The United States Department of Homeland Security (DHS) has updated its cybersecurity warnings on several Medtronic programmer products because of vulnerabilities found in the medical devices.
DHS warned about Medtronic’s 2090 CareLink programmer, MyCareLink monitor, CareLink monitor and 29901 Encore programmer.
The warning also covered a product that uses a per-product username and password stored in a recoverable format, meaning anyone who obtains the stored value can reverse it to the plaintext credential rather than having to guess it.
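To make the phrase "stored in a recoverable format" concrete, the following is an added illustration written for this page. It is not Medtronic code and says nothing about how the programmer actually stores its credential; the obfuscation key, username and password are constructed for the demo. It puts a reversible (obfuscated) credential store next to a salted, iterated hash, and shows that the first yields the password to anyone holding the stored blob while the second only allows verification.

```python
# Added illustration (not Medtronic code): a credential "stored in a
# recoverable format" next to a hashed store. OBFUSCATION_KEY, the
# username and the password are constructed for this demo.
import base64
import hashlib
import hmac
import os

# --- Weak: recoverable storage -------------------------------------------
# The secret is only transformed, and the transform plus its key ship with
# the software. Anyone who extracts the stored blob (from a disk image, a
# backup, or a cleartext network capture) reverses it and gets the password.
OBFUSCATION_KEY = b"demo-key"          # constructed; would ship with the product

def _xor(data: bytes) -> bytes:
    return bytes(b ^ OBFUSCATION_KEY[i % len(OBFUSCATION_KEY)]
                 for i, b in enumerate(data))

def store_recoverable(username: str, password: str) -> bytes:
    """Obfuscate 'user:pass' and base64 it. Looks opaque, is not."""
    return base64.b64encode(_xor(f"{username}:{password}".encode()))

def recover(blob: bytes) -> tuple:
    """What anyone with the blob and the shipped key can do."""
    user, pwd = _xor(base64.b64decode(blob)).decode().split(":", 1)
    return user, pwd

# --- Hardened: one-way, salted, iterated hash -----------------------------
# The stored record lets the product verify a presented password, but does
# not yield the password to anyone who reads the record.
PBKDF2_ITERATIONS = 200_000

def store_hashed(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}

def verify_hashed(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    # Constant-time compare so timing does not leak how much matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

if __name__ == "__main__":
    blob = store_recoverable("service", "Pr0grammer!")   # constructed values
    print("recovered from weak store:", recover(blob))
    rec = store_hashed("Pr0grammer!")
    print("hashed store verifies correct password:", verify_hashed(rec, "Pr0grammer!"))
    print("hashed store verifies wrong password:", verify_hashed(rec, "pr0grammer!"))
```

The point of the contrast is that obfuscation (XOR, base64, a fixed key in the binary) does not change the threat model: the stored value is the credential. A per-product credential in such a store is compromised for every unit the moment one image is extracted, which is why advisories treat recoverable storage as a vulnerability rather than a hardening gap.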
In March, DHS had already warned of vulnerabilities in Medtronic devices that use its Conexus radio frequency telemetry protocol, including some CareLink devices. DHS’ latest update cites improper access control and cleartext transmission of sensitive information.
For these devices, successful exploitation could give an attacker access to the product to interfere with, generate, modify or intercept radio frequency communication from the Medtronic Conexus telemetry system, which could affect device functionality and expose transmitted sensitive data.
As mitigation, Medtronic stated: ‘After additional review and risk evaluation of the affected products, Medtronic has disabled the network-based software update mechanism, including both the VPN and the HTTP subservices, as an immediate security mitigation. Users should not attempt to update the affected products over the network as this update mechanism is vulnerable to the attack described in section 4.2.3. Medtronic will continue to implement and deploy increased security protections and mitigation to address the vulnerabilities in this advisory. Users should still obtain and apply updates via controlled USB dongles and should contact their Medtronic representative for more information. Medtronic recommends that affected products continue to be used for their intended purpose in the previously described manner.’