{"id": "THN:22BD1C3E7F7F5638B94295741D887160", "hash": "4c4a6029725a7960045179d59cf144fd", "type": "thn", "bulletinFamily": "info", "title": "Medtronic's Implantable Defibrillators Vulnerable to Life-Threatening Hacks", "description": "[](<https://1.bp.blogspot.com/-_iY0SGKc8Jk/XJTIDLWzAcI/AAAAAAAAzlE/xI0FpEy8idAMeiA-6h0aoL7PWMJp9J3sgCLcBGAs/s728-e100/hacking-medtronic-implantable-defibrillators.jpg>)\n\nThe U.S. Department of Homeland Security Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting lives of millions of patients at risk. \n \nCardioverter Defibrillator is a small surgically implanted device (in patients' chests) that gives a patient's heart an electric shock (often called a countershock) to re-establish a normal heartbeat. \n \nWhile the device has been designed to prevent sudden death, several implanted cardiac defibrillators made by one of the world's largest medical device companies **Medtronic **have been found vulnerable to two serious vulnerabilities. \n\n\n \nDiscovered by researchers from security firm Clever Security, the vulnerabilities could allow threat actors with knowledge of medical devices to intercept and potentially impact the functionality of these life-saving devices. \n \n\n\n> \"Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,\" warns the [advisory](<https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01>) released by DHS.\n\n \nThe vulnerabilities reside in the Conexus Radio Frequency Telemetry Protocol\u2014a wireless communication system used by some of Medtronic defibrillators and their control units to wirelessly connect to implanted devices over the air using radio-waves. \n \n\n\n## Flaw 1: Lack of Authentication in Medtronic's Implantable Defibrillators\n\n \nAccording to an advisory [[PDF](<https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-security-bulletin_CRHF_Tel_C_FNL.pdf>)] published by Medtronic, these flaws affect more than 20 products, 16 of which are implantable defibrillators and rest are the defibrillators' bedside monitors and programmers. \n \nThe more critical flaw of the two is CVE-2019-6538 which occurs because the Conexus telemetry protocol does not include any checks for data tampering, nor performs any form of authentication or authorization. \n\n\n \nThe successful exploitation of this vulnerability could allow an attacker within the radio range of the affected device and right radio gear to intercept, spoof, or modify data transmitting between the device and its controller, which could potentially harm or perhaps even kill the patient. \n \n\n\n> \"This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,\" the DHS says.\n\n \n\n\n## Flaw 2: Lack of Encryption in Medtronic's Implantable Defibrillators\n\n \nThe Conexus telemetry protocol also provides no encryption to secure the telemetry communications, making it possible for attackers within the range to eavesdrop on the communication. This issue has been assigned CVE-2019-6540. \n \nHowever, Medtronic said the vulnerabilities would be hard to take advantage of and harm patients since it requires the following conditions to be met: \n \n\n\n * An unauthorized individual would need to be in close proximity of up to 6 meters (20 feet) to the targeted device or clinic programmer. \n * Conexus telemetry must be activated by a healthcare professional who is in the same room as the patient. \n * Outside of the hospital activation times of devices are limited, which vary patient to patient and are difficult to be predicted by an unauthorized user.\n \nThe medical technology giant also assures its users that \"neither a cyberattack nor patient harm has been observed or associated with these vulnerabilities\" to this date. \n \nMedtronic also noted that its line of implanted pacemakers, including those with Bluetooth wireless functionality, as well as its CareLink Express monitors and CareLink Encore programmers (Model 29901) used by some hospitals and clinics are not vulnerable to either of these flaws. \n \nMedtronic has already applied additional controls for monitoring and responding to the abuse of the Conexus protocol by the affected implanted cardiac devices and is working on a fix to address the reported vulnerabilities. \n \nThe security fix will soon become available, and in the meantime, Medtronic urged \"patients and physicians continue to use these devices as prescribed and intended.\"\n", "published": "2019-03-22T11:54:00", "modified": "2019-03-22T11:54:43", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://thehackernews.com/2019/03/hacking-implantable-defibrillators.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2019-6538", "CVE-2019-6540"], "lastseen": "2019-03-22T13:13:37", "history": [], "viewCount": 57, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2019-03-22T13:13:37"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-6540", "CVE-2019-6538"]}, {"type": "threatpost", "idList": ["THREATPOST:FADCF664C06E3747C40C200AE681FDF8"]}], "modified": "2019-03-22T13:13:37"}, "vulnersScore": 6.1}, "objectVersion": "1.4", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"]}

{"cve": [{"lastseen": "2019-04-05T10:36:27", "bulletinFamily": "NVD", "description": "The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product?s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.", "modified": "2019-04-03T14:05:15", "published": "2019-03-25T18:29:00", "id": "CVE-2019-6538", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6538", "title": "CVE-2019-6538", "type": "cve", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-04-09T10:38:09", "bulletinFamily": "NVD", "description": "The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.", "modified": "2019-04-08T15:23:49", "published": "2019-03-26T14:29:01", "id": "CVE-2019-6540", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6540", "title": "CVE-2019-6540", "type": "cve", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "threatpost": [{"lastseen": "2019-04-25T05:44:24", "bulletinFamily": "info", "description": "The Department of Homeland Security has issued an emergency alert warning of critical flaws allowing attackers to tamper with several Medtronic medical devices, including defibrillators.\n\nThe two vulnerabilities \u2013 comprised of a medium and critical-severity flaw \u2013 exist in 20 products made by the popular medical device manufacturer, including an array of defibrillators and home patient monitoring systems. An update is not yet available for fixing these flaws, Medtronic told Threatpost.\n\nThe flaws could allow a local attacker to take control of the devices\u2019 functions \u2013 and for a product like an implantable cardioverter defibrillator, which is inserted under the skin and shocks patients\u2019 irregular heartbeats into a normal rhythm, that could have dangerous implications.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device,\u201d according to [the DHS alert](<https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01>).\n\nImpacted products include homecare patient monitors, portable computer system used to program cardiac devices, and several specific Medtronic implanted cardiac devices \u2013 potentially up to 750,000 devices, according to a [report](<http://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/>) by the Star Tribune.\n\nA Medtronic spokesperson stressed that while defibrillators are impacted, the issue does not affect Medtronic pacemakers or insertable cardiac monitors.\n\n\u201cMedtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these issues,\u201d the spokesperson told Threatpost. \u201cTo date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues. Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.\u201d\n\n## The Flaws\n\nThe vulnerabilities stem from the Conexus telemetry protocol, which does not implement authentication, authorization or encryption for communication \u2013 allowing an attacker to easily carry out several attacks, such as viewing or altering sensitive data. The Conexus telemetry protocol is used as part of Medtronic\u2019s remote patient management system.\n\nThe vulnerabilities specifically are a critical improper access control vulnerability ([CVE-2019-6538](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6538>)), which has a CVSS score of 9.3 as it only requires a low skill level to exploit; and a cleartext transmission of sensitive information vulnerability ([CVE-2019-6540](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6540>)) which has a CVSS score of 6.5.\n\n\u201cSuccessful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,\u201d according to the DHS advisory.\n\nThe improper access control stems from the fact that the Conexus telemetry protocol utilized in impacted products does not implement authentication or authorization.\n\n\u201cThis communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,\u201d warned the DHS.\n\nIn order to exploit the vulnerabilities, an attacker would need a radio frequency device capable of transmitting or receiving Conexus telemetry communication (such as a monitor, programmer, or software-defined radio) and would need short-range access to the vulnerable products.\n\n## Updates To Come\n\nMedtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices \u2013 but updates will not be ready until later in 2019.\n\nIn the meantime, \u201cMedtronic and the FDA recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients\u2019 devices and heart conditions,\u201d Medtronic said in a statement.\n\nIt\u2019s only the latest set of security issues found in medical manufacturer Medtronic. [In 2018](<https://threatpost.com/remote-code-implantation-flaw-found-in-medtronic-cardiac-programmers/138363/>), a flaw in Medtronic\u2019s CareLink 2090 and CareLink Encore 29901 programmers was discovered allowing remote code implantation over Medtronic\u2019s dedicated Software Deployment Network.\n\nAt Black Hat 2018, researchers stressed that the healthcare device landscape remains insecure and in need of addressing.\n\n\u201c[These attacks] alter how physicians act with patients because they trust technology implicitly,\u201d said Jeff Tully, a pediatrician and anesthesiologist at the University of California Davis at Black Hat.\n\n(Image is licensed under the [Creative Commons](<https://en.wikipedia.org/wiki/en:Creative_Commons> \"w:en:Creative Commons\" ) [Attribution 3.0 Unported](<https://creativecommons.org/licenses/by/3.0/deed.en>) license.)\n", "modified": "2019-03-22T15:07:33", "published": "2019-03-22T15:07:33", "id": "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "href": "https://threatpost.com/medtronic-defibrillators-have-critical-flaws-warns-dhs/143068/", "type": "threatpost", "title": "Medtronic Defibrillators Have Critical Flaws, Warns DHS", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}