DHS warns of vulnerability in Medtronic medical devices

A cybersecurity alert has been released by the Department of Homeland Security regarding critical flaws in Medtronic medical equipment. The report, which came out on March 21, linked a critical vulnerability (CVSS score of 9.3) to numerous Medtronic implanted cardiac devices as well as their MyCareLink Monitor, CareLink Monitor, and CareLink 2090 Programmer. The vulnerability, which stems from “improper access control” and “cleartext transmission of sensitive information,” is considered by the DHS to be easily exploitable in capable hands.

The Department of Homeland Security explains the ramifications of these vulnerabilities in the following statement from the report:

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active.

Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

As reported by Kaspersky Lab’s Threatpost, Medtronic is aware of the situation and is working on a fix. The problem is that the fix will not be ready until an undetermined point in 2019, and, further compounding the issue, this is not the first time Medtronic products have had major vulnerabilities. As reporter Lindsey O’Donnell noted in her report for Threatpost, 2018 saw the company dealing with a “remote code implantation” flaw that allowed access to the supposedly secure Software Deployment Network.

Medical equipment tends not to enter the conversation as often as it should when InfoSec issues are discussed. As this case proves, there is still much to be done in securing equipment that literally saves lives. Let this serve as a warning to the entire medical industry that it needs to step up its security measures.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
