A critical flaw allows hackers to control life-saving devices implanted inside patients

X-ray showing a cardiac defibrillator implanted in a patient.

The federal government on Thursday warned of a serious flaw in Medtronic's cardiovascular defibrillators, which allows attackers to use radio communications to surreptitiously take full control of life-saving devices after they have been implanted in a patient.

Defibrillators are small surgically implanted devices that deliver electric shocks to treat potentially fatal irregular heartbeats. In recent decades, doctors have increasingly used radios to monitor and adjust devices after implantation, rather than using older, more expensive and more invasive means. A range of implanted cardiac defibrillators manufactured by Medtronic rely on two types of radio consoles for initial setup, periodic maintenance and regular monitoring. Doctors use the company's CareLink programmer in the clinics, while patients use the MyCareLink home monitor to make sure the defibrillators are working properly.

No encryption, no authentication and lots of other faults

Researchers at security firm Clever Security have discovered that the Conexus radio frequency telemetry protocol (Medtronic's proprietary means of letting consoles connect wirelessly to implanted devices) provides no encryption to secure communications. This allows attackers within radio range to eavesdrop on those communications. Worse still, the protocol has no means of authentication by which legitimate devices prove they are allowed to take control of the implants. This lack of authentication, combined with a multitude of other vulnerabilities, allows attackers within radio range to completely rewrite the defibrillator firmware, a capability rarely seen among the medical device vulnerabilities disclosed to date.

The researchers privately notified Medtronic of this critical vulnerability in January 2018. On Thursday, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an advisory that publicly disclosed the vulnerability for the first time:

Successful exploitation of these vulnerabilities may allow an attacker with short-range access adjacent to one of the affected products to interfere with, generate, modify, or intercept the radio frequency communication of the Medtronic Conexus Telemetry System, which may affect the functionality of the product and/or allow access to the transmitted sensitive data … The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and thus to assign the desired function of the device.

The advisory rated the severity at 9.3 out of a maximum of 10 and indicated that exploitation required little skill. It further said that Medtronic has additional controls in place to detect and respond to misuse of the Conexus protocol, while continuing to develop additional measures that will be deployed as soon as they receive regulatory approval. In the meantime, CISA advised patients to take the following precautions:

  • Maintain good physical control over home monitors and programmers.
  • Use only monitors, programmers, and implantable devices obtained directly from your health care provider or a Medtronic representative to ensure the integrity of the system.
  • Do not connect unapproved devices to home monitors or programmers via USB ports or other physical connections.
  • Use programmers to connect to and interact with implanted devices only in physically controlled hospital and clinical environments.
  • Use home monitors only in private environments such as a house, an apartment or an otherwise physically controlled environment.
  • Report any concerns regarding these products to your health care provider or Medtronic representative.

A proof-of-concept attack developed by the researchers took control of implanted devices to a degree unprecedented among exploits affecting life-critical medical devices. With physical access to a MyCareLink or CareLink console, the researchers could change the patient's name, doctor's name and phone numbers, and make unauthorized and potentially fatal changes to the shocks delivered. Even more striking, the attack was able to read and rewrite all of the firmware used to operate the implant.

The researchers told Ars that, with additional work, they could have developed a custom hardware device that, when within range of an implanted defibrillator, could perform the full range of attacks that the modified MyCareLink and CareLink consoles could. They said the changes Medtronic has made to the consoles are designed to make it harder to read and rewrite the defibrillator firmware wirelessly. They warned, however, that until the wireless connections are encrypted and authenticated, they do not believe it is possible to completely prevent attacks from consoles or custom hardware.

"The changes that Medtronic has already made are to ATTEMPT to detect attacks," said Peter Morgan, founder and director of Clever Security. "Without defibrillator firmware updates, it's impossible to realistically prevent them. The changes are aimed at detecting malicious activity."

Ryan Mathre, a Medtronic representative, wrote in an email:

The practical risk that these vulnerabilities are exploited is low. To date, no cyber attacks, breaches of privacy or harm suffered by the patient have been observed or associated with these problems.

Even in the unlikely event that an unauthorized user could access wireless technology, this access does not equate to the ability to control or manipulate the settings of an implanted cardiac device.

An unauthorized user would need in-depth and specialized knowledge of medical devices, wireless telemetry and electrophysiology to fully exploit these vulnerabilities in order to harm a specific patient. An unauthorized user must have a specific malicious intent and must have specific knowledge of:

  • Which device model is implanted in the patient
  • What changes to the device would cause harm to a patient
  • What settings should be changed to change the function of the device for this patient
  • What telemetry commands are needed to implement this change
  • When patient telemetry is active and likely to be targeted by an unauthorized programming attempt

Medtronic is developing a series of software updates to better secure the wireless communications affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approval.

The FDA and Medtronic recommend that patients and physicians continue to use prescribed and intended devices and technology because the benefits of remote monitoring outweigh the risks associated with exploiting these problems.

Exploiting these problems fully requires in-depth, specialized knowledge of devices, wireless communication, and electrophysiology.

The attack disclosed on Thursday joins a series of other vulnerabilities also discovered by Clever Security, some of which were disclosed by DHS's CISA last June. The password required to gain root access to the customized version of Linux that powers the MyCareLink and CareLink monitors is an eight-character string protected by MD5, a hash algorithm long considered inadequate for password protection. As a result, the researchers were able to crack the password in 30 seconds using a consumer computer and a list of 14 million unique plaintext passwords exposed in the 2009 breach of the RockYou gaming website.

For attacks to succeed, the defibrillators must be in radio listening mode. Implanted devices enter this state when physicians set them up or maintain them and when patients perform regular checks using the CareLink device. Periodically, the implanted devices also enter this state on their own in order to connect to the CareLink monitor. The researchers said they did not actively exploit the automatic listening mode, but they confirmed it as a viable path of attack.

With knowledge of the password and a physical connection to a universal asynchronous receiver/transmitter (UART) debug port left on the console PCB, the researchers were able to gain highly privileged control of the console. They then leveraged the USB mass storage capability enabled in the operating system to install new software on the monitors. Some of that software gave the consoles the ability to directly read and write firmware on the implanted devices.

The vulnerabilities differ from a series of flaws in the CareLink 2090 programmer disclosed in August. The lack of encrypted connections between the programmer and its update servers, together with the lack of code signing, allowed the programmer to be infected with malicious software that could program the implants to prevent them from delivering shocks, or to generate life-threatening shocks. Those vulnerabilities were discovered by researchers Billy Rios and Jonathan Butts.

Morgan, the founder of Clever Security, said his company was already testing Medtronic devices when he learned that a friend was relying on one of them to treat a serious heart condition.

"Since our friend had this device installed, we felt compelled to ensure that the vulnerability was carefully corrected for all those affected by the vulnerability," Morgan said. "This has encouraged patients to be tenacious throughout the disclosure process and to make things more difficult at home. The friend still has the device. I hope that it is a little more secure than when we started."
