Medtronic Implantable Defibrillators Vulnerable to Severe Attacks

The Department of Homeland Security (DHS) has issued an advisory warning that implantable heart defibrillators from Medtronic carry vulnerabilities that let an attacker within radio range read data from, and send commands to, devices implanted in patients' chests.

The warning was published as a medical advisory by DHS's National Cybersecurity and Communications Integration Center (NCCIC).

The vulnerabilities were discovered by researchers from Clever Security, KU Leuven, the University of Birmingham and University Hospital Gasthuisberg Leuven, who reported to the National Cybersecurity and Communications Integration Center (NCCIC) that an attacker with knowledge of the devices' radio protocol could intercept their communications and interfere with their operation.

The devices in question, implantable cardioverter defibrillators (ICDs), are small units surgically implanted in a patient's chest that deliver an electric shock to restore a normal heartbeat when a dangerous rhythm is detected.

While these devices exist to prevent sudden cardiac death, the Medtronic models have been found to carry two flaws: improper access control, and cleartext transmission of sensitive information.

Both flaws lie in the Conexus Radio Frequency Telemetry Protocol, the wireless protocol that Medtronic's programmers and home monitors use to communicate with the implanted devices over radio. The protocol performs no authentication or authorization of the party sending commands, and does not encrypt the data it carries, which is what makes the two flaws possible.

The improper access control vulnerability has been assigned CVE-2019-6538, with a CVSS v3 base score of 9.3.

The advisory notes that exploiting this flaw in the telemetry protocol allows an attacker within short range of the device to modify, spoof, replay, intercept, read or write data values in the cardiac device, which could harm or kill the patient.

The second vulnerability, CVE-2019-6540, with a CVSS v3 base score of 6.5, allows an attacker within short range to eavesdrop on the link and read the sensitive data it carries, because that data is transmitted unencrypted.
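As an added illustration of the two weakness classes just described, the constructed Python model below shows a telemetry link that accepts cleartext commands from anyone (the improper access control and cleartext transmission pattern) beside a hardened link with per-direction keys, encryption, message authentication and replay rejection. This is example code written for this article, not Medtronic's code: the frame layout, key derivation, message types and names such as `SecureEndpoint` are assumptions, and nothing here describes how Conexus actually frames its messages. A production design would establish the session secret through an out-of-band pairing step and use a standard AEAD such as AES-GCM; HMAC-SHA256 is used here only to stay within the standard library.

```python
"""Constructed model of an unauthenticated, cleartext telemetry link beside a
hardened one.  Illustrative only: frame format and key derivation are
assumptions, not the Conexus protocol."""
import hashlib
import hmac
import os
import struct

MSG_READ = 0x01
MSG_WRITE = 0x02
COUNTER_LEN = 8   # big-endian send counter, doubles as the per-frame nonce
TAG_LEN = 16      # truncated HMAC-SHA256 tag


# --- Insecure link: cleartext payloads, any radio may issue commands ---------
def insecure_frame(msg_type: int, payload: bytes) -> bytes:
    """Anything within radio range can build one of these; nothing ties it to a key."""
    return bytes([msg_type]) + payload


def insecure_device_handle(frame: bytes, state: dict) -> bytes:
    """Implant side: no key, no counter, so spoofed and replayed writes are honoured."""
    msg_type, payload = frame[0], frame[1:]
    if msg_type == MSG_WRITE:
        state["setting"] = payload  # attacker-chosen value accepted as-is
        return b"ack"
    return state["setting"]        # and read back in the clear


# --- Hardened link ----------------------------------------------------------
def derive_keys(session_secret: bytes, direction: bytes):
    """Independent encryption and MAC keys per direction, so the two sides never
    reuse a (key, counter) pair.  The session secret is assumed to come from an
    out-of-band pairing step that this model does not cover."""
    enc = hmac.new(session_secret, b"enc:" + direction, hashlib.sha256).digest()
    mac = hmac.new(session_secret, b"mac:" + direction, hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, counter: bytes, length: int) -> bytes:
    """PRF stream HMAC-SHA256(enc_key, counter || block_index); the counter is
    unique per frame, so the stream is never reused."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class SecureEndpoint:
    """One side (programmer or implant) of an encrypt-then-MAC link."""

    def __init__(self, session_secret: bytes, role: bytes, peer: bytes):
        self.send_enc, self.send_mac = derive_keys(session_secret, role)
        self.recv_enc, self.recv_mac = derive_keys(session_secret, peer)
        self.send_counter = 0
        self.last_received = 0  # highest counter accepted so far

    def seal(self, msg_type: int, payload: bytes) -> bytes:
        self.send_counter += 1
        ctr = struct.pack(">Q", self.send_counter)
        ct = _xor(bytes([msg_type]) + payload, _keystream(self.send_enc, ctr, 1 + len(payload)))
        tag = hmac.new(self.send_mac, ctr + ct, hashlib.sha256).digest()[:TAG_LEN]
        return ctr + ct + tag

    def open(self, frame: bytes):
        """Return (msg_type, payload); raise ValueError for spoofed, tampered or replayed frames."""
        if len(frame) < COUNTER_LEN + 1 + TAG_LEN:
            raise ValueError("truncated frame")
        ctr, ct, tag = frame[:COUNTER_LEN], frame[COUNTER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.recv_mac, ctr + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: spoofed or tampered frame")  # checked before touching state
        n = struct.unpack(">Q", ctr)[0]
        if n <= self.last_received:
            raise ValueError("replayed frame")
        self.last_received = n
        pt = _xor(ct, _keystream(self.recv_enc, ctr, len(ct)))
        return pt[0], pt[1:]


def try_open(endpoint: SecureEndpoint, frame: bytes):
    """Decoded message on success, the rejection reason string otherwise."""
    try:
        return endpoint.open(frame)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    secret = os.urandom(32)  # stands in for a pairing secret established out of band
    programmer = SecureEndpoint(secret, b"programmer", b"implant")
    implant = SecureEndpoint(secret, b"implant", b"programmer")
    frame = programmer.seal(MSG_WRITE, b"set-threshold=42")
    print("decoded:", implant.open(frame))
    print("replay:", try_open(implant, frame))
    tampered = bytearray(frame)
    tampered[COUNTER_LEN] ^= 0x01
    print("tampered:", try_open(implant, bytes(tampered)))
```

The ordering inside `open` matters: the tag is verified before the counter is read, so an unauthenticated frame can never advance the receiver's state, and the counter check runs before decryption, so a captured frame replayed later is dropped even though its tag is genuine. Separate keys per direction prevent the programmer's and the implant's frames from ever sharing a keystream.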

Following the advisory, Medtronic published a security bulletin stating that the flaws affect more than 20 products, 16 of them implantable devices and the remainder clinic programmers and bedside home monitors.

The company said that no patient harm and no cyber attacks have been traced to the vulnerabilities, and that its CareLink Encore Programmers, used by clinics and hospitals, are not affected.

Medtronic said it is working on security updates that will be made available, and in the meantime advised physicians and patients to continue using the devices as intended, since the benefit of the therapy outweighs the risk from these flaws.