A newly discovered cybersecurity vulnerability in as many as 750,000 Medtronic implantable defibrillators could let hackers control the devices. The Department of Homeland Security issued a medical advisory alert over a serious flaw in these devices. The vulnerability could allow hackers within close range of the patient to take control of the device by altering its programming. There are two computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some that are still on the market. The vulnerabilities also affect the bedside monitors that read data from the devices in patients’ homes and the in-office programming computers used by doctors.
Medtronic defibrillators are complex, battery-run computers placed beneath the skin in patients’ upper chests to monitor the heart and deliver electric shocks if an irregular heartbeat is detected. They’re designed to treat potentially deadly heart problems.
Researchers from Clever Security discovered that the Conexus Radio Frequency Telemetry Protocol (Medtronic’s proprietary means for monitors to wirelessly connect to the implanted devices) uses no encryption at all to protect these devices. This is what lets a hacker within radio range of the device get in. Further, the protocol has no authentication mechanism by which legitimate devices prove they are authorized to control the implant. Because of this, hackers can completely rewrite the defibrillator software.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s advisory reads, “Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.”
The advisory rates the flaw 9.3 out of 10 points and notes that it requires low skill to exploit. A higher base score indicates a more severe vulnerability, but the score assumes the hacker already has the knowledge and tools needed to mount the attack.
Medtronic is now actively monitoring its network for signs that someone is trying to exploit the vulnerabilities. The company says the affected defibrillators contain a feature that shuts down wireless communications upon receiving unusual commands.
The chief medical officer for Medtronic’s cardiac rhythm and heart failure products stated that a hacker would have to be within 20 feet of the patient, would need detailed knowledge of the device’s inner workings, and would need possession of special technology to pull off the hack.
The FDA is not likely to issue a recall. Instead, the device vulnerabilities will most probably be addressed in a future software patch. The company is working on a fix for these vulnerabilities, which it expects to release later this year.
A second vulnerability allows a hacker to read sensitive data streamed out of the device, such as the patient’s name and past health data, because this data is also transmitted without encryption.
Medtronic recommends that patients use only a remote monitor obtained directly from a health care provider or from Medtronic, keep the monitor plugged in so it can receive software updates, and maintain good physical control over the monitor.
Here at CipherCloud, we help organizations secure their cloud data using our CASB+ platform.
Our solution provides cloud governance with deep visibility, allowing you to discover your sensitive data, cloud apps and shadow IT and enforce AI-guided policies in minutes. Its data-security-centric CASB includes Cloud DLP, rights management, and end-to-end encryption to protect sensitive data.
We take data security seriously, and with our zero trust architecture and encryption protection, companies, nonprofits and other organizations can maintain control of their data and avoid egregious breaches.