Skip to content
Naked Security Naked Security

US-CERT warns of critical flaws in Medtronic equipment

Medtronic's latest problem is in their Valleylab electrosurgical generators used by surgeons things like cauterisation during operations.

The United States Computer Emergency Readiness Team (US-CERT) has issued another warning about security flaws in medical equipment made by Medtronic.

The problem this time is in the Valleylab FT10 (V4.0.0 and below) and Valleylab FX8 (v1.1.0 and below), electrosurgical generators used by surgeons for procedures such as cauterisation during operations.

That’s the good news – the equipment is used by hospitals which means locating the equipment and mitigating or patching the vulnerabilities should be relatively straightforward compared to medical equipment being used by thousands of consumers.

Less positively, two of the flaws – CVE-2019-3464, and CVE-2019-3463 – are severe enough to earn a CVSS rating of 9.8, which makes them critical.

The latter vulnerability is the restricted shell (rssh) utility which allows file uploads to the Valleylab units. Using an unpatched version of this could give an attacker admin access and the ability to execute code.

According to the alert, the network access necessary for this to happen is often enabled, presumably for remote management, which gives attackers a way of reaching vulnerable devices.

A third flaw, CVE-2019-13539, is caused by an insecure (i.e. reversible) password hashes, generated by descrypt, which can be pulled from the device thanks to the other vulnerabilities mentioned in the warning.

The fourth flaw, CVE-2019-13543, affects the Medtronic Valleylab Exchange Client version 3.4 and below, is caused by hard-coded credentials.

Currently, patches are available for Valleylab FT10, while the FX8 will receive the same in “early 2020”. In the meantime:

Medtronic recommends to either disconnect affected products from IP networks or to segregate those networks, such that the devices are not accessible from an untrusted network (e.g., Internet).

It’s not clear who discovered the latest flaws although US-CERT mentions them having been reported to it by Medtronic itself.

If so, that’s a step in the right direction after past alerts discovered by independent researchers who sometimes struggled to get the attention of the company.

Medtronic has suffered a number of security problems in its products in the last couple of years, including a brace of flaws in its Implantable Cardioverter Defibrillators (ICDs) in March, and in its pacemakers in 2018.

The last of those was a low point for medical equipment patching after researchers used a session at the Black Hat show to highlight that the equipment was vulnerable to a security flaw 18 months after the company was told of the issue.

Back in 2011, researcher Barnaby Jack demonstrated a proof-of-concept against a Medtronic insulin pump which he claimed could have been exploited to deliver a fatal dose to a patient.

Even though things have changed a lot since then, vulnerabilities continue to emerge at regular intervals. Cleaning up the mistakes of past security coding has a way to go yet.

14 Comments

I’d be kinda impressed if Medtronic did actually report this themselves. That doesn’t seem like something they would have done in the past as they usually try to cover up and downplay these vulnerabilities.

I have a Medtronic interstim device. I am interested in follow up articles.

Running a search, I can’t see any mentioned in connection with that device. The safest approach is for users of any connected medical equipment is to check on Medtronic’s website or that of US-CERT.

I have been using the 670 pump and the cgm6 and had not but issues with the CGM. Transmitters not working correctly keeping clients up throughout the night on the 800 line. They are focusing on quantity sold instead of quality assurance. When the supplies came from Canada instead of China they worked much better. Their billion dollar profits each quarter is their first priority $$$

What about Medtronic pain pumps? Do I have to worry about someone remotely giving me a fatal dose of my pain medication?

That seems highly unlikely – to my knowledge there are no documented examples of someone being harmed by medical equipment hacking. However, this could turn into an issue in future if vulnerabilities are not addressed now.

In the words of Weird Al from “Like a Surgeon,”
[beep.] [beep.]
I can hear your heart beat
[beep.] [beep.]
For the very last time
[beep.] [beeeeeeeeeeeeeeeeeeeeeeeeee…

Why a electrosurgical generator needs remote management in the first place??

Because if a device needs management at all (which these appear to), doing it remotely will always be quicker, cheaper and more reliable than calling out technicians to visit possibly thousands at a time.

Why does Medtronic have so many flaws and recalls?
Is this due the FDA approval before enough studies are done?
I have a device implanted and it is on the recall list.
It’s not life threatening, but I’m not happy about it.

Medtronic is a major equipment maker, so it has a lot of products and, therefore, more vulnerabilities. All devices and software suffer some vulnerabilities. It’s just that some companies have adjusted more quickly to this fact than others.

Looking at Medtronic’s website, these are listed under Covidien products, so, most likely they had these errors when originally produced by Covidien, and Medtronic discovered them after buying the brand, and is now working to resolve the issue.

The merger was nearly three and a half years ago. But you’re correct to point out that the medical sector has an historic problem with vulnerabilities.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?