Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices

The medical device manufacturer Medtronic has issued patches to correct flaws in its CareLink 2090 and CareLink Encore 29901 programmers, implantable cardioverter defibrillators (ICDs), and cardiac resynchronization therapy defibrillators (CRT-Ds).

The vulnerabilities were first identified by security researchers in 2018 and 2019. When Medtronic was informed about the vulnerabilities, mitigations were quickly published to reduce the risk of exploitation of the vulnerabilities and allow customers to continue to use the affected products safely. The development and release of patches for these complex and safety-critical devices has taken a long time due to the required regulatory approval process.

“Development and validation can take a significant amount of time and also includes a required regulatory review process before we can distribute updates to products. Medtronic worked to develop security remediations quickly while also ensuring the patches continue to maintain comprehensive safety and functionality,” explained Medtronic.

In 2018, Security researchers Billy Rios and Jonathan Butts identified three vulnerabilities in Medtronic’s CareLink 2090 and CareLink Encore 29901 devices, prompting an advisory to be issued in February 2018. The devices are used to program and manage implanted cardiac devices. The vulnerabilities would allow an attacker to alter the firmware via a man-in-the-middle attack, access files contained in the system, obtain device usernames and passwords, and remotely control implanted Medtronic devices.

Several researchers were credited with the discovered two further vulnerabilities in 2019 in the Medtronic Conexus telemetry protocol, prompting a second Medtronic advisory in March 2019. The vulnerabilities concern the lack of encryption, authentication, and authorization. If exploited, an attacker could intercept, replay, and modify data, and change the configuration of implanted devices, programmers, and home monitors. One of the vulnerabilities, CVE-2019-6538, was rated critical and was assigned a CVSS v3 base score of 9.3 out of 10.

The latest patches correct the flaws in CareLink monitors and programmers and MyCareLink monitors. Patches have also been released for approximately half of the affected Medtronic implantable devices impacted by the Conexus vulnerabilities:

  • Brava™ CRT-D, all models
  • Evera MRI™ ICD, all models
  • Evera™ ICD, all models
  • Mirro MRI™ ICD, all models
  • Primo MRI™ ICD, all models
  • Viva™ CRT-D, all models

Patches for all the remaining vulnerable devices will be released later this year.

To prevent exploitation of the flaws, Medtronic disabled the software development network (SDN) that was used to deliver device updates, so software needed to be updated manually via a secured USB. Now that patches have been released, the SDN has been reactivated and it can be used by customers to update their devices.

Medtronic has been monitoring for exploitation of the vulnerabilities and says there have been no cyberattacks or privacy breaches as a result of the vulnerabilities and no patients have been harmed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.