Medtronic, the world's largest medical device company, has acknowledged that many of its implanted cardiac defibrillators use an unencrypted wireless protocol that could let an attacker change the device settings. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has assigned the flaw a vulnerability score of 9.3 -- near the top of its 10-point scale. CISA said the flaw makes it possible for an unauthorized party to read and write any memory location of the implanted devices. At issue is the Conexus radio frequency telemetry protocol, which Medtronic uses as part of its remote patient-management system for communication between defibrillators, home monitoring devices, and clinician programming devices. According to CISA, affected devices include the MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, and other Medtronic implanted cardiac devices listed in its alert. The primary vulnerabilities are improper access control and unencrypted transmission of sensitive information.
"Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data," CISA said. "The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device."
The CISA alert goes on to say, "Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices. Additional mitigations are being developed and will be deployed through future updates, assuming regulatory approval. Medtronic recommends that users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities." These "additional defensive measures" are spelled out in the CISA alert.
The US Food and Drug Administration has also issued an alert. -- Thanks to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency