Homeland Security warns of critical flaws in Medtronic defibrillators

Homeland Security has issued a warning for a set of critical-rated vulnerabilities in Medtronic defibrillators that put the devices at risk of manipulation.

These small cardio-defibrillators are implanted in a patient’s chest to deliver small electrical shocks to prevent irregular or dangerously fast heartbeats, which can prove fatal. Most modern devices come with wireless or radio-based technology to allow patients to monitor their conditions and their doctors to adjust settings without having to carry out an invasive surgery.

But the government-issued alert warned that Medtronic’s proprietary radio communications protocol, known as Conexus, wasn’t encrypted and did not require authentication, allowing a nearby attacker with radio-intercepting hardware to modify data on an affected defibrillator.

Homeland Security gave the alert a 9.3 out of 10 rating, describing it as requiring “low skill level” to exploit.

It doesn’t mean that anyone with an affected defibrillator is suddenly a walking target for hackers. These devices aren’t always broadcasting a radio frequency as it would be too battery intensive. Medtronic said patients would be most at risk when patients are getting their implant checked while they’re at their doctor’s office. At all other times, the defibrillator will occasionally wake up and listen for a nearby monitoring device if it’s in range, narrowing the scope of an attack.

More than 20 different Medtronic defibrillators and models are affected, the alert said, including the CareLink programmer used in doctor’s offices and the MyCareLink monitor used in patient homes.

Peter Morgan, founder and principal at Clever Security, found and privately reported the bug to Medtronic in January. In an email, Morgan told TechCrunch that the bugs weren’t easy to discover, but warned of a potential risk to patients.

“It is possible with this attack to cause harm to a patient, either by erasing the firmware that is giving necessary therapy to the patient’s heart, or by directly invoking shock related commands on the defibrillator,” he said. “Since this protocol is unauthenticated, the ICD cannot discern if communications its receiving are coming from a trusted Medtronic device, or an attacker.”

A successful attacker could erase or reprogram the defibrillator’s firmware, and run any command on the device.

Medtronic said in its own advisory that it’s not aware of any patient whose devices have been attacked, but that the company was “developing updates” to fix the vulnerabilities, but did not say when fixes would be rolled out.

The Food and Drug Administration (FDA), which regulates medical devices, provided a list of the affected devices.

It’s the latest example of smart medical devices taking a turn for the worst, even as spending in healthcare cybersecurity is set to become a $65 billion industry by 2021.

The FDA rolled out non-binding recommendations in 2016 to advise medical device makers into practicing better cybersecurity to prevent these kinds of flaws from occurring in the first place, advising companies to “build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats.”

Yet, this latest government alert marks the second time in two years Medtronic was forced to respond to security flaws in its medical devices. In October, the company finally shuttered an internet-based software update system that put its pacemaker-monitoring devices at risk.