Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCarelink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability.

The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on.

An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device.

The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3.

A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use encryption, an attacker with adjacent short-range access to a vulnerable product could intercept communications and obtain sensitive patient data.

The vulnerability is being tracked as CVE-2019-6540 and has been assigned a CVSS v3 base score of 6.5.

The vulnerabilities affect the following Medtronic devices:

  • Versions 24950 and 24952 of MyCareLink Monitor
  • Version 2490C of CareLink Monitor
  • CareLink 2090 Programmer

All models of the following implanted cardiac devices are affected:

  • Amplia CRT-D
  • Claria CRT-D
  • Compia CRT-D
  • Concerto CRT-D
  • Concerto II CRT-D
  • Consulta CRT-D
  • Evera ICD
  • Maximo II CRT-D and ICD
  • Mirro ICD
  • Nayamed ND ICD
  • Primo ICD
  • Protecta ICD and CRT-D
  • Secura ICD
  • Virtuoso ICD
  • Virtuoso II ICD
  • Visia AF ICD
  • Viva CRT-D

Medtronic has implemented additional controls for monitoring and responding to any cases of improper use of the telemetry protocol used by affected ICDs. Further mitigations will be applied to vulnerable devices through future updates.

In the meantime, users of the devices should ensure home monitors and programmers cannot be accessed by unauthorized individuals and home monitors should only be used in private environments. Only home monitors, programmers, and ICDs that have been supplied by healthcare providers or Medtronic representatives should be used.

Unapproved devices should not be connected to monitors through USB ports and physical connections and programmers should only be used to connect with ICDs in hospital and clinical environments.

The vulnerabilities were identified by multiple security researchers who reported them to NCCIC. (Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; former KU Leuven researcher Eduard Marin; Flavio D. Garcia; Tom Chothia; and Rik Willems.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.