FDA warning: Scores of heart implants can be hacked from 20ft away

US warns over severe security flaw affecting the wireless communications in cardiac implants.

Pacemakers, defibrillators: Are medical IoT devices trustworthy? Do you know what's in your pacemaker's source code? Your defibrillator? Your insulin pump? No one does -- except its maker. And that's worrying.

The US government has put out an alert over a critical flaw affecting scores of Medtronic heart defibrillators that allows a nearby attacker to change the settings of a patient's cardiac device by manipulating radio communications between it and control devices. 

The main problem lies in Medtronic's proprietary Conexus radio-frequency wireless telemetry protocol, which is used as part of its remote patient-management system for communicating between defibrillators, home monitoring devices, and clinician programming devices.   

Researchers discovered that the Conexus protocol lacks any form of authentication, meaning an attacker within radio range – about 20 feet from the patient's cardiac device – can inject, replay, modify, and intercept the telemetry data.

And since the Conexus protocol allows control devices to remotely read and write memory to the heart implants, a nearby attacker with a software-defined radio could also exploit the protocol's lack of authentication to reprogram the cardiac device.

The flaw, CVE-2019-6538, has been assigned a CVSS severity rating of 9.3 out of a possible 10, according to the Department of Homeland Security (DHS) advisory.  

The US Food and Drug Administration says it has "confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient's physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer."

A second, lower-severity flaw affecting the Conexus protocol presents a potentially serious privacy threat to patients since data transmitted between cardiac and control devices is done in the clear. Again, a nearby attacker with radio equipment could intercept communications to learn about the person's specific condition.  

Medtronic emphasizes in its advisory that Conexus telemetry is not used in its pacemakers.

While DHS's advisory says the flaw requires a "low skill level" to exploit, there are some mitigating factors that should create a narrow window for an attacker to exploit the flaws.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

First, the cardiac device needs to have radio communications enabled. This happens at the clinic before the implant procedure and during follow-up visits. Outside the clinic, Medtronic says the radio activation times are "limited, vary by patient, and are difficult to be predicted". 

The FDA considers these to be "safety features", but notes that Medtronic is working on a patch that the FDA will need to approve to address the authentication and encryption weaknesses. 

Despite the severity of the authentication flaw and the potential for life-threatening harm, Medtronic and the FDA are recommending patients continue to use the devices as prescribed. 

"The benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited. These benefits include earlier detection of arrhythmias, fewer hospital visits and improved survival rates," Medtronic says. 

More on medical security