FDA Warns of Flaws in Medtronic Programmers
18.10.2018 securityweek

A vulnerability in the software update process of certain Medtronic Programmer models has determined the vendor to block the functionality on affected devices, the U.S. Food and Drug Administration (FDA) informs.

The flaw was found to impact the Internet connection of Medtronic's Carelink 2090 and Carelink Encore 29901 programmers, and could allow malicious attackers to tamper with the programmers or implanted devices, the FDA reveals.

The programmers are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

The programmers allow physicians to obtain data from CIEDs (including performance information and battery status) and adjust or reprogram devices, but are also used by Medtronic to deliver software updates to the implanted devices.

The programmer software can be downloaded and updated over the Internet, by connecting to the Medtronic Software Distribution Network (SDN), or by physically plugging a universal serial bus (USB) device into the programmer.

Medtronic has discovered the vulnerabilities in the Internet connection of both Carelink 2090 and Carelink Encore 29901 programmers and has disabled access to the SDN through a software update.

“To remediate these vulnerabilities and enhance cybersecurity of device programmers, Medtronic has disabled access to the SDN. When software updates are needed, a Medtronic representative will manually update, via a secured USB, all CareLink 2090 and CareLink Encore 29901 programmers,” Medtronic notes in a security bulletin (PDF).

Although the programmers use a virtual private network (VPN) to connect to the Medtronic SDN over the Internet, the devices would not verify that they were still connected to the VPN before starting to download software updates.

“To address this cybersecurity vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic's update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN,” the FDA says.

Now, any attempt to update the programmer over the Internet by selecting the "Install from Medtronic" option will result in error messages such as "Unable to connect to local network" or "Unable to connect to Medtronic."

“To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities,” the FDA’s safety communication reads.

Previously, the United States Department of Homeland Security (DHS) alerted on the vulnerabilities in 2090 Programmers in February, revealing that they “may allow an attacker with physical access […] to obtain per-product credentials to the software deployment network.”

“Additionally, successful exploitation of these vulnerabilities may allow an attacker with local network access to influence communications between the Programmer and the software deployment network,” the DHS notes in its alert.