DHS warns of vulnerability in Medtronic medical devices

The Department of Homeland Security has released a cybersecurity alert regarding critical flaws in Medtronic medical equipment. The report, which came out on March 21, linked a critical vulnerability (CVSS score of 9.3) to numerous Medtronic implanted cardiac devices as well as the company's MyCareLink Monitor, CareLink Monitor, and CareLink 2090 Programmer. The vulnerability, which stems from “improper access control” and “cleartext transmission of sensitive information,” is considered by the DHS to be easily exploitable in capable hands.

The Department of Homeland Security explains the ramifications of successful exploitation in the following statement from the report:

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active.

Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

As reported by Kaspersky Lab’s Threatpost, Medtronic is aware of the situation and is working on a fix. The problem is that the fix will not be ready until an undetermined point in 2019. Compounding the issue, this is not the first time Medtronic products have had major vulnerabilities. As reporter Lindsey O’Donnell noted in her report for Threatpost, in 2018 the company dealt with a “remote code implantation” flaw that allowed access to the supposedly secure Software Deployment Network.

Medical equipment tends to not enter the conversation as much as it should when discussing InfoSec issues. As this case proves, there is still much to be done in securing equipment that literally saves lives. Let this serve as a warning to the entire medical industry that they need to step up their security measures.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
