Medtronic cardiac implants can be hacked, FDA issues alert

Note. Naked Security cannot provide medical advice nor answer questions about specific Medtronic devices. If you’re concerned please contact your health professional or Medtronic directly on (US) 855-275-2717.

The US Food and Drug Administration (FDA) has issued a warning about two dangerous security flaws affecting a number of implantable heart defibrillators and home monitoring systems manufactured by medical device giant Medtronic.

According to an alert put out last week, the flaws affect all models from 20 product families of Implantable Cardioverter Defibrillators (ICDs), which are placed inside patients’ bodies to automatically counteract life-threatening cardiac arrhythmias.

Discovered by a team of researchers in the Netherlands and the UK, the problem is with the inhouse wireless technology, Conexus, which the ICDs use for telemetry, configuration and to retrieve device info.

The vulnerabilities

The first flaw, identified as CVE-2019-6538, is that Conexus wireless protocol has no authentication or authorization, which means that when the device’s radio is turned on, attackers can take control of the communication.

Having done so, there is nothing to stop them from reconfiguring an ICD device with potentially life-threatening settings.

The second flaw, CVE-2019-6540, is that the Conexus protocol doesn’t use any form of wireless encryption, so that attackers nearby can sniff out sensitive data going to and from the device.

The silver lining is that attackers would have to be close to the target device at precisely the right moment.

According to Medtronic, ICD communications are only activated in a hospital setting, so patients are not vulnerable when they are at home or out and about. In its notification, the company also pointed out:

Taking advantage of these vulnerabilities in order to cause harm to a patient would require detailed knowledge of medical devices, wireless telemetry and electrophysiology.

Medtronic hasn’t said when software updates will be made available to address the vulnerabilities. (The updates themselves will require medical approval.)

Meantime, mitigations include: only connecting to the devices in medical facilities, and reporting “concerning behaviour” .

It unlikely that these flaws have been exploited by attackers. As the company says, targeting them would still require advanced knowledge of their operation as well as knowledge of the flaws themselves. However, just to be on the safe side:

Medtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these vulnerabilities.

What the flaws underline, however, is how medical devices are dogged by the problem of weak security, much of it relating to devices designed in the past.

A decade or more ago, adding wireless capability to huge amount of medical equipment looked like an easy win for convenience.

Unfortunately, security was low on the priority list and based on too many assumptions about likelihood and motive. We now see regular medical device security alerts, including one affecting Medtronic’s pacemakers last August.

Mitigations

These are the affected Medtronic devices:

Medtronic has released patient-focused information in this security bulletin, which includes recommendations from the company to mitigate the risks to patients.