The federal government on Thursday warned of a serious flaw in Medtronic cardio defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient.
Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. In recent decades, doctors have increasingly used radios to monitor and adjust the devices once they’re implanted rather than using older, costlier, and more invasive means. An array of implanted cardio defibrillators made by Medtronic rely on two types of radio-based consoles for initial setup, periodic maintenance, and regular monitoring. Doctors use the company’s CareLink Programmer in clinics, while patients use the MyCareLink Monitor in homes to regularly ensure the defibrillators are working properly.
No encryption, no authentication, and a raft of other flaws
Researchers from security firm Clever Security discovered that the Conexus Radio Frequency Telemetry Protocol (Medtronic’s proprietary means for the monitors to wirelessly connect to implanted devices) provides no encryption to secure communications. That makes it possible for attackers within radio range to eavesdrop on the communications. Even worse, the protocol has no means of authentication for legitimate devices to prove they are authorized to take control of the implanted devices. That lack of authentication, combined with a raft of other vulnerabilities, makes it possible for attackers within radio range to completely rewrite the defibrillator firmware, an exploit that’s rarely seen affecting most medical device vulnerabilities to date.