The devices that DHS warned about include the Medtronic 2090 CareLink programmer, 29901 Encore programmer, MyCareLink monitor and the CareLink monitor.
All warnings are updates on previous advisories from DHS. In October 2018, Medtronic disabled Internet updates for approximately 34,000 CareLink devices after the discovery of a vulnerability that could allow an outside agent to plant malware on the pacemakers to control or disable therapy.
The updated warning said that vulnerabilities include storing passwords in a recoverable format, relative path traversal and improper restriction of the communication channel to its intended endpoints. Attackers may be able to access the programmer to obtain credentials to the software deployment network and potentially influence communications between the programmer and the network, according to the warning.
By March, DHS had warned of vulnerabilities in Medtronic devices using its Conexus radio frequency telemetry protocol, including some CareLink devices. DHS’ latest update cited vulnerabilities with improper access control and cleartext transmission of sensitive information.
With these devices, exploitation of the vulnerabilities may offer an attacker access to the product to interfere with, generate, modify or intercept radio frequency communication from the Medtronic Conexus telemetry system, which could impact its functionality and/or allow access to transmitted sensitive data. Successful exploitation could result in the ability to read and write valid memory locations and impact the intended function of the device.
Medtronic assessed the vulnerabilities with the CareLink 2090 Programmer and identified no new potential safety risks. However, the company has added periodic integrity checks for files associated with the software deployment network and developed server-side security changes to enhance security.
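The "periodic integrity checks for files associated with the software deployment network" mentioned above are one way a defender detects the kind of tampering a recoverable-password or path-traversal flaw could enable. The following is an added illustration of how such a check works in general, not Medtronic's implementation and not code from the advisory: a hash manifest is recorded from a known-good baseline, and later runs report files that were modified, removed, or added. All file names and contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by POSIX relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Returns lists of files whose hash changed, files present in the baseline
    but now absent, and files on disk that the baseline never recorded.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the tree and re-check it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "updater").write_bytes(b"original updater binary (constructed)")
        (root / "config.ini").write_text("server=deploy.example.invalid\n")
        (root / "release.txt").write_text("1.0\n")
        baseline = build_manifest(root)

        # Baseline against an untouched tree must be clean.
        assert all(not v for v in verify_manifest(root, baseline).values())

        # Simulated tampering: replace one file, delete one, drop a new one.
        (root / "bin" / "updater").write_bytes(b"replaced updater binary (constructed)")
        (root / "release.txt").unlink()
        (root / "extra.dll").write_bytes(b"unexpected file (constructed)")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline: if the manifest is stored writable on the same host, whoever can alter the files can alter the manifest too, so in practice the baseline is signed or kept on the server side, which is consistent with the server-side changes the article describes.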
For the Conexus telemetry devices and associated products, the company developed mitigating patches for a subset of the affected implanted cardiac device models to be installed during regular office visits. Medtronic also urged users to maintain good physical control over home monitors and programmers, to use only monitors and programmers obtained directly from a healthcare provider or the company, and to not connect unapproved devices to the programmers or monitors.