The Department of Homeland Security warned of two flaws in Medtronic cardio defibrillators that could potentially allow attackers to monitor the devices after they are implanted in a patient, and even take full control of them without the patient knowing.
Doctors surgically implant defibrillators, small devices which deliver electrical shocks to the heart, in patients to treat potentially fatal irregular heart rhythms. Doctors rely on radio communications for initial setup, periodic maintenance, and regular monitoring of Medtronic cardio defibrillators, as radio is less invasive than older methods. Researchers from Clever Security discovered that Medtronic’s proprietary protocol for wirelessly connecting monitors to the devices did not use encryption to prevent anyone from eavesdropping on the signals, and there was no authentication to prove the instructions came from legitimate sources.
Attackers with “adjacent short-range access” can potentially “interfere with, generate, modify, or intercept” the radio frequency signals as they pass between the devices and monitors, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said in an advisory.
“The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device,” the CISA advisory said.
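The two missing protections the researchers describe, encryption and authentication, are independent: a link can leak its traffic and still reject forged commands, or hide its traffic and still accept them. The following added example (it is not code from the article, from Clever Security or from Medtronic, and the frame layout, field names, key and counter scheme are all constructed for illustration) shows a minimal monitor-to-device command frame first with no integrity check, where a receiver silently accepts a value changed in transit, and then with a keyed HMAC tag and a monotonic counter, where the receiver rejects modified, forged and replayed frames. It covers only the authentication half; confidentiality would need an authenticated cipher such as AES-GCM on top.

```python
"""Added example, not from the article: an unauthenticated command frame
beside an HMAC-authenticated one with replay protection. The frame layout,
the command names and the key handling are constructed assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


# --- Unauthenticated frame: a link with no integrity check -----------------

def encode_plain(command: str, value: int) -> bytes:
    """Frame = ASCII command name, '=', 2-byte big-endian value. No key, no tag."""
    return command.encode("ascii") + b"=" + struct.pack(">H", value)


def decode_plain(frame: bytes) -> tuple[str, int]:
    """The receiver trusts whatever arrives: a modified frame decodes just fine."""
    name, _, raw = frame.partition(b"=")
    (value,) = struct.unpack(">H", raw)
    return name.decode("ascii"), value


def tamper_plain(frame: bytes, new_value: int) -> bytes:
    """Simulate an in-transit change of the 2-byte value field."""
    return frame[:-2] + struct.pack(">H", new_value)


# --- Authenticated frame: HMAC over (counter || payload) plus replay check --

def encode_authenticated(key: bytes, counter: int, command: str, value: int) -> bytes:
    """Frame = 4-byte counter || payload || 32-byte HMAC-SHA256(key, counter||payload)."""
    payload = encode_plain(command, value)
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_authenticated(key: bytes, frame: bytes, last_counter: int) -> tuple[str, int, int]:
    """Return (command, value, counter) or raise ValueError.

    Rejects frames whose tag does not verify (forged or modified in transit)
    and frames whose counter is not strictly greater than the last accepted
    one (replayed captures)."""
    if len(frame) < 4 + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication tag mismatch")
    (counter,) = struct.unpack(">I", body[:4])
    if counter <= last_counter:
        raise ValueError("replayed or out-of-order frame")
    command, value = decode_plain(body[4:])
    return command, value, counter


def tamper_authenticated(frame: bytes, new_value: int) -> bytes:
    """Same in-transit change, leaving the counter and the old tag untouched."""
    return frame[:-TAG_LEN - 2] + struct.pack(">H", new_value) + frame[-TAG_LEN:]


def demo() -> dict:
    """Run both links against the same modification and a replay."""
    key = secrets.token_bytes(32)  # per-device key provisioned out of band (assumption)
    results = {}

    plain = encode_plain("SHOCK_J", 30)
    results["plain_accepted_tampered"] = decode_plain(tamper_plain(plain, 41))

    auth = encode_authenticated(key, 1, "SHOCK_J", 30)
    results["auth_valid"] = verify_authenticated(key, auth, 0)[:2]
    try:
        verify_authenticated(key, tamper_authenticated(auth, 41), 0)
        results["auth_tampered"] = "accepted"
    except ValueError as err:
        results["auth_tampered"] = str(err)
    try:
        verify_authenticated(key, auth, 1)  # same frame delivered a second time
        results["auth_replay"] = "accepted"
    except ValueError as err:
        results["auth_replay"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The counter is what turns a tag check into replay protection: without it, a captured valid frame verifies forever. In a real device the key would be unique per implant and the counter persisted across power cycles, which is why bolting authentication onto a fielded protocol is a firmware change rather than a monitoring add-on.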
Taking Over Defibs
The researchers developed a proof-of-concept which let them take control of the implanted device and then use the radio console to pull names and phone numbers of the patient and physician from the device. They were also able to use the console to change the amount of shocks the devices delivered, which could potentially be fatal to the patient, as well as to completely rewrite the device firmware.
This was possible because the researchers knew the hard-coded password to gain root access to the custom Linux operating system installed on the console and were able to physically connect to a debugging port on the console’s circuit board, reported Ars Technica. The password was an eight-character string protected by the weak MD5 hash algorithm.
Researchers told Ars they could potentially develop a custom hardware device which could carry out the same attack without needing physical access to the Medtronic radio consoles.
Medtronic representative Ryan Mathre told Ars the attacker would need to know exactly which device model was implanted in the patient and the exact commands which would make specific changes. The attacker would also have to be in radio range at the right time, since the implanted device has to be in “listen mode” to receive instructions.
This kind of an attack would require advance planning and careful targeting. It’s not as if someone can launch an attack that would compromise implanted devices indiscriminately.
“Fully exploiting these issues requires comprehensive and specialized knowledge of devices, wireless communication and electrophysiology,” Mathre said.
Future of Device Security
The CISA advisory said Medtronic has developed additional controls to detect and respond to any abuses of the wireless protocol, and that other measures will be deployed after receiving regulatory approvals. It’s not clear at the moment if Medtronic will be updating the firmware to require encryption or authentication. Clever Security researchers told Ars that Medtronic’s changes focus on detecting attack attempts, and the problem would not be fixed without actual changes to the firmware.
CISA has assigned a severity rating of 9.3 (out of 10) on the CVSS v3 scale and said the issue was “exploitable with adjacent access/low skill level to exploit.” That doesn’t match Medtronic’s claim that the attacker would need “comprehensive and specialized knowledge.”
In fact, Mathre appears to downplay the severity of the issue in the statement to Ars: “Even in the unlikely scenario that an unauthorized user may be able to access the wireless technology, that access does not equate to the ability to control or manipulate the settings.”
This resistance to fixing issues isn’t specific to Medtronic. Researchers are scrutinizing the security of medical devices because these devices, if compromised, have the potential to cause a lot of harm. CISA advisories highlight the severity of issues such as the lack of access control and encryption. However, medical technology companies are just as likely to wait until they absolutely have to fix the issue, either because of an actual security incident or because regulators demanded a fix.
The question of what device makers have to do came up during the comment period for the Food and Drug Administration’s updated guidance for the cybersecurity of premarket medical devices. The FDA had proposed a two-tier system in the draft guidance to classify medical devices based on their security risk. Commenters said the FDA needed to redefine risk and what the device makers’ responsibilities were.
Healthcare organization Kaiser Permanente asked FDA to “address the responsibility of all stakeholders to ensure security of and risk mitigation of medical devices exploiting network vulnerabilities." Devices can pose risks for enterprises and patients without causing direct harm—such as a network security flaw in a device allowing patient data in electronic medical records to be exposed or modified.
"Many of our members continue to be confronted with some manufacturers who refuse to take action on known vulnerabilities choosing either to categorize them as 'controlled risks' or saying they will wait until the FDA recalls a device," wrote the College of Healthcare Information Management Executives (CHIME), an association of healthcare CIOs and CISOs. The group noted that some manufacturers have still not deployed the Microsoft update (MS17-010) that closes the security flaw that WannaCry exploited to certain medical devices “due to the manufacturers classifying that vulnerability as a controlled risk.”
"Importantly, we believe that the FDA must be as explicit as possible with manufacturers around their expectations,” CHIME wrote. “Without clear direction to the manufacturers about what is required, the burden of proof for demonstrating a standard has been met and devices are secure will be shouldered by providers.”