Medtronic Releases Patches for Vulnerable CareLink Programmers and Implanted Cardiac Devices

Medtronic, a manufacturer of medical device, issued patches for fixing vulnerabilities in the following devices:

  • implantable cardioverter defibrillators (ICDs)
  • CareLink 2090 and CareLink Encore 29901 programmers
  • cardiac resynchronization therapy defibrillators (CRT-Ds)

Security researchers first identified the vulnerabilities in 2018 and 2019 and informed Medtronic about it. Immediately, Medtronic published mitigations to minimize the risk of attackers exploiting the vulnerabilities and to make it possible for customers to keep on using the impacted products safely. It took a long time to develop and release the patches for the complicated and safety-critical devices because of the necessary regulatory approval process. Medtronic developed security remediations immediately at the same time ensured that the patches would sustain the products’ comprehensive security and functionality.

In 2018, Security researchers Jonathan Butts and Billy Rios discovered three flaws in Medtronic’s devices used for programming and managing implanted cardiac devices, particularly CareLink 2090 and CareLink Encore 29901. Because of the vulnerabilities, an advisory was issued in February 2018. An attacker could exploit the vulnerabilities and change the firmware through a man-in-the-middle attack, gain access to files stored in the system, get device usernames and passwords, and manipulate implanted Medtronic devices remotely.

A number of researchers also identified two more vulnerabilities in the Medtronic Conexus telemetry protocol in 2019. Thus, a second Medtronic advisory was issued in March 2019. The vulnerabilities exist because of the insufficiency of encryption, authorization, and authentication. An attacker could exploit the vulnerabilities and intercept, replay, and alter data, and modify the settings of programmers, implanted devices, and home monitors. One rated critical vulnerability, CVE-2019-6538, was designated a CVSS v3 base rating of 9.3 out of 10.

The most recent patches fix the vulnerabilities found in MyCareLink monitors aad nCareLink monitors and programmers. Patches were issued for roughly 50% of the impacted Medtronic implantable devices affected by the Conexus vulnerabilities. See the list of all the products below:

  • Brava™ CRT-D, all models
  • Evera™ ICD, all models
  • Evera MRI™ ICD, all models
  • Mirro MRI™ ICD, all models
  • Viva™ CRT-D, all models
  • Primo MRI™ ICD, all models

Patches for the other vulnerable products will be available later this year.

To protect against exploitation of the vulnerabilities, Medtronic deactivated the software development network (SDN) used for delivering device updates. Therefore, software updates should be done manually by using a secured USB. Since the patches are already available, Medtronic reactivated the SDN and customers can use it now to update their devices.

Medtronic is monitoring possible exploitation of the vulnerabilities. It’s good that no cyberattack or privacy breach has been reported resulting from the vulnerabilities and there is no report of patients being harmed.