FDA Warns That Hackers Could Take Over Some Implanted Defibrillators
By R.J. Johnson - @rickerthewriter
March 25, 2019
The U.S. Department of Homeland Security has issued a warning for all Americans who use implanted defibrillators that says hackers could gain access to their devices and potentially modify data on an affected defibrillator.
Manufactured by Medtronic Inc., the implantable cardioverter defibrillators (ICDs) correct fast or irregular heartbeats in patients. Their electronic pulses keep the heart's ventricles pumping in sync.
But, according to a bulletin issued by the Cybersecurity and Infrastructure Security Agency, the devices contain a flaw that could allow bad actors of "low skill level" to read and write any memory location on the implanted devices.
"Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data."
The flaw could allow hackers to gain access to the equipment's settings, and even change them, Medtronic acknowledged.
"Although the system’s overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cyber-security vulnerabilities. To date, the FDA is not aware of any reports of patient harm related to these cyber-security vulnerabilities," a statement by the U.S. Federal Drug Administration said.
Despite the warning, both Medtronic and the FDA are advising doctors and patients to keep using the devices while they work on implementing a fix. The government says that the therapeutic benefits of using the defibrillators far outweigh the potential risks posed by hackers.
A proprietary wireless protocol links the defibrillators to a home monitor that doctors and device programmers can reach from remote locations. Security experts found that the link transmits data without encryption or authentication. That means the device has no way to tell a legitimate monitor or programmer from an unauthorized party, and so cannot block a bad actor from reading or changing its settings.
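To make the point about a missing authentication layer concrete, here is an added toy example (not Medtronic's Conexus protocol and not the company's code; the frame layout, the opcodes and the shared-key scheme are all assumptions made for illustration). It models a device that accepts any well-formed frame beside a hardened variant that only acts on frames carrying a valid HMAC tag from a key provisioned to the clinic's programmer or monitor, and that rejects replayed frames by requiring the counter to advance.

```python
import hashlib
import hmac
import struct

# Constructed toy frame layout, NOT the real Conexus format (assumption):
#   opcode (1 byte) | counter (4 bytes, big-endian) | payload (variable) | tag (32 bytes)
OP_READ = 0x01
OP_WRITE = 0x02
TAG_LEN = 32
HEADER = struct.Struct(">BI")


def build_frame(key, opcode, counter, payload):
    """Build a frame and append an HMAC-SHA256 tag computed over header + payload."""
    body = HEADER.pack(opcode, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def split_frame(frame):
    """Return (opcode, counter, payload, tag, body) for a frame built by build_frame."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    opcode, counter = HEADER.unpack_from(body)
    return opcode, counter, body[HEADER.size:], tag, body


class UnauthenticatedDevice:
    """Models the weak design: every well-formed frame is acted on, whoever sent it."""

    def __init__(self):
        self.settings = {b"telemetry_interval": 60}

    def handle(self, frame):
        opcode, _counter, payload, _tag, _body = split_frame(frame)
        if opcode == OP_WRITE:
            name, value = payload.split(b"=", 1)
            self.settings[name] = int(value)
            return "applied"
        if opcode == OP_READ:
            return self.settings.get(payload)
        return "unknown opcode"


class AuthenticatedDevice(UnauthenticatedDevice):
    """Hardened variant: verify the tag with a key shared only with the clinic's
    programmer/monitor, and refuse counters that do not advance (replay protection)."""

    def __init__(self, key):
        super().__init__()
        self.key = key
        self.last_counter = 0

    def handle(self, frame):
        opcode, counter, payload, tag, body = split_frame(frame)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # compare_digest is constant-time, so a mismatch leaks nothing about the tag
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return super().handle(frame)


def demo():
    """Feed the same frames to both device models and return the outcomes."""
    clinic_key = b"constructed-demo-key-do-not-reuse"  # constructed; real keys are provisioned per device
    other_key = b"a-key-the-clinic-never-issued"       # constructed; stands for any unprovisioned sender

    legit_write = build_frame(clinic_key, OP_WRITE, 1, b"telemetry_interval=30")
    foreign_write = build_frame(other_key, OP_WRITE, 2, b"telemetry_interval=5")

    weak, hardened = UnauthenticatedDevice(), AuthenticatedDevice(clinic_key)
    return {
        "weak_foreign": weak.handle(foreign_write),        # accepted: no check at all
        "weak_interval": weak.settings[b"telemetry_interval"],
        "hardened_legit": hardened.handle(legit_write),    # accepted: tag valid, counter advanced
        "hardened_foreign": hardened.handle(foreign_write),  # rejected: tag made with wrong key
        "hardened_replay": hardened.handle(legit_write),   # rejected: counter did not advance
        "hardened_interval": hardened.settings[b"telemetry_interval"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened model is the minimum a practitioner would expect from a telemetry link: integrity and origin authentication on every command, plus a monotonic counter so a captured valid frame cannot be re-sent later. It deliberately leaves out confidentiality (an AEAD cipher would provide both) and key provisioning, which in a real medical device is the hard part.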
While the vulnerability is serious, the devices communicate over short-range radio frequency transmissions, so anyone trying to hack the defibrillators would need to be in the same room.
Medtronic said it would roll out the fix as soon as it was available. Until then, the company identified the following models as being vulnerable to cyber
- Amplia MRI CRT-D, all models
- Claria MRI CRT-D, all models
- Compia MRI CRT-D, all models
- Concerto CRT-D, all models
- Concerto II CRT-D, all models
- Consulta CRT-D, all models
- Evera MRI ICD, all models
- Evera ICD, all models
- Maximo II CRT-D and ICD, all models
- Mirro MRI ICD, all models
- Nayamed ND ICD, all models
- Primo MRI ICD, all models
- Protecta CRT-D and ICD, all models
- Secura ICD, all models
- Virtuoso ICD, all models
- Virtuoso II ICD, all models
- Visia AF MRI ICD, all models
- Visia AF ICD, all models
- Viva CRT-D, all models
- CareLink 2090 Programmer
- MyCareLink Monitor, models 24950 and 24952
- CareLink Monitor, Model 2490C