A critical flaw in Medtronic heart defibrillators would allow a nearby attacker to change the settings of a patient’s cardiac device by manipulating radio communications between it and control devices.
The issue lies in Medtronic’s proprietary Conexus radio-frequency wireless telemetry protocol, which is used as part of its remote patient-management system for communicating between defibrillators, home monitoring devices, and clinician programming devices.
The security researchers found that the Conexus protocol has no authentication of any kind. An attacker within around 20 feet of the patient’s cardiac device can therefore inject, replay, modify, and intercept the telemetry data.
The Conexus protocol allows control devices to remotely read and write memory on the heart implants, so it is easy for an attacker with a software-defined radio to exploit the protocol’s lack of authentication to reprogram the cardiac device.
The flaw, tracked as CVE-2019-6538, has been given a CVSS severity rating of 9.3 out of 10 in the Department of Homeland Security (DHS) advisory.
The US Food and Drug Administration stated that it has confirmed that, if these vulnerabilities are exploited, it would be possible for an unauthorized person to access and manipulate the device, home monitor, or clinic programmer.
Another, low-severity flaw affecting the Conexus protocol poses a serious privacy threat to patients, because the data is transmitted between cardiac and control devices in the clear. A nearby attacker with radio equipment could intercept communications to learn about the person’s health condition.
Medtronic highlights in its advisory that Conexus telemetry is not used in its pacemakers.
Although the DHS advisory says the flaw requires a “low skill level” to exploit, some conditions must be in place before an attacker can exploit the flaws.
Firstly, the cardiac device needs to have radio communications enabled. This is done at the clinic before the implant procedure and during follow-up visits. Outside the clinic, radio activation times are more limited, vary for each patient, and are difficult to predict.
Medtronic is working on a patch, which the FDA will need to approve, to address the authentication and encryption weaknesses.
Even though the authentication flaw is threatening, Medtronic and the FDA recommend that patients continue to use the devices as prescribed. Despite these risks, the devices have several benefits, such as detection of arrhythmias, fewer hospital visits and improved survival rates.