Security researchers have identified two vulnerabilities in the Conexus telemetry protocol used by Medtronic MyCareLink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. One vulnerability is rated as ‘critical’, and the other is of ‘medium severity’.
A hacker would only need a low level of skill to exploit the vulnerabilities. However, the hacker would need to have adjacent access to the devices to exploit them.
The critical vulnerability was caused by a lack of authentication and authorisation controls in the Conexus telemetry protocol. A hacker with adjacent short-range access to a vulnerable device could inject, replay, modify or intercept data within the telemetry communication when the product’s radio is turned on.
An attacker could potentially change memory in a vulnerable implanted cardiac device. This could affect the functionality of the device.
The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3.
The medium severity vulnerability concerns the transmission of sensitive information in cleartext. The Conexus telemetry protocol does not use encryption, meaning an attacker with adjacent short-range access to a vulnerable product could intercept communications. Therefore, the hacker could gain access to sensitive patient data.
The vulnerability is being tracked as CVE-2019-6540 and has been assigned a CVSS v3 base score of 6.5.
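The two weaknesses described above, a telemetry link that neither authenticates its peer nor encrypts its traffic, are generic protocol failures, and the controls that close them are equally generic: a per-frame authentication tag, a replay counter, and encryption of the payload. The Python script below is an added illustration of those controls and is not Medtronic's code or the Conexus protocol; the frame layout, the class names (`UnauthenticatedReceiver`, `Sender`, `ProtectedReceiver`), the keys and the sample payloads are all constructed assumptions. It contrasts a receiver that trusts whatever arrives (the CVE-2019-6538 class) with one that rejects forged, modified and replayed frames, and shows that the protected frame carries no cleartext payload (the CVE-2019-6540 class). HMAC-SHA256 in counter mode stands in for a real AEAD cipher such as AES-GCM so that the script runs on the standard library alone.

```python
import hashlib
import hmac
import os
import struct

# Constructed frame layout for a hypothetical telemetry channel (an assumption,
# not the Conexus wire format):
#   counter (8 bytes, big-endian) || nonce (16 bytes) || ciphertext || tag (32 bytes)
COUNTER_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32

# Constructed test-only keys; a real design provisions per-device keys.
ENC_KEY = b"example-encryption-key-32-bytes!"
MAC_KEY = b"example-mac-key-for-demo-only!!!"


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; a stand-in for AES-GCM (nonce must never repeat)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class UnauthenticatedReceiver:
    """CVE-2019-6538 weakness class: every frame is trusted as received."""

    def __init__(self) -> None:
        self.accepted = []

    def receive(self, frame: bytes) -> bool:
        self.accepted.append(frame)              # injected, modified or replayed: all accepted
        return True


class Sender:
    """Emits frames that are encrypted, integrity-protected and replay-numbered."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key, self.counter = enc_key, mac_key, 0

    def send(self, plaintext: bytes) -> bytes:
        self.counter += 1                        # strictly increasing per frame
        nonce = os.urandom(NONCE_LEN)            # fresh nonce per frame
        ciphertext = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        header = struct.pack(">Q", self.counter) + nonce + ciphertext
        tag = hmac.new(self.mac_key, header, hashlib.sha256).digest()  # encrypt-then-MAC
        return header + tag


class ProtectedReceiver:
    """Accepts a frame only if its tag verifies and its counter advances."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_counter = 0
        self.accepted = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < COUNTER_LEN + NONCE_LEN + TAG_LEN:
            return False                         # truncated frame
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                         # forged or modified: authentication failed
        counter = struct.unpack(">Q", header[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return False                         # replayed or out-of-order frame
        nonce = header[COUNTER_LEN:COUNTER_LEN + NONCE_LEN]
        ciphertext = header[COUNTER_LEN + NONCE_LEN:]
        self.last_counter = counter
        self.accepted.append(_xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext))))
        return True


def demo() -> dict:
    """Run both receivers over constructed frames and report what each accepted."""
    reading = b"HR=72;BATT=2.9V"                 # constructed sample telemetry payload
    stray = b"SET_PARAM=1"                       # constructed frame from an unknown sender
    weak, sender = UnauthenticatedReceiver(), Sender(ENC_KEY, MAC_KEY)
    strong = ProtectedReceiver(ENC_KEY, MAC_KEY)
    frame1, frame2 = sender.send(reading), sender.send(reading)
    tampered = bytearray(frame2)
    tampered[COUNTER_LEN + NONCE_LEN] ^= 0x01    # one ciphertext bit flipped in transit
    return {
        "unauthenticated_accepts_anything": weak.receive(stray),
        "protected_accepts_genuine": strong.receive(frame1),
        "protected_rejects_replay": not strong.receive(frame1),
        "protected_rejects_modified": not strong.receive(bytes(tampered)),
        "protected_accepts_next": strong.receive(frame2),
        "payload_absent_from_air": reading not in frame1,  # CVE-2019-6540 class: no cleartext
        "recovered": strong.accepted[-1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the script prints one line per check; every `protected_*` entry is `True` and `recovered` equals the original reading, while the unauthenticated receiver accepts the stray frame without complaint. The order of the checks in `ProtectedReceiver.receive` matters: the tag is verified before the counter is read, so a forged frame cannot move the replay window, and `hmac.compare_digest` keeps the comparison constant-time. A monotonically increasing counter is the simplest replay defence; a design that must tolerate lost or reordered frames would use a sliding window instead.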
The vulnerabilities affect the following Medtronic devices:
- Versions 24950 and 24952 of MyCareLink Monitor
- Version 2490C of CareLink Monitor
- CareLink 2090 Programmer
All models of the following implanted cardiac devices are affected:
- Amplia CRT-D
- Claria CRT-D
- Compia CRT-D
- Concerto CRT-D
- Concerto II CRT-D
- Consulta CRT-D
- Evera ICD
- Maximo II CRT-D and ICD
- Mirro ICD
- Nayamed ND ICD
- Primo ICD
- Protecta ICD and CRT-D
- Secura ICD
- Virtuoso ICD
- Virtuoso II ICD
- Visia AF ICD
- Viva CRT-D
Medtronic has implemented additional controls for monitoring and responding to any cases of improper use of the telemetry protocol used by affected ICDs. Medtronic will issue future updates to further protect vulnerable devices from exploitation by hackers.
Medtronic has advised that users of the devices should ensure unauthorised individuals cannot physically access home monitors and programmers. It has recommended that home monitors should only be used in private environments, and that users should only use home monitors, programmers, and ICDs that have been supplied by healthcare providers or Medtronic representatives.
Medtronic has also warned that unapproved devices should not be connected to monitors through USB ports or other physical connections, and that programmers should only be used to connect with ICDs in hospital and clinical environments.
The vulnerabilities were identified by multiple security researchers who reported them to NCCIC. These include Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; former KU Leuven researcher Eduard Marin; Flavio D. Garcia; Tom Chothia; and Rik Willems.