952,\n * CareLink Monitor, Version 2490C,\n * CareLink 2090 Programmer,\n * Amplia CRT-D (all models),\n * Claria CRT-D (all models),\n * Compia CRT-D (all models),\n * Concerto CRT-D (all models),\n * Concerto II CRT-D (all models),\n * Consulta CRT-D (all models),\n * Evera ICD (all models),\n * Maximo II CRT-D and ICD (all models),\n * Mirro ICD (all models),\n * Nayamed ND ICD (all models),\n * Primo ICD (all models),\n * Protecta ICD and CRT-D (all models),\n * Secura ICD (all models),\n * Virtuoso ICD (all models),\n * Virtuoso II ICD (all models),\n * Visia AF ICD (all models), and\n * Viva CRT-D (all models).\n\n### 3.2 VULNERABILITY OVERVIEW\n\n**3.2.1 [IMPROPER ACCESS CONTROL CWE-284](<https://cwe.mitre.org/data/definitions/284.html>)**\n\nThe Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product\u2019s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.\n\n[CVE-2019-6538](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6538>) has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H>)).\n\n**3.2.2 [CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319](<https://cwe.mitre.org/data/definitions/319.html>)**\n\nThe Conexus telemetry protocol utilized within this ecosystem does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.\n\n[CVE-2019-6540](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6540>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS**: Healthcare and Public Health\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Ireland\n\n### 3.4 RESEARCHER\n\nPeter Morgan of Clever Security; Dave Singel\u00e9e and Bart Preneel of KU Leuven; Eduard Marin formerly of KU Leuven, currently with University of Birmingham; Flavio D. Garcia; Tom Chothia of the University of Birmingham; and Rik Willems of University Hospital Gasthuisberg Leuven reported these vulnerabilities to NCCIC.\n\n## 4\\. MITIGATIONS\n\nMedtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices. Additional mitigations are being developed and will be deployed through future updates, assuming regulatory approval. \nMedtronic recommends that users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Maintain good physical control over home monitors and programmers.\n * Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system.\n * Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections.\n * Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments.\n * Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.\n * Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative.\n\nMedtronic has released additional patient-focused information at the following location:\n\n<https://www.medtronic.com/security>\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Restrict system access to authorized personnel only and follow a least privilege approach.\n * Apply defense-in-depth strategies.\n * Disable unnecessary accounts and services.\n * Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA that can be found at the following location: \n\n<https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm>\n\nNCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities. These vulnerabilities require adjacent short-range access to the affected devices to be exploited.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the NCCIC at: \n \nEmail: [NCCICCUSTOMERSERVICE@hq.dhs.gov](<mailto:NCCICCUSTOMERSERVICE@hq.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: http://ics-cert.us-cert.gov \nor incident reporting: https://ics-cert.us-cert.gov/Report-Incident?\n\nThe NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\nWas this document helpful? Yes | Somewhat | No\n", "modified": "2019-03-21T00:00:00", "published": "2019-03-21T00:00:00", "id": "ICSMA-19-080-01", "href": "https://www.us-cert.gov//ics/advisories/ICSMA-19-080-01", "title": "Medtronic Conexus Radio Frequency Telemetry Protocol", "type": "ics", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}]}