A cybersecurity alert has been released by the Department of Homeland Security regarding critical flaws in Medtronic medical equipment. The report, which came out on March 21, linked a critical vulnerability (CVSS score of 9.3) to numerous Medtronic implanted cardiac devices as well as the company's MyCareLink Monitor, CareLink Monitor, and CareLink 2090 Programmer. The vulnerability, which stems from “improper access control” and “cleartext transmission of sensitive information,” is considered by the DHS to be easily exploitable in capable hands.
The Department of Homeland Security explains the ramifications of this exploit in the following statement from the report:
Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active.
Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.
As reported by Kaspersky Lab’s Threatpost, Medtronic is aware of the situation and is working on a fix. The problem is that the fix will not be ready until an undetermined point in 2019. Compounding the issue, this is not the first time Medtronic products have had major vulnerabilities. As reporter Lindsey O’Donnell noted in her report for Threatpost, in 2018 the company dealt with a “remote code implantation” flaw that allowed access to the supposedly secure Software Deployment Network.
Medical equipment does not come up as often as it should in discussions of InfoSec issues. As this case proves, there is still much to be done in securing equipment that literally saves lives. Let this serve as a warning to the entire medical industry that it needs to step up its security measures.