DHS warns of vulnerability in Medtronic medical devices

The Department of Homeland Security has released a cybersecurity alert regarding critical flaws in Medtronic medical equipment. The report, which came out on March 21, linked a critical vulnerability (CVSS score of 9.3) to numerous Medtronic implanted cardiac devices as well as the company's MyCareLink Monitor, CareLink Monitor, and CareLink 2090 Programmer. The vulnerability, which stems from “improper access control” and “cleartext transmission of sensitive information,” is considered by the DHS to be easily exploitable in capable hands.

The Department of Homeland Security explains the ramifications of this exploit in the following statement from the report:

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active.

Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

As reported by Kaspersky Lab’s Threatpost, Medtronic is aware of the situation and is working on a fix. The problem is that the fix will not be ready until an undetermined point in 2019. Compounding the issue, this is not the first time Medtronic products have had major vulnerabilities. As reporter Lindsey O’Donnell noted in her report for Threatpost, in 2018 the company dealt with a “remote code implantation” flaw that allowed access to the supposedly secure Software Deployment Network.

Medical equipment tends to not enter the conversation as much as it should when discussing InfoSec issues. As this case proves, there is still much to be done in securing equipment that literally saves lives. Let this serve as a warning to the entire medical industry that they need to step up their security measures.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
