Two vulnerabilities have been identified in the Conexus telemetry protocol, which is used by Medtronic MyCareLink monitors, CareLink monitors, CareLink 2090 programmers and 17 families of Medtronic implanted cardiac devices (ICDs and CRT-Ds). Only a low skill level is needed to exploit the vulnerabilities, but an attacker must have adjacent access, i.e. be within short radio range of a vulnerable device.
CVE-2019-6538 has been assigned a CVSS v3 base score of 9.3 (critical). The Conexus telemetry protocol has no authentication or authorization controls: it does not verify who is sending a message or whether that party is permitted to issue it. An attacker within short radio range of a vulnerable device whose radio is switched on can therefore intercept, inject, replay and/or modify telemetry messages. Because the protocol is used to read and write values in the implanted device, an attacker could potentially change the memory of a vulnerable implanted cardiac device and thereby affect how it functions.
CVE-2019-6540 has been assigned a CVSS v3 base score of 6.5 (medium). The Conexus telemetry protocol does not encrypt its traffic, so an attacker with adjacent short-range access to a vulnerable device can passively intercept communications and read sensitive patient information in cleartext.
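To make the two weakness classes concrete, here is an added illustrative model that is not code from this page, from Medtronic or from the researchers, and is not the Conexus wire format (which is proprietary and not described here). It places an unauthenticated, cleartext telemetry link beside a hardened one and runs the same sniff, replay, tamper and forge attempts against both. The frame layout, command codes, memory address, shared key and patient record are assumptions constructed for the demo, and the HMAC-based keystream is a toy stand-in for a real AEAD such as AES-GCM.

```python
# Added illustrative model, not the Conexus protocol; layout, commands, keys and data are assumed.
import hashlib
import hmac
import os
import struct

CMD_TELEMETRY = 0x01  # device -> monitor/programmer: patient and device data (assumed)
CMD_WRITE = 0x02      # programmer -> device: write a memory value (assumed)
TAG_LEN = 16          # truncated HMAC-SHA256 tag on hardened frames

PATIENT_RECORD = b"patient=J.Doe;serial=000000;rate=72"  # constructed, not real data
WRITE_PARAM = struct.pack(">H", 0x0010) + b"\x50"  # address 0x0010 := 0x50 (assumed)

# ---- Unprotected design: the CVE-2019-6538 / CVE-2019-6540 failure classes ----
def legacy_encode(cmd, payload):
    """Cleartext, length-prefixed frame; nothing binds it to a sender."""
    return struct.pack(">BH", cmd, len(payload)) + payload

class LegacyDevice:
    """Accepts any well-formed frame: no authentication, no replay check."""
    def __init__(self):
        self.memory = {}

    def receive(self, frame):
        cmd, n = struct.unpack(">BH", frame[:3])
        payload = frame[3:3 + n]
        if cmd == CMD_WRITE:
            (addr,) = struct.unpack(">H", payload[:2])
            self.memory[addr] = payload[2:]
        return True

# ---- Hardened design: shared key, per-direction counter, encrypt-then-MAC ----
def _keystream(key, direction, counter, n):
    """Toy CTR-style keystream from HMAC-SHA256; a real design would use an AEAD."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">BII", direction, counter, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SecureChannel:
    """One endpoint of an authenticated, encrypted, replay-protected link."""
    def __init__(self, shared_key, direction):
        self.k_enc = hashlib.sha256(b"enc" + shared_key).digest()
        self.k_mac = hashlib.sha256(b"mac" + shared_key).digest()
        self.direction = direction  # 0 = programmer, 1 = implanted device
        self.send_ctr = self.last_recv_ctr = 0

    def encode(self, cmd, payload):
        self.send_ctr += 1
        hdr = struct.pack(">IBB", self.send_ctr, self.direction, cmd)
        ct = _xor(payload, _keystream(self.k_enc, self.direction, self.send_ctr, len(payload)))
        tag = hmac.new(self.k_mac, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        return hdr + ct + tag

    def decode(self, frame):
        """Return (cmd, payload), or None if forged, altered, reflected or replayed."""
        if len(frame) < 6 + TAG_LEN:
            return None
        hdr, ct, tag = frame[:6], frame[6:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.k_mac, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # injected or modified: the attacker holds no MAC key
        ctr, direction, cmd = struct.unpack(">IBB", hdr)
        if direction == self.direction:
            return None  # our own frame reflected back at us
        if ctr <= self.last_recv_ctr:
            return None  # replayed
        self.last_recv_ctr = ctr
        return cmd, _xor(ct, _keystream(self.k_enc, direction, ctr, len(ct)))

def demo_legacy():
    """Sniff, replay and tamper against the unprotected design."""
    device = LegacyDevice()
    leaks = PATIENT_RECORD in legacy_encode(CMD_TELEMETRY, PATIENT_RECORD)
    legit = legacy_encode(CMD_WRITE, WRITE_PARAM)
    accepts_replay = device.receive(legit) and device.receive(legit)
    tampered = legit[:-1] + bytes([legit[-1] ^ 0xFF])  # flip the written value
    accepts_tamper = device.receive(tampered)
    return {"leaks": leaks, "accepts_replay": accepts_replay,
            "accepts_tamper": accepts_tamper, "memory": dict(device.memory)}

def demo_hardened():
    """The same attacks, plus a forged frame, against the hardened design."""
    key = os.urandom(32)  # assumed: shared key provisioned in-clinic, out of band
    programmer, device = SecureChannel(key, 0), SecureChannel(key, 1)
    leaks = PATIENT_RECORD in device.encode(CMD_TELEMETRY, PATIENT_RECORD)
    legit = programmer.encode(CMD_WRITE, WRITE_PARAM)
    i = len(legit) - TAG_LEN - 1  # last ciphertext byte
    tampered = legit[:i] + bytes([legit[i] ^ 0xFF]) + legit[i + 1:]
    accepts_tamper = device.decode(tampered) is not None
    first_write = device.decode(legit)
    accepts_replay = device.decode(legit) is not None
    forged = struct.pack(">IBB", 99, 0, CMD_WRITE) + WRITE_PARAM + bytes(TAG_LEN)
    accepts_forged = device.decode(forged) is not None
    return {"leaks": leaks, "accepts_tamper": accepts_tamper, "accepts_replay": accepts_replay,
            "accepts_forged": accepts_forged, "first_write": first_write}
```

Calling `demo_legacy()` shows the sniffed telemetry frame carrying the record verbatim and the device accepting both the replayed and the altered write, ending with the attacker's value in memory; `demo_hardened()` shows the ciphertext frame revealing nothing, and the altered, replayed and forged frames all rejected while the one genuine write goes through. The two checks that matter for the advisory's findings are the MAC over header plus ciphertext (no key, no accepted frame) and the strictly increasing per-direction counter (a captured frame is never accepted twice).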
The vulnerabilities were found to affect the Medtronic devices listed below:
- CareLink 2090 Programmer
- Versions 24950 and 24952 of MyCareLink Monitor
- Version 2490C of CareLink Monitor
All models of the implanted cardiac devices listed below are affected:
- Amplia CRT-D
- Claria CRT-D
- Concerto CRT-D and Concerto II CRT-D
- Compia CRT-D
- Consulta CRT-D
- Evera ICD
- Mirro ICD
- Maximo II CRT-D and ICD
- Nayamed ND ICD
- Primo ICD
- Protecta ICD and CRT-D
- Secura ICD
- Virtuoso ICD and Virtuoso II ICD
- Visia AF ICD
- Viva CRT-D
Medtronic has applied additional controls to monitor and respond to any improper use of the telemetry protocol by the affected ICDs. Further mitigations will be delivered to vulnerable devices through future updates.
In the meantime, users should keep home monitors and programmers under their physical control so that unauthorized persons cannot access them, and home monitors should be used only in private settings such as the home. Only home monitors, programmers and ICDs obtained directly from a healthcare provider or a Medtronic representative should be used. Unapproved devices should never be connected to home monitors or programmers via USB ports or other physical connections, and programmers should only be used to interact with ICDs in clinical settings such as hospitals and other healthcare facilities.
The vulnerabilities were identified by several security researchers, who reported them to NCCIC: Dave Singelée and Bart Preneel of KU Leuven; former KU Leuven researcher Eduard Marin; Peter Morgan of Clever Security; Tom Chothia; Flavio D. Garcia; and Rik Willems.