The Department of Homeland Security has issued an emergency alert warning of critical flaws allowing attackers to tamper with several Medtronic medical devices, including defibrillators.
The two vulnerabilities – comprised of a medium and critical-severity flaw – exist in 20 products made by the popular medical device manufacturer, including an array of defibrillators and home patient monitoring systems. An update is not yet available for fixing these flaws, Medtronic told Threatpost.
The flaws could allow a local attacker to take control of the devices’ functions – and for a product like an implantable cardioverter defibrillator, which is inserted under the skin and shocks patients’ irregular heartbeats into a normal rhythm, that could have dangerous implications.
“The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device,” according to the DHS alert.
Impacted products include homecare patient monitors, portable computer system used to program cardiac devices, and several specific Medtronic implanted cardiac devices – potentially up to 750,000 devices, according to a report by the Star Tribune.
A Medtronic spokesperson stressed that while defibrillators are impacted, the issue does not affect Medtronic pacemakers or insertable cardiac monitors.
“Medtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these issues,” the spokesperson told Threatpost. “To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues. Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.”
The vulnerabilities stem from the Conexus telemetry protocol, which does not implement authentication, authorization or encryption for communication – allowing an attacker to easily carry out several attacks, such as viewing or altering sensitive data. The Conexus telemetry protocol is used as part of Medtronic’s remote patient management system.
The vulnerabilities specifically are a critical improper access control vulnerability (CVE-2019-6538), which has a CVSS score of 9.3 as it only requires a low skill level to exploit; and a cleartext transmission of sensitive information vulnerability (CVE-2019-6540) which has a CVSS score of 6.5.
“Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,” according to the DHS advisory.
The improper access control stems from the fact that the Conexus telemetry protocol utilized in impacted products does not implement authentication or authorization.
“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” warned the DHS.
In order to exploit the vulnerabilities, an attacker would need a radio frequency device capable of transmitting or receiving Conexus telemetry communication (such as a monitor, programmer, or software-defined radio) and would need short-range access to the vulnerable products.
Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices – but updates will not be ready until later in 2019.
In the meantime, “Medtronic and the FDA recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients’ devices and heart conditions,” Medtronic said in a statement.
It’s only the latest set of security issues found in medical manufacturer Medtronic. In 2018, a flaw in Medtronic’s CareLink 2090 and CareLink Encore 29901 programmers was discovered allowing remote code implantation over Medtronic’s dedicated Software Deployment Network.
At Black Hat 2018, researchers stressed that the healthcare device landscape remains insecure and in need of addressing.
“[These attacks] alter how physicians act with patients because they trust technology implicitly,” said Jeff Tully, a pediatrician and anesthesiologist at the University of California Davis at Black Hat.