The implanted defibrillators are designed to treat potentially deadly heart problems. They are placed beneath the skin and deliver electric shocks if an irregular heartbeat is detected.
The Star Tribune reports that as many as 750,000 of Medtronic’s defibrillators contain a vulnerability that would allow an attacker to change or possibly inject data sent between a device and its controller.
Ars Technica writes that security firm Clever Security discovered the Conexus Radio Frequency Telemetry Protocol, which Medtronic uses to connect monitors wirelessly to implanted devices, features no authorization or authentication processes, meaning attackers with the right equipment and within radio range could alter the implant’s settings and harm or even kill the patient.
A second, less-serious issue is related to the lack of encryption in the Conexus transmissions, allowing attackers to access sensitive data being sent over the air.
Sixteen different models of Medtronic defibrillators are affected by the vulnerabilities. Medtronic says the risk to patients is low as hackers need to be close to users—around 20 feet. It added that it is monitoring its network for anyone trying to exploit the flaws, and that the defibs will shut down wireless transmission upon receiving any unusual requests. The company is working on a fix for the vulnerabilities, which should arrive later this year.
Medtronic and the FDA “recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients’ devices and heart conditions.”
Author: Rob Thubron