Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients' chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect.
On Thursday, the US government's Dept of Homeland Security issued an alert over two CVE-listed vulnerabilities in Medtronic's wireless communications system Conexus, which is used by some of its heart defibrillators and their control units. Conexus exchanges data between implanted devices and their control units over the air using radio-waves, with a range of roughly 25 feet without any signal boosting.
The more serious of the flaws, CVE-2019-6538, can be potentially exploited by an attacker to meddle with data flying between the device and its controller. The Conexus protocol does not include any checks for this kind of tampering, nor performs any form of authentication. This means transmissions can be intercepted, spoofed, and modified by hackers and their nearby equipment, which can also masquerade as a control unit, in certain circumstances that we'll come to describe.
Here's where it gets serious: the protocol allows a nearby miscreant, with the right radio gear and in the right circumstances, to send commands to the implanted cardiac device that reads or writes memory in the gadget. That means someone can, at the right moment, maliciously manipulate the operation of the vulnerable implant over the airwaves, potentially harming or perhaps even ultimately killing the patient.
Pete Morgan, one of the researchers who discovered and reported the flaw, told The Register that while a successful exploit could indeed lead to an attacker changing how the defibrillator operates – for example, making it fire randomly – there are some mitigating factors. Most notably, the device has to be in so-called listen mode, in which is awaits commands, a state that is not active the vast majority of the day.
The implanted device typically wakes up to pick up transmissions when it is activated by an inductive wand waved over the patient's chest, usually during an appointment or checkup with a doctor, or it wakes up automatically and briefly to exchange telemetry with a control unit in the patient's home.
"They enter listen mode through either of two states," Morgan, the founder of Clever Security, explained.
"One, inductive wake up through a wand or puck with the programmer or Carelink home monitor. Two, during intervals usually configured by the physician, the implanted cardiac device will wake up and begin RF communication with the Carelink home monitor to check in and report on status."
A spokesperson for Medtronic noted to El Reg that, in addition to being in range and having the device in listen mode, the attacker would need to know the specific model of device in the victim, and have reverse-engineered its design to know which commands to send to write the necessary data into memory to cause harm.
Thus, someone really needs to be out to get you if pull this off; it's not like miscreants can go war-driving through town zapping people dead.
The second vulnerability, CVE-2019-6540, addresses the lack of encryption with Conexus wireless transmissions. This means an attacker within range can listen in on the data being sent and received, and spy on the patient's condition over the air.
Pain in the brain! Kaspersky warns of hackable brain implantsREAD MORE
Medtronic said it is working on a fix for both issues, and in the meantime urged doctors and patients to use the implants and controllers as usual.
"Medtronic recommends that patients and physicians continue to use these devices as prescribed and intended," the med-tech giant said in its advisory [PDF].
"The benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited. These benefits include earlier detection of arrhythmias, fewer hospital visits and improved survival rates."
Medtronic noted that its line of implanted pacemakers are not vulnerable to either of the flaws, just some of its heart defibrillators.
This isn't the first time Medtronic has made headlines for its lapses in security. Last year, researchers reported a similar issue when the programming units for pacemakers were found to be using insecure channels to download their firmware updates. ®