Researchers find potentially deadly flaw in Medtronic Cardio defibrillators

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent notice regarding Medtronic cardio defibrillators. Researchers have found critical vulnerabilities in the hardware that, if exploited, could put lives at risk.

Whereas before doctors had to open up a patient to modify such a device, today’s smarter defibrillators can be maintained from outside. But that presents a huge problem when the device is flawed.

The devices in question have wireless functions for programming, calibration and maintenance. According to the researchers, Medtronic’s proprietary communication protocol that wirelessly connects to implanted devices is not encrypted, allowing man-in-the-middle attacks (eavesdropping, data exfiltration). Neither does the protocol include authentication, meaning a motivated attacker could attempt to hack the implant with a custom-made controller.

From CISA’s advisory:

“Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data… The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.”

Since cardio defibrillators are designed to ensure proper beating of the heart, any tampering with its behavior can be life-threatening. CISA provides the following precautions to patients with Medtronic devices in their chests:

• Maintain good physical control over home monitors and programmers.
• Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system.
• Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections.
• Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments.
• Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
• Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative.

In a statement to Ars Technica, Medtronic downplayed allegations that the vulnerabilities in its hardware are severe, but didn’t deny them either.

Representative Ryan Mathre tells the publication that the risk the vulnerabilities would be exploited is low because “an unauthorized user would need comprehensive and specialized knowledge of medical devices, wireless telemetry, and electrophysiology to fully exploit these vulnerabilities in order to harm a specific patient.”

In any case, Mathre said, Medtronic is working on an update for the hardware that it plans to roll out later this year.