Medtronic has released updates to address known vulnerabilities in its line of connected medical devices that were initially disclosed last year and in 2018.
The vendor has addressed two sets of bugs. The first group, disclosed in March of last year, is found in a range of Medtronic implanted cardiac resynchronization therapy with defibrillation (CRT-D) devices; and in multiple implantable cardioverter defibrillators (ICDs). An ICS-CERT advisory last week gives the most severe of the flaws a CVSS “critical” severity rating of 9.3.
The second group impacts the CareLink 2090 and CareLink Encore 29901 programmers, and their accompanying Software Deployment Network (SDN).
Implanted Device Bugs
The medical device giant said in an advisory last week that at issue is the proprietary Medtronic Conexus radio frequency (RF) wireless telemetry protocol that the devices use for remote monitoring of a patient’s implanted cardiac device. The protocol is also used to display and print device information in real time for clinicians; and for changing the devices’ settings.
The critical flaw, CVE-2019-6538, arises from improper access control, according to ICS-CERT; i.e., the Conexus protocol has no authentication mechanism.
An attacker could potentially access, and change the settings of, an implantable device, home monitor or clinic programmer. “An attacker…can inject, replay, modify and/or intercept data within the telemetry communication,” the ICS-CERT advisory reads. “This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.”
A second flaw, CVE-2019-6540 (CVSS score 6.5), arises because the protocol does not implement encryption.
However, the company said that carrying out an exploit that could actually cause harm to a patient would be difficult at best given that the protocol’s range is only 20 feet – so an attacker would need to be in close physical proximity to the patient to cause any damage.
Also, the RF capability would need to be active for an attack to take place, and Medtronic noted that “outside of the hospital/clinic, [the times the devices are active] are limited, vary by patient and are difficult to be predicted by an unauthorized user.” Moreover, an attack would require “detailed knowledge of medical devices, wireless telemetry and electrophysiology.”
While most of the affected products are still awaiting fixes, Medtronic has now issued patches for all models of the Brava and Viva lines of CRT-D devices, and for the Evera, Evera MRI, Mirro MRI and Primo MRI lines of ICDs.
It should be noted that Conexus telemetry is not used in other common Medtronic devices, such as pacemakers, CareLink Express monitors and the CareLink Encore programmers (Model 29901) used by hospitals and clinics.
However, the CareLink brand is at the heart of the second group of vulnerabilities, first disclosed in February 2018 and last updated in October of that year.
Medtronic’s CareLink 2090 and CareLink Encore 29901 programmers are used for programming, testing and evaluating “cardiac implantable electrophysiology devices,” a.k.a. CIEDs. These include pacemakers; implantable defibrillators, which provide an electrical shock or pacing to stop dangerously fast heart rhythms; cardiac resynchronization devices, which pace the heart to improve contraction and treat heart failure; and insertable cardiac monitors for long-term monitoring of irregular or abnormal heart rhythms.
The SDN is “a worldwide network hosted by Medtronic that allows the download of new or updated software to Medtronic’s CareLink 2090 and CareLink Encore 29901 programmers using a network connection,” according to the updated advisory, issued last week.
The bugs would have allowed an attacker to remotely update the programmers with non-Medtronic software, causing potential harm to a patient, Medtronic said. So after disclosure, the company disabled external connections to the devices via the SDN altogether.
According to an ICS-CERT advisory last week, Medtronic has patched three vulnerabilities, all non-critical. The first, CVE-2018-5446, has a CVSS severity score of 4.9 and arises because credentials could be stored in a recoverable format. The second, CVE-2018-5448 (CVSS score 4.8), is a relative path traversal flaw in the SDN that could allow an attacker to read files on the system. And the third, CVE-2018-10596 (CVSS score 7.1), arises from improper restriction of communication channels to intended endpoints; it would allow a remote man-in-the-middle attack.
“The affected product uses a virtual private network connection to securely download updates. The product does not verify it is still connected to this virtual private network before downloading updates,” according to the ICS-CERT advisory. “Thus, an attacker could cause the VPN connection to terminate (through various methods and attack points) and intercept the HTTP request, responding with malicious updates via a man-in-the-middle attack. The affected products do not verify the origin or integrity of these updates, as it insufficiently relied on the security of the VPN. An attacker with remote network access to the programmer could influence these communications.”
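The advisory's point is that an update client must not lean on the tunnel for security: it should confirm the VPN is still up before fetching, and then verify the origin and integrity of what it received regardless. The following is an added illustration, not Medtronic's code or the programmer's real update logic; the key, manifest format, package bytes and `FakeTransport` stand-in for the SDN connection are all constructed for the example, and the HMAC tag stands in for the asymmetric signature a production scheme would use so the device only ever holds a public key.

```python
import hashlib
import hmac
import json

# Constructed demo key. Stands in for the vendor verification key a device
# would hold; in production use an asymmetric signature so the device stores
# only a public key and a stolen device cannot forge manifests.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"

def sign_manifest(manifest, key):
    """Vendor side: canonical JSON manifest plus its HMAC-SHA256 tag (hex)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_update(manifest_body, tag_hex, package, key):
    """Device side: accept only an authentic manifest whose pinned hash matches
    the package. The transport (VPN or not) is given no trust at all."""
    expected = hmac.new(key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        return False  # manifest forged, or altered in transit
    manifest = json.loads(manifest_body)
    digest = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])

def fetch_and_verify(transport, key):
    """Check the VPN is still up before talking to the update server, then
    still verify the payload itself: defence in depth, not either/or."""
    if not transport.vpn_connected():
        return False  # the flaw: the real client skipped this check
    body, tag, package = transport.download()
    return verify_update(body, tag, package, key)

class FakeTransport:
    """Constructed stand-in for the SDN link; can simulate a dropped VPN or a
    man-in-the-middle that swaps the package for its own."""
    def __init__(self, body, tag, package, vpn=True, mitm_package=None):
        self._body, self._tag, self._package = body, tag, package
        self._vpn, self._mitm = vpn, mitm_package
    def vpn_connected(self):
        return self._vpn
    def download(self):
        pkg = self._mitm if self._mitm is not None else self._package
        return self._body, self._tag, pkg

# Constructed sample update and its vendor-signed manifest.
GENUINE = b"programmer-firmware-v2.1"
MANIFEST_BODY, MANIFEST_TAG = sign_manifest(
    {"version": "2.1", "sha256": hashlib.sha256(GENUINE).hexdigest()}, VENDOR_KEY)
```

With this structure a package swapped in transit fails the hash check and a manifest re-signed by anyone without the vendor key fails the tag check, so losing the VPN no longer turns a download into a code-execution path.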
Medtronic said that the patches fully mitigate the issues and make allowing external access to the SDN safe again, according to the advisory: “Physicians can once again update Medtronic programmers via the SDN.”
For both groups of bugs, to date, Medtronic said that “no cyberattack, privacy breach, or patient harm has been observed or associated with these vulnerabilities.”