Several implantable heart defibrillators are vulnerable to severe, potentially life-threatening attacks. The flaws, located in Medtronic’s Conexus radio frequency wireless telemetry protocol, could allow an attacker within radio range to take control of a device over the air, putting the patients who depend on these implants at risk.
More specifically, Clever Security researchers discovered that the Conexus Radio Frequency Telemetry Protocol provides no encryption to secure communications.
The lack of encryption lets anyone within radio range eavesdrop on the traffic. That is not the only issue: the protocol also has no authentication, so an implant cannot tell a legitimate programmer or monitor from an attacker’s transmitter. Combined with some other flaws, these two issues allow an attacker to rewrite the defibrillator’s firmware, which researchers say is rare for vulnerabilities in medical devices.
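As an added illustration (not code from the original article, and not Medtronic’s protocol), the Python sketch below uses an invented telemetry frame format to show the difference between a receiver that accepts any cleartext frame and one that checks a per-device HMAC-SHA256 tag plus a strictly increasing sequence number. The frame layout, command codes, device id and shared key are all assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption for this example, not Conexus):
# device id (u32) | sequence (u32) | command (u8) | payload length (u8) | payload
HDR = struct.Struct(">IIBB")
TAG_LEN = 32  # HMAC-SHA256 tag appended by the hardened variant

CMD_READ_STATUS = 0x01      # hypothetical command codes
CMD_WRITE_FIRMWARE = 0xF0


def build_frame(device_id, seq, cmd, payload=b""):
    """Serialise a frame. Anyone in radio range can do this; no secret is involved."""
    return HDR.pack(device_id, seq, cmd, len(payload)) + payload


def parse_unauthenticated(frame):
    """Legacy receiver: trusts whatever arrives in the clear."""
    if len(frame) < HDR.size:
        return None
    device_id, seq, cmd, plen = HDR.unpack_from(frame)
    payload = frame[HDR.size:HDR.size + plen]
    if len(payload) != plen:
        return None
    return {"device_id": device_id, "seq": seq, "cmd": cmd, "payload": payload}


def sign_frame(key, frame):
    """Sender side of the hardened variant: append an HMAC-SHA256 tag."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Hardened receiver: per-device shared key, tag check, strictly increasing seq."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.last_seq = 0  # a real device would have to persist this across resets

    def receive(self, wire):
        if len(wire) < HDR.size + TAG_LEN:
            return None, "short"
        frame, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None, "bad_tag"
        parsed = parse_unauthenticated(frame)
        if parsed is None or parsed["device_id"] != self.device_id:
            return None, "bad_frame"
        if parsed["seq"] <= self.last_seq:          # replayed or reordered frame
            return None, "replay"
        self.last_seq = parsed["seq"]
        return parsed, "ok"


def demo():
    """Run four cases; returns (legacy_cmd, forged_status, good_status, replay_status)."""
    device_id = 0x00C0FFEE                # constructed value
    key = bytes(range(32))                # constructed shared key
    # An attacker in radio range forges a firmware-write command with no key at all.
    attacker_frame = build_frame(device_id, 999, CMD_WRITE_FIRMWARE, b"\xde\xad")
    legacy = parse_unauthenticated(attacker_frame)          # accepted outright
    rx = AuthenticatedReceiver(device_id, key)
    forged = rx.receive(attacker_frame + bytes(TAG_LEN))    # guessed tag: rejected
    good = sign_frame(key, build_frame(device_id, 1, CMD_READ_STATUS))
    ok = rx.receive(good)                                   # legitimate: accepted
    replay = rx.receive(good)                               # captured and resent: rejected
    return legacy["cmd"], forged[1], ok[1], replay[1]


if __name__ == "__main__":
    print(demo())
```

The HMAC tag addresses only the authentication gap: it gives integrity and origin, not confidentiality, so the cleartext-eavesdropping issue would still need encryption on top (an AEAD mode covers both in one step). The sequence counter is what stops a captured legitimate frame from being replayed, which is why it must survive device resets.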
Medtronic Vulnerabilities: Explained
The vulnerabilities affect devices that use Medtronic’s Conexus radio frequency wireless telemetry protocol, including the company’s implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds). Medtronic’s pacemakers are not affected.
The good news is that there is no evidence the vulnerabilities have been exploited so far. Nonetheless, an attacker in close proximity to a patient can still interfere with the communication while the radio link is active and gain access to data sent by the device.
Furthermore, according to an alert by the Department of Homeland Security, the vulnerabilities are easy to exploit and require only a low skill level, which is why the issues are rated critical. Medtronic, on the other hand, said that while someone may be able to access Conexus, they would need detailed knowledge of medical devices, wireless telemetry and electrophysiology to endanger a patient’s life.
The vulnerabilities are the following:
- A critical improper access control vulnerability, CVE-2019-6538, with a CVSS score of 9.3; the DHS alert notes that it requires only a low skill level to exploit;
- A cleartext transmission of sensitive information vulnerability, CVE-2019-6540, with a CVSS score of 6.5.
Here’s the list of affected devices:
- MyCareLink Monitor, Versions 24950 and 24952
- CareLink Monitor, Version 2490C
- CareLink 2090 Programmer
- Amplia CRT-D (all models)
- Claria CRT-D (all models)
- Compia CRT-D (all models)
- Concerto CRT-D (all models)
- Concerto II CRT-D (all models)
- Consulta CRT-D (all models)
- Evera ICD (all models)
- Maximo II CRT-D and ICD (all models)
- Mirro ICD (all models)
- Nayamed ND ICD (all models)
- Primo ICD (all models)
- Protecta ICD and CRT-D (all models)
- Secura ICD (all models)
- Virtuoso ICD (all models)
- Virtuoso II ICD (all models)
- Visia AF ICD (all models)
- Viva CRT-D (all models)