A critical vulnerability found in thousands of Medtronic cardio defibrillators could allow a hacker to remotely control the implanted devices, according to an alert from both the Food and Drug Administration and the Department of Homeland Security.
The flaw is found in Medtronic’s MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, and other Medtronic implanted cardiac devices. Officials described the flaw as improper access control combined with cleartext transmission of sensitive data, and said it can be remotely exploited with a low skill level.
The flaw resides in the Conexus telemetry protocol found within the MyCareLink ecosystem. The protocol doesn’t require authentication or authorization for access, which means an attacker within short range of a defibrillator whose radio is turned on could gain access to it and then inject, replay, modify, and/or intercept data communications.
“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices,” DHS officials warned. “Therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.”
The Conexus telemetry protocol also does not use data encryption, so a hacker at short range could listen to the device's communications, including the transmission of sensitive data.
Medtronic has already applied additional controls to the devices for monitoring and responding to improper use. Officials said they’re also developing additional mitigations that will be deployed in future device updates, with regulatory approval.
To prevent exploitation, Medtronic recommended users take additional defensive measures, including maintaining good physical control over home monitors and programmers and only using home monitors, programmers, and implantable devices directly received from a provider or Medtronic representative to ensure device integrity.
Further, users should not connect unapproved devices to home monitors or programmers through USB ports or other physical connections. And programmers should only be used to connect with the implanted device in a physically controlled hospital or clinical environment.
DHS officials further recommended access to the system should be restricted to authorized personnel only, and individuals should follow a least privilege approach. They also recommended defense-in-depth strategies, along with disabling unnecessary accounts and services.
“Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative,” Medtronic officials wrote in a statement. “Even though an unauthorized user may be able to access the Conexus telemetry, that access does not mean the unauthorized user will have the ability to control or change the settings of an implanted heart device.”
“Fully exploiting these vulnerabilities requires comprehensive and specialized knowledge of medical devices, wireless telemetry, and electrophysiology,” they added. “These vulnerabilities are not accessible from the internet.”
Vendors have increased vulnerability reporting in recent years, in response to the FDA’s medical device cybersecurity guidance released in 2016. The increase highlights manufacturers' efforts to address commonly understood cybersecurity flaws found in many devices.
Medtronic has ramped up its vulnerability disclosures over the last year. In August, the vendor addressed flaws in some of its patient monitors and insulin pumps. And in December, Medtronic addressed customer feedback around its USB drive in its ventilators that impacted the GUI function and display.