The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security has issued an advisory concerning critical flaws in the Conexus telemetry protocol in cardio defibrillators issued by Medtronic that could allow hackers to interfere with or modify the radio frequency communication in devices as well as read and write any valid memory location on such devices.
Medtronic's proprietary Conexus telemetry system, which powers the firm's cardio defibrillators, has been left vulnerable by several flaws in the Conexus telemetry protocol: an attacker with adjacent short-range access to an affected device can interfere with it, and the sensitive information stored in these devices is transmitted in clear text.
According to the Cybersecurity and Infrastructure Security Agency (CISA), devices that are vulnerable to external hacking due to these flaws in the protocol include MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, and a number of other cardio defibrillators such as Primo ICD, Virtuoso ICD, Virtuoso II ICD, Mirro ICD, Evera ICD, and Compia CRT-D.
Lack of encryption in cardio defibrillators can be quickly exploited
The agency noted that the Conexus telemetry protocol has no authentication or authorisation, so an attacker with adjacent short-range access to an affected device can, while the device's radio is turned on, inject, replay, modify and/or intercept data within the telemetry communication. In this way an attacker can change memory in the implanted cardiac device.
"Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications.
"The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device," it noted.
These vulnerabilities in Medtronic cardio defibrillators were discovered and demonstrated by security researchers at Clever Security, who first reported them to Medtronic in January last year. The researchers told Ars Technica that Medtronic had introduced certain changes to the consoles to make it harder to wirelessly read and rewrite defibrillator firmware, but that until the wireless connections are encrypted and authenticated these devices will remain vulnerable to external attacks.
"The changes Medtronic has already made ATTEMPT to detect attacks. Without updates to the defibrillator firmware, it's not realistically possible to prevent. The changes are intended to detect malicious activity," said Peter Morgan, founder and principal at Clever Security, adding that using a custom hardware device, they could carry out the entire range of attacks performed by the modified MyCareLink and CareLink consoles.
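To make concrete what "no authentication" and "inject, replay, modify" mean for a telemetry link, and why the researchers say detection alone cannot substitute for authenticated firmware, the following is an added illustration and is not code from the advisory, from Medtronic or from Clever Security. It uses a constructed toy frame format, not the Conexus wire format (which this article does not describe), and assumes a pre-shared symmetric key between programmer and implant; key provisioning and payload encryption are outside its scope. The unauthenticated receiver applies any well-formed write, while the authenticated receiver verifies an HMAC over a monotonic counter plus command, so forged, tampered and replayed frames are rejected and recorded in an audit log.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed toy command format (NOT the Conexus protocol):
#   command = opcode(1) | address(2, big-endian) | value(1)
# Authenticated frame = counter(4, big-endian) | command | HMAC-SHA256 tag(32)
OP_WRITE = 0x01
CMD_LEN = 4
CTR_LEN = 4
TAG_LEN = 32


def encode_command(opcode, address, value):
    return struct.pack(">BHB", opcode, address, value)


class UnauthenticatedDevice:
    """Accepts any well-formed command: the failure mode the advisory describes."""

    def __init__(self):
        self.memory = {}

    def receive(self, frame):
        opcode, address, value = struct.unpack(">BHB", frame)
        if opcode == OP_WRITE:
            self.memory[address] = value
            return "accepted"
        return "unknown_opcode"


class AuthenticatedDevice:
    """Requires a keyed MAC over (counter || command) and a strictly increasing
    counter; rejected frames are logged so that attempts are also detectable."""

    def __init__(self, key):
        self.key = key
        self.memory = {}
        self.last_counter = 0
        self.audit_log = []  # detection record of rejected frames

    def receive(self, frame):
        if len(frame) != CTR_LEN + CMD_LEN + TAG_LEN:
            return self._reject("bad_length")
        counter = struct.unpack(">I", frame[:CTR_LEN])[0]
        body, tag = frame[CTR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, frame[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad_tag")  # injected or modified frame
        if counter <= self.last_counter:
            return self._reject("replay")  # previously seen frame re-sent
        self.last_counter = counter
        opcode, address, value = struct.unpack(">BHB", body)
        if opcode == OP_WRITE:
            self.memory[address] = value
            return "accepted"
        return self._reject("unknown_opcode")

    def _reject(self, reason):
        self.audit_log.append(reason)
        return reason


class Programmer:
    """Legitimate sender holding the shared key and its own send counter."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def build_frame(self, opcode, address, value):
        self.counter += 1
        header_and_body = struct.pack(">I", self.counter) + encode_command(opcode, address, value)
        tag = hmac.new(self.key, header_and_body, hashlib.sha256).digest()
        return header_and_body + tag


def demo():
    # Without authentication, any radio-adjacent sender can write device memory.
    weak = UnauthenticatedDevice()
    results = {"weak_unauthenticated_write": weak.receive(encode_command(OP_WRITE, 0x0010, 0xFF))}

    key = secrets.token_bytes(32)  # constructed shared key; provisioning not modelled
    prog = Programmer(key)
    dev = AuthenticatedDevice(key)

    good = prog.build_frame(OP_WRITE, 0x0010, 0x42)
    results["legit"] = dev.receive(good)   # genuine programmer command
    results["replay"] = dev.receive(good)  # same frame captured and re-sent

    tampered = bytearray(good)
    tampered[CTR_LEN + 3] ^= 0xFF          # flip the value byte, keep the old tag
    results["modified"] = dev.receive(bytes(tampered))

    # A sender without the key cannot produce a valid tag.
    forged = struct.pack(">I", 99) + encode_command(OP_WRITE, 0x0010, 0xFF) + b"\x00" * TAG_LEN
    results["injected"] = dev.receive(forged)

    results["memory"] = dict(dev.memory)
    results["audit_log"] = list(dev.audit_log)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The counter check is what turns a passive capture into a harmless event: a replayed frame carries a valid tag but a stale counter, so it is refused without the device needing to recognise the attacker. The audit log gives the clinic-side monitor something to alert on, which is the "detect" half the researchers describe, while the MAC check is the "prevent" half that requires the implant firmware itself to change.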
Medtronic says flaws are extremely hard to exploit
In an email to Ars Technica, Medtronic played down the severity of the vulnerabilities in its cardio defibrillators, stating that exploiting these vulnerabilities would require an attacker to have "comprehensive and specialized knowledge of medical devices, wireless telemetry, and electrophysiology".
At the same time, Medtronic added that to exploit such flaws, an attacker would also need to know what device model is implanted in the patient, what changes to the device would cause a patient harm, what settings would need to be changed to alter the device function for that patient, what telemetry command(s) are needed to implement that change, and when the patient's telemetry is active and susceptible to the unauthorised programming attempt.
"Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.
"FDA and Medtronic recommend that patients and physicians continue to use devices and technology as prescribed and intended, as the benefits of remote monitoring outweigh the risks of exploiting these issues. To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues.
"Even in the unlikely scenario that an unauthorized user may be able to access the wireless technology, that access does not equate to the ability to control or manipulate the settings of an implanted heart device. Fully exploiting these issues requires comprehensive and specialized knowledge of devices, wireless communication and electrophysiology," the company added.