
Medtronic Patches Vulnerabilities in CareLink, Implanted Medical Devices

Medical device giant Medtronic recently issued a set of patches for previously disclosed vulnerabilities found in its CareLink programmers and certain implanted devices.


By Jessica Davis

Medtronic recently issued a set of patches for previously disclosed vulnerabilities found in certain implanted cardiac medical devices and its CareLink Encore 29901 programmers.

The first set of updates is for the flaw in Medtronic’s proprietary Conexus telemetry system, first disclosed in March 2018. Found in thousands of the vendor’s cardiac defibrillators, the vulnerability could allow a hacker to remotely control the implanted devices.

According to the initial alerts from the Department of Homeland Security and the Food and Drug Administration, the issue lies in the protocol’s lack of authentication or authorization. As a result, an attacker in close range could gain access to a defibrillator whose radio is turned on, then inject, replay, modify, and/or intercept its data communications.

A recent advisory from DHS’s Cybersecurity and Infrastructure Security Agency (CISA) assigned the flaw, tracked as CVE-2019-6538, a 9.3 rating, or critical severity.

Medtronic’s latest advisory applies to all models of its Brava CRT-D, Evera MRI ICD, Evera ICD, Mirro MRI ICD, Primo MRI ICD, and Viva CRT-D. The affected protocol is designed to perform remote monitoring of the device, display and print real-time device data for clinicians, and change device settings. The protocol also fails to implement encryption.

“To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these vulnerabilities,” officials wrote. “Conexus telemetry is not used in Medtronic pacemakers (including those with Bluetooth wireless functionality). Additionally, CareLink Express monitors and the CareLink Encore programmers (Model 29901) used by some hospitals and clinics do not use Conexus telemetry.”

“Taking advantage of these vulnerabilities in order to cause harm to a patient would require detailed knowledge of medical devices, wireless telemetry and electrophysiology,” they added.

The second round of updates applies to the CareLink Express monitors and the CareLink Encore programmers typically used by hospitals. The flaws were first reported in February 2018 and the advisory was updated in October 2018.

The updated advisory states the vulnerabilities found in these devices “may allow an individual with malicious intent to update the programmers with non-Medtronic software.”

“If not mitigated, these vulnerabilities could result in potential harm to a patient,” officials wrote. “To date, we have not received a report of such an attack or patient harm. These vulnerabilities also exist with the CareLink Encore 29901 programmer and its association with the SDN. No other Medtronic programmers are impacted by this vulnerability.”

The tech giant has patched three of these non-critical vulnerabilities, including one that allowed credentials to be stored in a recoverable format and another, a path traversal flaw in the SDN, that could allow unauthorized users to view files stored on the system.

Another patch was issued for a flaw scored at 7.1 severity: the devices improperly restrict communication channels to their intended endpoints, which allows a remote man-in-the-middle attack.

“The affected products do not verify the origin or integrity of these updates, as it insufficiently relied on the security of the VPN,” CISA officials wrote in an updated advisory. “An attacker with remote network access to the programmer could influence these communications.”
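The advisory’s point is that transport security (a VPN) is not a substitute for verifying the update artifact itself. The following Go program is an added illustration, not Medtronic’s code and not taken from the advisory; it assumes a hypothetical programmer that carries a vendor public key pinned in its image and receives updates as an image plus a detached Ed25519 signature. It contrasts an install path that trusts whatever arrives over the channel with one that refuses any image whose signature does not verify under the pinned key, using constructed sample bundles.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateBundle is a constructed stand-in for a programmer software update:
// the image bytes plus a detached signature made with the vendor's private key.
type UpdateBundle struct {
	Image     []byte
	Signature []byte
}

var ErrUnsigned = errors.New("update rejected: signature does not verify under the pinned vendor key")

// installTrustingTransport models the weak pattern described in the advisory:
// the programmer installs whatever bytes arrive, so the only control is the
// network path. A changed or substituted image is not detected here.
func installTrustingTransport(b UpdateBundle) ([]byte, error) {
	return b.Image, nil
}

// installVerified checks origin and integrity of the artifact itself. The
// signature must verify under a public key pinned in the device (an assumption
// of this example), so an image altered in transit or signed by anyone other
// than the vendor is refused before it is applied.
func installVerified(pinned ed25519.PublicKey, b UpdateBundle) ([]byte, error) {
	if !ed25519.Verify(pinned, b.Image, b.Signature) {
		return nil, ErrUnsigned
	}
	return b.Image, nil
}

// signUpdate is the vendor-side step, done once at build time with the private key.
func signUpdate(priv ed25519.PrivateKey, image []byte) UpdateBundle {
	return UpdateBundle{Image: image, Signature: ed25519.Sign(priv, image)}
}

// Outcome records, for one scenario, whether each install path accepted the bundle.
type Outcome struct {
	Scenario          string
	TransportAccepted bool
	VerifiedAccepted  bool
}

// RunScenarios builds three constructed bundles (genuine, altered after signing,
// signed by a key that is not the vendor's) and runs both install paths over each.
func RunScenarios() ([]Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	image := []byte("constructed programmer image v1.0") // constructed sample payload

	genuine := signUpdate(vendorPriv, image)

	altered := signUpdate(vendorPriv, image)
	altered.Image = bytes.Replace(altered.Image, []byte("v1.0"), []byte("v1.0-mod"), 1)

	otherKey := signUpdate(otherPriv, image)

	cases := []struct {
		name string
		b    UpdateBundle
	}{{"genuine", genuine}, {"altered", altered}, {"other-key", otherKey}}

	var out []Outcome
	for _, c := range cases {
		_, tErr := installTrustingTransport(c.b)
		_, vErr := installVerified(vendorPub, c.b)
		out = append(out, Outcome{c.name, tErr == nil, vErr == nil})
	}
	return out, nil
}

func main() {
	outcomes, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, o := range outcomes {
		fmt.Printf("%-10s transport-only accepted=%v  signature-verified accepted=%v\n",
			o.Scenario, o.TransportAccepted, o.VerifiedAccepted)
	}
}
```

The transport-only path accepts all three bundles; the verified path accepts only the genuine one. The design point is that verification is bound to the artifact and the pinned key, so it holds regardless of how the bytes reached the device.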

The issued patches should remediate these issues, and Medtronic officials explained that the SDN can once again be used by providers to update the programmers. To date, there have been no reports that these flaws have been exploited.