Medical devices by Medtronic found to have two nasty security bugs

• DHS issued an advisory regarding the vulnerabilities discovered in 20 products manufactured by Medtronic.
• These flaws could enable attackers to gain unauthorized access as well as help them tap into sensitive data.

Dublin-based medical device maker Medtronic was found having serious security flaws in its devices. According to a security advisory published by the Department of Homeland Security (DHS), 20 products made by Medtronic had vulnerabilities that could have compromised the functionality and have sensitive data scooped off by attackers. It was observed that these flaws resulted due to a faulty telemetry protocol present in these devices.

The big picture

• 20 Medtronic devices having the Conexus telemetry protocol was vulnerable with two security flaws. Devices included cardiac implants, defibrillators and monitoring systems.
• The flaws are designated as CVE-2019-6538 (Improper Access Control CWE-284) and CVE-2019-6540 (Cleartext Transmission of Sensitive Information CWE-319).
• The first vulnerability indicates that that the Conexus telemetry protocol lacked authentication, which could have allowed attackers to meddle with the telemetry communication and change memory on devices such as cardiac implants.
• The second vulnerability indicates that communication in Conexus did not have encryption. Attackers could intercept radio communication and capture sensitive data.
• Both vulnerabilities could have crippled the core functionality of all these devices.

Why it matters - According to an article by StarTribune, it is estimated that around 750,000 defibrillators were affected by the two vulnerabilities. Despite these flaws being rated high (CVE-2019-6538 has a CVSS score of 9.3), doctors and experts believe that the chances of attacks on these devices are low.

Robert Kowal, VP - Medical Affairs and Chief Medical Officer at Medtronic, told StarTribune that attackers needed to have a profound knowledge of the devices to conduct attacks.

“No. 1, this would be very hard to exploit to create harm. No. 2, we know of no evidence that anyone’s ever done this. And 3, we are working closely with FDA as this whole cyber issue evolves to make sure we are not only handling this problem but we’re working on future devices to optimize security versus functionality,” stressed Kowal.