Medtronic cardiac implants can be hacked, FDA issues alert

Note. Naked Security cannot provide medical advice nor answer questions about specific Medtronic devices. If you’re concerned please contact your health professional or Medtronic directly on (US) 855-275-2717.

The US Food and Drug Administration (FDA) has issued a warning about two dangerous security flaws affecting a number of implantable heart defibrillators and home monitoring systems manufactured by medical device giant Medtronic.

According to an alert put out last week, the flaws affect all models from 20 product families of Implantable Cardioverter Defibrillators (ICDs), which are placed inside patients’ bodies to automatically counteract life-threatening cardiac arrhythmias.

Discovered by a team of researchers in the Netherlands and the UK, the problem is with the inhouse wireless technology, Conexus, which the ICDs use for telemetry, configuration and to retrieve device info.

The vulnerabilities

The first flaw, identified as CVE-2019-6538, is that Conexus wireless protocol has no authentication or authorization, which means that when the device’s radio is turned on, attackers can take control of the communication.

Having done so, there is nothing to stop them from reconfiguring an ICD device with potentially life-threatening settings.

The second flaw, CVE-2019-6540, is that the Conexus protocol doesn’t use any form of wireless encryption, so that attackers nearby can sniff out sensitive data going to and from the device.

The silver lining is that attackers would have to be close to the target device at precisely the right moment.

According to Medtronic, ICD communications are only activated in a hospital setting, so patients are not vulnerable when they are at home or out and about. In its notification, the company also pointed out:

Taking advantage of these vulnerabilities in order to cause harm to a patient would require detailed knowledge of medical devices, wireless telemetry and electrophysiology.

Medtronic hasn’t said when software updates will be made available to address the vulnerabilities. (The updates themselves will require medical approval.)

Meantime, mitigations include: only connecting to the devices in medical facilities, and reporting “concerning behaviour” .

It unlikely that these flaws have been exploited by attackers. As the company says, targeting them would still require advanced knowledge of their operation as well as knowledge of the flaws themselves. However, just to be on the safe side:

Medtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these vulnerabilities.

What the flaws underline, however, is how medical devices are dogged by the problem of weak security, much of it relating to devices designed in the past.

A decade or more ago, adding wireless capability to huge amount of medical equipment looked like an easy win for convenience.

Unfortunately, security was low on the priority list and based on too many assumptions about likelihood and motive. We now see regular medical device security alerts, including one affecting Medtronic’s pacemakers last August.

Mitigations

These are the affected Medtronic devices:

• MyCareLink Monitor, Versions 24950 and 24952,
• CareLink Monitor, Version 2490C,
• CareLink 2090 Programmer,
• Amplia CRT-D (all models),
• Claria CRT-D (all models),
• Compia CRT-D (all models),
• Concerto CRT-D (all models),
• Concerto II CRT-D (all models),
• Consulta CRT-D (all models),
• Evera ICD (all models),
• Maximo II CRT-D and ICD (all models),
• Mirro ICD (all models),
• Nayamed ND ICD (all models),
• Primo ICD (all models),
• Protecta ICD and CRT-D (all models),
• Secura ICD (all models),
• Virtuoso ICD (all models),
• Virtuoso II ICD (all models),
• Visia AF ICD (all models), and
• Viva CRT-D (all models)

Medtronic has released patient-focused information in this security bulletin, which includes recommendations from the company to mitigate the risks to patients.