Friday March 22, 2019

The DHS Issues Medical Advisory for Medtronic Cardiac Devices

The Department of Homeland Security (DHS) has issued a cybersecurity warning that documents vulnerabilities in the Medtronic Conexus Radio Frequency Telemetry Protocol. Medtronic makes cardio-defibrillators that are planted into a patient's chest and can be read and programmed by trained medical personnel. This allows the devices to communicate with home monitoring devices and Carelink programmers found at doctor's offices. These vulnerabilities require a low level of skill to exploit as the proprietary Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device. Because the devices also lack encryption, attackers can listen to communications, including the transmission of sensitive data. Medtronics is working on developing updates to fix the vulnerabilities.

News Image

"It is possible with this attack to cause harm to a patient, either by erasing the firmware that is giving necessary therapy to the patient's heart, or by directly invoking shock related commands on the defibrillator," he said. "Since this protocol is unauthenticated, the ICD cannot discern if communications its receiving are coming from a trusted Medtronic device, or an attacker." A successful attacker could erase or reprogram the defibrillator's firmware, and run any command on the device.