The world's largest medical device company has acknowledged that many of its implanted cardiac defibrillators use an unencrypted wireless protocol that could allow an attacker to change the settings of the lifesaving devices.
The vulnerability affects more than 20 defibrillator models, monitors and programmer units made by Medtronic Inc. of Fridley, Minnesota. The devices include implantable cardioverter defibrillators, or ICDs, which can correct dangerously fast or irregular heartbeat, and cardiac resynchronization therapy defibrillators, or CRT-Ds, which essentially are pacemakers that deliver small electrical charges to help keep the heart's ventricles pumping in sync.
In a bulletin issued late last week, the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security, assigned the flaw a vulnerability score of 9.3 — near the top of its 10-point scale. It said the flaw could allow a bad actor of "low skill level" to read and write any memory location on the implanted devices.
Medtronic acknowledged in a statement that the flaw could allow an unauthorized individual to gain access to the equipment's settings — and possibly change them.
But both Medtronic and the U.S. Food and Drug Administration, or FDA, advised doctors and patients to continue using the devices while a fix is developed. That's because the defibrillators' therapeutic value far outweighs the potential risk, they said, adding that no one is known to have successfully exploited the flaw.
The system uses a proprietary wireless protocol called Conexus, which links the defibrillators with home monitors and with doctors and device programmers in remote locations.
Medtronic said it's not the same system that was used in its CareLink pacemakers and programmers, for which the company shut down internet updates in October because they, too, were vulnerable to cyberattacks.
Homeland Security said security researchers in Europe who uncovered the vulnerability found that Conexus transmits data both without encryption and without authentication, meaning it can't ensure that illegitimate systems are blocked from taking control of the defibrillators.
But the agency agreed that the likelihood of a successful attack was low, not because one would be particularly hard to pull off technically, but because the devices use radio frequency transmissions — similar to some TV remote controls — and therefore have a range of only about 20 feet. That means any attacker would basically have to be in the same room as the targeted equipment.
Moreover, the agency said, the devices would have to be "in states where the RF functionality is active" — that is, an attacker would have to be working at a time the system is actually fired up to transmit.
While Medtronic develops a fix, the FDA said, patients and doctors can protect themselves by making sure to use only remote monitors they've gotten directly from Medtronic itself. Patients should keep their equipment plugged in at all times so that it can receive updates, the FDA said.
Medtronic, which said it would roll out a fix as soon as one is available and has been approved by regulators, identified these systems as being vulnerable:
- Amplia MRI CRT-D, all models
- Claria MRI CRT-D, all models
- Compia MRI CRT-D, all models
- Concerto CRT-D, all models
- Concerto II CRT-D, all models
- Consulta CRT-D, all models
- Evera MRI ICD, all models
- Evera ICD, all models
- Maximo II CRT-D and ICD, all models
- Mirro MRI ICD, all models
- Nayamed ND ICD, all models
- Primo MRI ICD, all models
- Protecta CRT-D and ICD, all models
- Secura ICD, all models
- Virtuoso ICD, all models
- Virtuoso II ICD, all models
- Visia AF MRI ICD, all models
- Visia AF ICD, all models
- Viva CRT-D, all models
- CareLink 2090 Programmer
- MyCareLink Monitor, models 24950 and 24952
- CareLink Monitor, Model 2490C