Vulnerability Discovered in Medtronic Encore and CareLink Programmers

ICS-CERT issued a bulletin regarding a vulnerability that was found in some Medtronic CareLink and Encore Programmers. Any personally identifiable information (PII) and protected health information (PHI) that the devices contain could potentially be accessed due to the absence of encryption for information at rest.

The programmers are utilized for programming and managing Medtronic cardiac devices in hospitals and may store reports that contain patients’ PII/PHI. If an attacker has physical access to a vulnerable programmer, it would be possible to gain access to the reports and see the patients’ PII/PHI. Attackers with a low skill level could potentially exploit the vulnerability, although not remotely.

Whitescope LLC, security researchers Billy Rios and Jonathan Butts discovered the vulnerability (CVE-2018-18984). They discovered that the programmers lack encryption for stored PII/PHI or the encryption is not sufficient. The vulnerability was given a CVSS V3 base rating of 4.6.

The vulnerability is found in all 29901 Encore Programmers, CareLink 2090 Programmers, and CareLink 9790 Programmers.

Medtronic recommended all hospitals stop using CareLink 9790 Programmers as they have reached end-of-life and are no longer supported. CareLink 2090 and 29901 Encore Programmers should only have PII/PHI stored for a short period of time. The programmers should only store patient data temporarily until it can be transferred to other medical systems or printed out.

All affected programmers allow the manual deletion of reports with PII/PHI when they’re no longer required. Users of the Programmers should also erase all PII/PHI from the devices prior to scrapping the devices.

Medtronic likewise advised users to ensure Programmers are physically secured at all times and never to use Programmers supplied by third parties. Programmers should only be obtained from official suppliers.