CERT-In Vulnerability Note
CIVN-2020-0029
Medtronic Conexus Radio Frequency Telemetry Protocol Vulnerabilities
Original Issue Date: February 14, 2020
Severity Rating: MEDIUM
Systems Affected
- Medtronic MyCareLink Monitor, Versions 24950 and 24952
- Medtronic CareLink Monitor, Version 2490C
- Medtronic CareLink 2090 Programmer
- Medtronic Amplia CRT-D (all models)
- Medtronic Claria CRT-D (all models)
- Medtronic Compia CRT-D (all models)
- Medtronic Concerto CRT-D (all models)
- Medtronic Concerto II CRT-D (all models)
- Medtronic Consulta CRT-D (all models)
- Medtronic Evera ICD (all models)
- Medtronic Maximo II CRT-D and ICD (all models)
- Medtronic Mirro ICD (all models)
- Medtronic Nayamed ND ICD (all models)
- Medtronic Primo ICD (all models)
- Medtronic Protecta ICD and CRT-D (all models)
- Medtronic Secura ICD (all models)
- Medtronic Virtuoso ICD (all models)
- Medtronic Virtuoso II ICD (all models)
- Medtronic Visia AF ICD (all models)
- Viva CRT-D (all models)
- Brava CRT-D (all models)
- Mirro MRI ICD (all models)
Overview
Multiple vulnerabilities have been reported in the Medtronic Conexus Radio Frequency telemetry protocol which could allow an attacker to bypass the security mechanism and gain unauthorized access to obtain sensitive information on the targeted device.
Description
1. Improper Authentication Vulnerability (CVE-2019-6538)
This vulnerability exists in the Conexus telemetry protocol due to improper authentication or authorization. An attacker having adjacent short-range access to the affected device could exploit this vulnerability to inject, replay, modify, or intercept data within the telemetry communication when the device's radio is turned on. Successful exploitation of this vulnerability could allow the attacker to modify memory values of the affected implanted cardiac devices.
2. Information Disclosure Vulnerability (CVE-2019-6540)
This vulnerability exists in the Conexus telemetry protocol due to improper implementation of encryption. By sniffing the communication traffic, an attacker could exploit this vulnerability to obtain sensitive information.
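The two weaknesses above are the absence of the properties a telemetry receiver normally enforces: that every frame is bound to a shared key (so injected or modified frames fail verification) and carries a monotonic sequence number (so captured frames cannot be replayed). The following added example is illustrative code written for this note; it is not the Conexus protocol, Medtronic code, or any real frame layout. It uses a constructed frame format (4-byte sequence number, payload, HMAC-SHA256 tag) and a constructed key, and shows a receiver rejecting replayed, tampered, and forged frames while accepting a fresh, correctly authenticated one. It covers integrity and replay only; confidentiality against sniffing (the second issue) would additionally require an authenticated cipher, which the standard library does not provide.

```python
import hashlib
import hmac
import struct

# Constructed, simplified telemetry frame layout for illustration only (assumption,
# NOT the Conexus protocol):
#   seq (4 bytes, big-endian) || payload || tag (32 bytes, HMAC-SHA256 over seq||payload)
SEQ_LEN = 4
TAG_LEN = 32


def build_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build an authenticated frame: the tag binds both the sequence number and the payload."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts a frame only if its tag verifies under the shared key and its sequence
    number is strictly greater than the last accepted one (rejects replay and reordering)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        """Return (payload, "ok") on success, or (None, reason) on rejection."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "too short"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison so the check itself does not leak tag bytes.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        (seq,) = struct.unpack(">I", header)
        if seq <= self.last_seq:
            return None, "replayed"
        self.last_seq = seq
        return payload, "ok"


def demo():
    """Run the receiver against constructed frames and return the verdict for each."""
    key = bytes(32)  # constructed all-zero key; a real system derives a per-pairing key
    rx = Receiver(key)
    verdicts = []

    # 1. Legitimate frame from the paired peer.
    good = build_frame(key, 1, b"read_log")
    verdicts.append(rx.accept(good)[1])

    # 2. The same captured frame presented again: tag verifies, but seq is not fresh.
    verdicts.append(rx.accept(good)[1])

    # 3. A captured frame with one payload byte altered: tag no longer matches.
    tampered = bytearray(build_frame(key, 2, b"read_log"))
    tampered[SEQ_LEN + 1] ^= 0x01
    verdicts.append(rx.accept(bytes(tampered))[1])

    # 4. A frame built without the shared key: cannot produce a valid tag.
    forged = build_frame(b"guessed-key", 3, b"read_log")
    verdicts.append(rx.accept(forged)[1])

    # 5. The next legitimate frame (seq 2 was never accepted, so it is still fresh).
    verdicts.append(rx.accept(build_frame(key, 2, b"status"))[1])
    return verdicts


if __name__ == "__main__":
    for i, verdict in enumerate(demo(), 1):
        print(f"frame {i}: {verdict}")
```

The rejection in case 3 happens before the sequence number is consulted, so a tampered frame cannot burn a sequence number and lock out the legitimate sender; that ordering (authenticate first, then check freshness) is the point to verify in any receiver implementation.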
Best Practices:
It is recommended that users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities:
- Maintain good physical control over home monitors and programmers.
- Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider to ensure integrity of the system.
- Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections.
- Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments.
- Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
- Report any concerning behavior regarding these products to your healthcare provider.
- Restrict system access to authorized personnel only and follow a least privilege approach.
- Apply defense-in-depth strategies.
- Disable unnecessary accounts and services.
Solution
Apply appropriate updates as mentioned by the vendor:
https://global.medtronic.com/xg-en/product-security/security-bulletins.html
Vendor Information
Medtronic
https://global.medtronic.com/xg-en/product-security/security-bulletins.html
References
Medtronic
https://global.medtronic.com/xg-en/product-security/security-bulletins.html
https://global.medtronic.com/xg-en/product-security.html
US-CERT
https://www.us-cert.gov/ics/advisories/ICSMA-19-080-01
CVE Name
CVE-2019-6538
CVE-2019-6540
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road, New Delhi - 110 003
India