Researchers Billy Rios and Jonathan Butts criticized Medtronic’s response to medical device security issues in its products during a presentation at the BlackHat security conference held last week in Las Vegas.
The researchers said that they informed Medtronic last year about the vulnerabilities they had discovered, but that the vendor was uncooperative and unresponsive, according to a report on the presentation by Security Boulevard.
Medtronic “spent more time trying to twist the story than fixing it—and we told them how to fix it,” Butts was quoted as saying.
When the researchers first contacted the vendor about the vulnerabilities and provided research documentation, Medtronic representatives said they were “setting up a testing environment” to reproduce the results, according to their presentation.
But eight months later, the company admitted that it had never set up a testing environment to reproduce the results. Ten months later, the vendor said that there were no patient safety implications to the findings, according to the researchers.
“We have no financial interest here—we’re not invested in anything related to this. We’re just passionate about patient safety, and they have the money to fix this. Do you think Microsoft, Google, or Adobe would take 18 months to push out a patch?” Butts was quoted by Security Boulevard as saying.
“Most vendors are trying to do the right thing. But situations like this show the industry still has a long way to go,” he added.
A number of security advisories and product safety advisories about Medtronic devices have been issued this year.
In May, ICS-CERT warned that the vendor’s N’Vision clinical programmer stored PHI and PII on the machine without encryption, putting that patient data at risk. The handheld 8840 N’Vision clinical programmer is used to program Medtronic neuromodulation devices.
Medtronic said it is not developing a product update to address the vulnerability, because an attacker would need physical access to the programmer and its card, and because the devices are intended for use only by healthcare practitioners.
In June, an ICS-CERT advisory noted that the Medtronic MyCareLink handheld patient monitor, used by patients with an implantable heart device, suffers from cybersecurity vulnerabilities that could allow an attacker to gain access to the operating system and product development code.
These vulnerabilities — hard-coded password and exposed dangerous method or function — could enable an attacker with physical access to the monitor to use the hard-coded password to access the operating system. They could also enable an attacker using the monitor near the implantable cardiac device to read and write arbitrary memory values on the device.
Also in June, Medtronic released two product advisories for its medical devices. The first advisory dealt with Percepta and Percepta Quad CRT-P MRI SureScan heart pacemakers, which have the potential for a device reset caused by a timing interaction between the EffectivCRT diagnostic and the ventricular safety pacing feature.
A software update, Application SW040 Version 8.1, is available for installation on all CareLink Model 2090 and Encore programmers to fix this issue. Once installed on a programmer, an in-clinic device interrogation will update the patient’s device automatically to prevent this timing interaction from generating a reset.
The second advisory involved EnTrust and Escudo implantable cardioverter defibrillators, which have the potential for loss of high voltage and anti-tachycardia pacing therapy as they near elective replacement indicator voltage.
Through June 15, Medtronic had confirmed 25 charge timeout events related to this issue, with no patient deaths or complications. All events occurred during routine capacitor formation or in-clinic charge testing.
In August, ICS-CERT flagged further vulnerabilities in the Medtronic MyCareLink patient monitor: insufficient verification of data authenticity and storage of passwords in a recoverable format.
MyCareLink patient monitor is a remote monitoring system for patients with Medtronic implantable cardiac devices, which allows patients to transmit device data to the CareLink Network using a cellular connection for viewing by clinicians.
ICS-CERT also warned this week about vulnerabilities — cleartext transmission of sensitive information and authentication bypass by capture-replay — in the Medtronic MiniMed Paradigm insulin pump and remote controller.
By exploiting these vulnerabilities, an attacker could replay captured wireless communications and trigger an insulin (bolus) delivery.
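To make the capture-replay weakness concrete, the following is an added illustration and not Medtronic code; the page does not describe the MiniMed Paradigm radio protocol, and the frame format, the pre-shared key, the class names and the command string are all assumptions constructed for this example. It models a remote controller sending a bolus command to a pump: the naive receiver accepts any well-formed frame, so a passively captured frame can be resent, while the hardened receiver binds a monotonically increasing counter to the command with an HMAC and rejects any frame whose counter is not fresh.

```python
"""Toy model of a wireless command link with and without replay protection.

Added example only: NOT the MiniMed Paradigm protocol (which the page does not
describe). Frame layout, key, names and the BOLUS command are assumed.
"""
import hashlib
import hmac

# Constructed pre-shared key for the example; a real pairing would provision one.
KEY = b"constructed-shared-key-for-example"
TAG_LEN = 32  # HMAC-SHA256 output length


class NaiveRemote:
    """Sends cleartext commands with no freshness information."""

    def bolus(self, units: float) -> bytes:
        return f"BOLUS:{units}".encode()


class NaivePump:
    """Accepts any well-formed command: no authentication, no freshness check,
    so a captured frame can be resent at will (authentication bypass by replay)."""

    def __init__(self) -> None:
        self.delivered: list[float] = []

    def receive(self, frame: bytes) -> bool:
        if frame.startswith(b"BOLUS:"):
            self.delivered.append(float(frame[6:].decode()))
            return True
        return False


class HardenedRemote:
    """Prefixes every command with an increasing counter and appends an HMAC
    over counter||command, so neither can be altered or reused."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def bolus(self, units: float) -> bytes:
        self.counter += 1
        body = self.counter.to_bytes(8, "big") + f"BOLUS:{units}".encode()
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class HardenedPump:
    """Verifies the tag first, then requires the counter to exceed the last one
    seen. A replayed frame carries a stale counter and is rejected."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.delivered: list[float] = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 8 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered (e.g. counter bumped by attacker)
        counter = int.from_bytes(body[:8], "big")
        if counter <= self.last_counter:
            return False  # stale counter: replay
        self.last_counter = counter
        command = body[8:]
        if command.startswith(b"BOLUS:"):
            self.delivered.append(float(command[6:].decode()))
            return True
        return False


def replay_attack(remote, pump, units: float = 1.0):
    """Attacker passively captures one legitimate frame, then resends it twice.
    Returns (legitimate_accepted, replays_accepted, total_units_delivered)."""
    frame = remote.bolus(units)
    legit = pump.receive(frame)
    replays = sum(1 for _ in range(2) if pump.receive(frame))
    return legit, replays, sum(pump.delivered)


def tamper_attack(remote, pump, units: float = 1.0) -> bool:
    """Attacker captures a frame and bumps its counter to look fresh; without
    the key the HMAC no longer matches. Returns whether the pump accepted it."""
    frame = remote.bolus(units)
    bumped = (int.from_bytes(frame[:8], "big") + 1).to_bytes(8, "big")
    return pump.receive(bumped + frame[8:])


if __name__ == "__main__":
    print("naive:   ", replay_attack(NaiveRemote(), NaivePump()))
    print("hardened:", replay_attack(HardenedRemote(KEY), HardenedPump(KEY)))
```

The counter-plus-MAC scheme only addresses freshness and integrity; the command itself still travels in the clear, so a fix for the separate cleartext-transmission finding would additionally encrypt the frame, and a real design must also handle counter resynchronisation after a reset and the case where the pairing key itself is compromised.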