The U.S. Department of Homeland Security has issued a notice that some Medtronic implanted defibrillators contain vulnerabilities that would allow attackers with detailed knowledge of the devices and physical proximity to a patient who has one to exploit them. The Star Tribune reported on Thursday that as many as 750,000 units could be vulnerable.
Implanted defibrillators are small devices that prevent potentially fatal heart problems by administering electrical shocks to treat irregular heartbeats. The agency said Thursday that, if exploited, the vulnerabilities in some Medtronic devices would allow an attacker to gain access to and potentially affect the functionality of certain models of defibrillators and monitoring devices.
According to Ars Technica, the vulnerabilities were flagged to Medtronic in January of last year by researchers with the security firm Clever Security, who made a number of alarming findings:
A proof-of-concept attack developed by the researchers was able to take control of the implanted devices in a way that had not previously been seen in most designs affecting life-saving medical devices. With physical access to a MyCareLink or CareLink console, researchers could make changes that would pull patient names, doctor names, and relevant phone numbers out of the device and make unauthorized and potentially fatal changes to the shocks the devices delivered. Even more impressive, the attack could read and rewrite all of the firmware used to operate the implant.
DHS listed more than a dozen Medtronic heart devices affected by the flaws, including implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, but the company said the flaws do not affect other Medtronic devices such as pacemakers.
Medtronic said in a statement to Gizmodo that it is currently monitoring for unusual or unauthorized activity related to the vulnerabilities, but that it has found no cases of successful exploitation of the flaws to date. The company added that it is working on security fixes for the flaws, the first of which it expects to release later this year.
Despite the federal advisory, the company's chief medical officer, Robert Kowal, told the Star Tribune that the vulnerability "would be very difficult to exploit to cause harm." DHS also noted that an attacker would need "short-range" access to one of the affected Medtronic devices to carry out an exploit, a distance that Kowal told the paper would be within about 20 meters.
In an e-mail statement, a Medtronic spokesman said that both the company and the Food and Drug Administration "recommend that patients and doctors continue to use the devices and technology as prescribed and intended, as this provides the most effective way to manage patients' devices and heart disease."
According to Medtronic, patients should also only use defibrillator monitoring devices provided to them by either Medtronic or their physician. The company also recommended that people maintain "good physical control" over their monitors and avoid connecting them to unauthorized devices.
[DHS via Star Tribune, Ars Technica]