Right at the end of May 2017, we published an article detailing how researchers had discovered over 8,600 vulnerabilities in pacemakers. Those vulnerabilities were spread across the pacemaker product lines of four manufacturers, and some were found in radio-controlled devices. On March 21, 2019, the US Food and Drug Administration (FDA) issued a warning over a critical flaw affecting scores of Medtronic heart defibrillators that allows a nearby attacker to change the settings of a patient's cardiac device by manipulating radio communications between it and its control devices. This alert further highlights the cybersecurity difficulties the community faces worldwide with Internet of Things (IoT) devices. It is important to note that Medtronic pacemakers are not affected by the recent vulnerability discovery.
According to the US regulatory body, the problem lies with Medtronic's proprietary Conexus radio-frequency wireless telemetry protocol. This protocol is used as part of the devices’ remote patient-management system for communication between defibrillators, home monitoring devices, and clinician programming devices. Researchers discovered that the Conexus protocol lacks any kind of authentication, which means that an attacker within the device's range, approximately 6 meters, can inject, replay, modify and intercept the telemetry data. Further, the protocol allows control devices to remotely read and write memory on the heart implants, so a nearby attacker with a software-defined radio could exploit the lack of authentication to reprogram the cardiac device.
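The defect described above is a missing authentication and anti-replay layer on the telemetry link. The following added example (our own illustration, not Medtronic code and not the real Conexus frame format) models a receiver that trusts any well-formed frame next to one that verifies an HMAC-SHA256 tag under a provisioned shared key and rejects replayed counters. The frame layout, the key and the command strings are constructed for the demo; the point is the difference in what each receiver will act on.

```python
import hmac
import hashlib
import struct

TAG_LEN = 32                 # HMAC-SHA256 tag length in bytes
HDR = struct.Struct(">I")    # constructed header: 4-byte big-endian message counter


def build_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """Authenticated frame: counter || payload || HMAC(key, counter || payload)."""
    body = HDR.pack(counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class UnauthenticatedReceiver:
    """Models the flaw class: every syntactically valid frame is acted upon."""

    def __init__(self):
        self.applied = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < HDR.size:
            return False
        counter, = HDR.unpack_from(frame)
        self.applied.append((counter, frame[HDR.size:]))
        return True


class AuthenticatedReceiver:
    """Hardened receiver: verifies the tag and refuses replayed or stale counters."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.applied = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < HDR.size + TAG_LEN:
            return False                      # too short to carry a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or modified in transit
        counter, = HDR.unpack_from(body)
        if counter <= self.last_counter:
            return False                      # replay of an earlier genuine frame
        self.last_counter = counter
        self.applied.append((counter, body[HDR.size:]))
        return True


def demo() -> dict:
    """Run both receivers against genuine, replayed, forged and tampered frames."""
    key = b"constructed-demo-key"            # stands in for a per-device provisioned secret
    legacy = UnauthenticatedReceiver()
    hardened = AuthenticatedReceiver(key)

    genuine = build_frame(key, 1, b"READ_STATUS")
    # A frame from a party that does not hold the key: counter, payload, all-zero tag.
    forged = HDR.pack(2) + b"WRITE_PARAM" + bytes(TAG_LEN)
    # A genuine frame with one payload bit flipped after the tag was computed.
    tampered = bytearray(build_frame(key, 3, b"READ_STATUS"))
    tampered[HDR.size] ^= 0x01

    return {
        "legacy_accepts_forged": legacy.receive(forged),
        "hardened_accepts_genuine": hardened.receive(genuine),
        "hardened_rejects_replay": not hardened.receive(genuine),
        "hardened_rejects_forged": not hardened.receive(forged),
        "hardened_rejects_tampered": not hardened.receive(bytes(tampered)),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Note that an HMAC tag only addresses authenticity and integrity; it does nothing for confidentiality, so telemetry protected this way would still be readable by anyone in radio range, which is the separate privacy concern the article goes on to describe.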
The flaw, CVE-2019-6538, has been assigned a CVSS severity rating of 9.3 out of a possible 10, according to the US Department of Homeland Security (DHS) in an advisory also issued on March 21, 2019. With a rating of 9.3, the flaw can safely be regarded as serious. It was also confirmed that a second flaw exists. The second flaw also affects the Conexus protocol and presents a potentially serious privacy threat to patients, since data transmitted between cardiac and control devices is sent in the clear. As with CVE-2019-6538, a nearby attacker with radio equipment could intercept communications to learn about the person's specific condition. The FDA confirmed that,
“…these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient's physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.”
In an advisory published by Medtronic it was emphasized that the Conexus protocol is not used in its pacemakers and thus the vulnerabilities explained above pose no danger to those devices. The devices affected include: Amplia MRI CRT-D (all models), Claria MRI CRT-D (all models), Compia MRI CRT-D (all models), Concerto CRT-D (all models), Concerto II CRT-D (all models), Consulta CRT-D (all models), Evera MRI ICD (all models), Evera ICD (all models), Maximo II CRT-D and ICD (all models), Mirro MRI ICD (all models), Nayamed ND ICD (all models), Primo MRI ICD (all models), Protecta CRT-D and ICD (all models), Secura ICD (all models), Virtuoso ICD (all models), Virtuoso II ICD (all models), Visia AF MRI ICD (all models), Visia AF ICD (all models), Viva CRT-D (all models), CareLink 2090 Programmer, MyCareLink Monitor models 24950 and 24952, and CareLink Monitor Model 2490C.
No Need to Panic
While the DHS believes that the flaws could be exploited by low-skilled attackers, there are a number of factors that mitigate the risk. These factors limit how easily an attacker can exploit the flaws mentioned. Firstly, the cardiac device needs to have radio communications enabled. This generally only happens at the clinic before the implant procedure and during follow-up visits. Outside of the clinic, radio activation times are limited and vary from patient to patient, making them very difficult to predict. Medtronic and the FDA recommend that patients and practitioners continue to use the affected products as prescribed and intended. Medtronic and the FDA are working together to patch the vulnerabilities, but in the meantime, Medtronic further stated,
“The benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited. These benefits include earlier detection of arrhythmias, fewer hospital visits, and improved survival rates,”
When vulnerabilities arise in medical devices there is a knee-jerk reaction to assume the worst, when they are often not the life-threatening instances initially believed. They are serious, as in this case, serious enough for the FDA to issue an alert. With the vulnerabilities affecting the Medtronic devices listed above, the attacker doesn’t just need to know how to exploit the flaw; they have a whole list of other requirements to meet. The device’s radio transmitter has to be on, the attacker has to be near the target device, within about 6 meters, and has to know when that particular patient's device is radio-enabled. These variables naturally exclude anyone but the most driven attacker, and even then there are easier options on the table.
Alerts are issued for consumer protection and to prevent the worst-case scenario. As the FDA concludes,
“The FDA urges manufacturers everywhere to remain vigilant about their products — companies should take steps to monitor and assess cybersecurity vulnerability risk, and be proactive about disclosing vulnerabilities and mitigations to address them. This is part of the FDA’s overall effort to collaborate with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle. The FDA issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.”