The U.S. Dept. of Homeland Security today released a medical advisory warning of exploits within a number of Medtronic (NYSE:MDT) implanted cardiac devices and associated equipment that could allow an attacker to affect the functionality of the devices or intercept transmitted sensitive data.
The vulnerability affects Fridley, Minn.-based Medtronic devices using its Conexus radio frequency telemetry protocol, according to the release, and requires only a low level of skill and adjacent access to exploit.
Successful exploitation could allow an outside actor to “interfere with, generate, modify, or intercept” the RF communication of the Conexus telemetry system, the HHS said.
To do so, an attacker would need an RF device capable of transmitting or receiving Conexus telemetry communication, would need to be within short range of the products, and the products would need to be in a state where RF functionality is active, according to the release.
Before the device is implanted and during follow-up clinic visits, Conexus telemetry sessions require initiation by an inductive protocol, the HHS said. Outside of those environments, the RF radio is only enabled for brief periods of time to support follow-up transmissions and “other operational safety notifications.”
The HHS warned that the Conexus telemetry protocol does not implement authentication or authorization, or encryption.
The exploit affects Medtronic devices that use its Conexus telemetry protocol, according to the warning. Affected devices include all models of the Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, Viva CRT-D, the CareLink 2090 Programmer, the 2490C version of its CareLink Monitor and versions 24950 and 24952 of its MyCareLink Monitor.
Medtronic has implemented additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by affected devices, according to the release, and is developing further mitigations that will require regulatory approval.
A Medtronic spokesperson said that to date, no cyberattack, privacy breach or patient harm has been observed or associated with the issues.
The company said that it is developing a series of software updates to better secure the wireless communication affected by the issues, with the first update expected to launch later this year, subject to regulatory approvals.
Medtronic said that it and the FDA recommend that patients and physicians continue to use the devices as intended.
Last October, Medtronic disabled internet updates for approximately 34,000 CareLink devices designed for accessing and programming implanted pacemakers because of cybersecurity vulnerabilities in the systems.