Remote Code Implantation Flaw Found in Medtronic Cardiac Programmers

A flaw in Medtronic’s CareLink 2090 and CareLink Encore 29901 programmers, which are portable computer systems used to manage implanted cardiac devices in clinical settings, would have allowed remote code implantation over Medtronic’s dedicated Software Deployment Network (SDN).

The programmers are used for programming, testing and evaluating “cardiac implantable electrophysiology devices,” a.k.a. CIEDs. These include pacemakers, implantable defibrillators to provide an electrical shock or pacing to stop dangerously fast heart rhythms, cardiac resynchronization devices to pace the heart to improve contraction to treat heart failure, and insertable cardiac monitors for long-term cardiac monitoring for irregular or abnormal heart rhythms.

The SDN meanwhile is a worldwide network hosted by Medtronic that allows the download of new or updated software to the programmers using a network connection.

The vulnerabilities, identified by well-known med-device researchers Billy Rios and Jonathan Butts from White Scope, would have allowed someone to remotely update the programmers with non-Medtronic software over the SDN, thus changing the programmer’s functionality or affecting the CIED during the device implantation procedure or during follow-up visits.

In turn, that could have resulted in potential harm to a patient if exploited, according to a Medtronic alert – although to date, no attacks have been recorded.

“Specifically, this cybersecurity vulnerability is associated with using an internet connection to update software between the CareLink and CareLink Encore programmers and the SDN,” the FDA said in its own alert. “Software updates normally include new software for the programmer’s functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates.”

Medtronic and ICS-CERT previously issued a security bulletin on issues in the programmers in February, followed by an update in June 2018. The latest alert however was prompted by the discovery that an attacker would not necessarily need to have physical access to the programmer in order to exploit the vulnerabilities.

To remediate the problem, Medtronic said in its alert that it has disabled access to the SDN (remote access is not needed for in-person programming of implants) – and it said that it’s working on additional security updates that a Medtronic representative will manually update, via a secured USB.

For now, anyone attempting to update the programmer through the internet by selecting the “Install from Medtronic” button will see error messages that say things like, “Unable to connect to local network” or “Unable to connect to Medtronic.”

Other Medtronic-provided features that require network connections to the SDN, like the SessionSync and RemoteView functions, are not impacted by the vulnerabilities.

Hacking Patient Safety

Flaws in medical gear have raised the specter of harming or even killing patients through hacking for years – though it hasn’t happened to date, thankfully. Researchers tend to point the finger at a lax culture around cybersecurity from medical device manufacturers and healthcare professionals (and a lack of user education around good security measures).

For instance, at DEF CON 2018, Doug McKee, senior security researcher at McAfee’s Advanced Threat Research team, disclosed a weakness in the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient’s condition and vital signs. The flaw allows data on the patient’s condition to be modified by an attacker in real-time, to provide false information to medical personnel.

The ramifications are profound; false information could lead a doctor to prescribe medication that the patient doesn’t need; or, a patient could be thought to be peacefully resting, when in fact they are under cardiac arrest. Further, McKee found that a lack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors.

Earlier this year, Abbott (formerly St. Jude Medical) pushed a firmware upgrade for 350,000 implantable defibrillators. A backdoor had been discovered in certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices that, if exploited, could allow an attacker to manipulate the implants and cause heart problems and even death.

The patch was part a planned series of updates that began with pacemakers, programmers and remote monitoring systems in 2017, following 2016 claims by researchers that the then-St. Jude’s cardiac implant ecosystem was rife with cybersecurity flaws that could result in “catastrophic results.”

There are yet more examples of healthcare devices being built without adequate security. Last year, 8,000 vulnerabilities were discovered across seven different pacemaker programmers (a device used for programming pacemakers) from four different manufacturers. White Scope, which reported all of the vulnerabilities to DHS ICS-CERT, focused its research on programmers that have RF capabilities. Thousands of flaws in third-party libraries came to light—and all of the programmers that White Scope examined had outdated software with known vulnerabilities. For instance, many of them run Windows XP.

In 2016, researchers warned that patients who used certain insulin pumps made by Johnson & Johnson were at the mercy of vulnerabilities in the devices, which could be exploited to trigger an overdose.

Even as far back as 2012, the late IoT researcher Barnaby Jack, then at IOActive, demonstrated that several vendors’ pacemakers could be remotely controlled and commanded to deliver a 830-volt shock via a laptop, That is, of course, enough to kill someone, and Jack noted at the time that the vulnerabilities open the door to “mass murder.”

At Black Hat 2018, researchers stressed that the healthcare device landscape remains insecure and in need of addressing.

“Whether [healthcare professionals] like it or not, code, networks and devices are now caring for patients every single day, and it is so important to remember that securing them, we think, will save lives,” said Christian Dameff, M.D. at the University of California at San Diego School of Medicine and a security researcher, in a session at the conference.