The Department of Homeland Security is warning users of Medtronic defibrillators of two vulnerabilities that could lead to an attacker accessing and altering the device.
The warning, which was issued through the DHS Cybersecurity and Infrastructure Security Agency, covers two vulnerabilities, CVE-2019-6538 and CVE-2019-6540. A complete list of the models affected can be found here.
The first, CVE-2019-6538, is a flaw in the Conexus telemetry system the devices use to communicate: the protocol implements neither authentication nor authorization. This could allow an attacker, who must be relatively close to the defibrillator, to intercept, read, modify and inject data in the device’s RF signal. This, in turn, would allow someone to read from or write to the memory of the implanted device.
CVE-2019-6540 involves the Conexus telemetry system not using encryption: data is transmitted in cleartext, so an attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.
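As an added illustration (not Medtronic's code and not the Conexus wire format; the toy frame layout, opcodes and session key are constructed for this example), the snippet contrasts a receiver that accepts any frame it hears with one that requires a keyed MAC and a monotonic counter, the kind of authentication and replay protection CVE-2019-6538 says the protocol lacks. Encryption of the body, which would address the cleartext issue in CVE-2019-6540, is left out to keep the example short.

```python
import hmac
import hashlib
import struct

# Constructed toy telemetry frame (illustration only, NOT the Conexus format):
#   opcode (1 byte): 0x01 = read memory, 0x02 = write memory
#   address (2 bytes), payload (variable length)
OP_READ, OP_WRITE = 0x01, 0x02
TAG_LEN = 32  # HMAC-SHA256 output size


def parse_unauthenticated(frame: bytes) -> dict:
    """Mirrors the flaw: nothing ties a frame to an authorised programmer or
    home monitor, so any frame with a well-formed header is acted upon."""
    opcode, addr = struct.unpack(">BH", frame[:3])
    return {"opcode": opcode, "addr": addr, "payload": frame[3:]}


def seal(key: bytes, counter: int, opcode: int, addr: int, payload: bytes) -> bytes:
    """Programmer side: counter || opcode || addr || payload || HMAC(key, all of it).
    The MAC defeats modification and injection; the counter defeats replay."""
    body = struct.pack(">IBH", counter, opcode, addr) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Implant side: holds the shared session key and the last accepted counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def open(self, frame: bytes):
        """Return the parsed command, or None if the frame must be rejected."""
        if len(frame) < 7 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified in flight, or injected by a party without the key
        counter, opcode, addr = struct.unpack(">IBH", body[:7])
        if counter <= self.last_counter:
            return None  # replay of a previously captured frame
        self.last_counter = counter
        return {"opcode": opcode, "addr": addr, "payload": body[7:]}
```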
Medtronic has pushed out some additional controls for monitoring and responding to improper use of the Conexus telemetry protocol, and more are expected. In the meantime, the company said users should maintain good physical control over home monitors and programmers; use only home monitors, programmers and implantable devices obtained directly from their healthcare provider or a Medtronic representative, to ensure the integrity of the system; and not connect unapproved devices to home monitors and programmers through USB ports or other physical connections.