Homeland Security details vulnerabilities in Medtronic ICD, CRT-Ds, CareLink devices

The U.S. Dept. of Homeland Security today released a medical advisory warning of vulnerabilities in a number of Medtronic (NYSE:MDT) implanted cardiac devices and associated equipment that could allow an attacker to affect the functionality of the devices or intercept sensitive data they transmit. The vulnerability affects Fridley, Minn.-based Medtronic devices using its Conexus radio frequency telemetry protocol, according to the release, and requires only a low level of skill and adjacent access to exploit.

Successful exploitation could allow an outside actor to “interfere with, generate, modify, or intercept” the RF communication of the Conexus telemetry system, the HHS said. To do so, an attacker would need an RF device capable of transmitting or receiving Conexus telemetry communication, would need to be within adjacent short range of the products, and the products would need to be in states where RF functionality is active, according to the release.

Before the device is implanted and during follow-up clinic visits, Conexus telemetry sessions require initiation by an inductive protocol, the HHS said. Outside of those environments, the RF radio is only enabled for brief periods of time to support follow-up transmissions and “other operational safety notifications.”

The HHS warned that the Conexus telemetry protocol does not implement authentication, authorization or encryption. The exploit affects Medtronic devices that use its Conexus telemetry protocol, according to the ...
Source: Mass Device - Category: Medical Devices Authors: Tags: Cardiac Assist Devices Cardiac Implants Software / IT Medtronic Source Type: news