DHS warns of vulnerability in Medtronic medical devices

A cybersecurity alert has been released by the Department of Homeland Security regarding critical flaws in Medtronic medical equipment. The report, which came out on March 21, linked a critical vulnerability (CVSS score of 9.3) to numerous Medtronic implanted cardiac devices as well as their MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer. The vulnerability, which stems from “improper access control” and “cleartext transmission of sensitive information,” is considered by the DHS to be easily exploitable in capable hands.

The Department of Homeland Security explains the ramifications of this exploit in the following statement from the report:

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active.

Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

As reported by Kaspersky Lab’s Threatpost, Medtronic is aware of the situation and is working on a fix. The problem is that the fix will not be ready until an undetermined point in 2019, and further compounding the issue, this is not the first time Medtronic products have had major vulnerabilities. As reporter Lindsey O’ Donnell noted in her report for Threatpost, 2018 saw the company dealing with a “remote code implantation” flaw that allowed access to the supposedly secure Software Deployment Network.

Medical equipment tends to not enter the conversation as much as it should when discussing InfoSec issues. As this case proves, there is still much to be done in securing equipment that literally saves lives. Let this serve as a warning to the entire medical industry that they need to step up their security measures.

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Facebook creating deep fakes — and for genuinely good reasons

Deep fakes are a catastrophe waiting to happen. Facebook’s attempt to create a tool that differentiates between real and fake…

2 days ago

Microsoft Intune gets a new streamlined user experience

Microsoft Intune is getting a bunch of new updates that will streamline the administration experience for users of the popular…

2 days ago

SD-WAN: Is this going to be your network of the future?

As businesses evolve into a SaaS/IaaS model for accessing applications, new network technology is crucial. SD-WAN is just such a…

2 days ago

Monitoring Exchange and the rest of your network to avert disasters

What you don’t know about Exchange and your network can come back to bite you. Monitoring Exchange is one way…

3 days ago

Quick tip: Removing warning messages from Azure cmdlets

Warnings are nice, except when they are annoying and unnecessary. Here’s a tip to show you how to remove warning…

3 days ago

Is the Group Policy Central Store still relevant in the age of Windows 10?

Having a Group Policy Central Store in Active Directory made life easier for administrators. But does it still work in…

3 days ago