Security flaws leave life-saving cardiac defibrillators open to attack

Security flaw enables attackers to take full control of life-saving devices

US security researchers have discovered a flaw enabling hackers to take full control of life-saving Medtronic cardiac defibrillators.

According to specialists at Clever Security, the Conexus Radio Frequency Telemetry Protocol, which connects the monitors to implants, lacks secure communications encryption.

Because of this vulnerability, attackers are able to listen to sensitive communications, control implanted devices and even tweak firmware.

After discovering the flaw, Clever Security contacted Medtronic, giving the company time to fix the flaws before going public. Yesterday, the US Department of Homeland Security (DHS) issued a public warning.

In an advisory, rating the vulnerability 9.3 out of 10, the DHS warned that "successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system".

The security note explains how the flaw can impact product functionality and allow access to transmitted sensitive data with little skill.

For successful exploitation, attackers need an RF device capable of transmitting or receiving Conexus telemetry communication ( such as a monitor, programmer, or software-defined radio)", "to have adjacent short-range access to the affected products" and " for the products to be in states where the RF functionality is active".

DHS continued: "Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol.

"Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications.

"The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device."

Since being informed of the flaw, Medtronic has "applied controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices", the company said, adding that it is working on additional mitigations to be "deployed through future updates".

Medtronic has also issued a list of recommendations to stop attackers from exploiting these flaws: