FDA issues safety alert for Medtronic defibrillators due to cybersecurity vulnerabilities

Henrietta Strickland
March 24, 2019

The defibrillators are placed beneath the skin and deliver electric shocks if an irregular heartbeat is detected.

The wireless telemetry protocol, which is used to transmit patient data from the implanted cardiac device to Medtronic clinic programmers and home monitors, is vulnerable because it does not use "encryption, authentication, or authorization", according to the agency. The issue affects 16 separate Medtronic defibrillators, which wirelessly connect to monitoring devices.

The US Food and Drug Administration has issued a safety communication warning doctors and patients about cybersecurity vulnerabilities in several of Medtronic's products, including implantable cardioverter-defibrillators (ICDs) and combination cardiac resynchronization therapy-defibrillators (CRT-Ds), that rely on wireless telemetry. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

A major flaw in defibrillator implants, used by more than 31,000 people in the United Kingdom, could allow hackers to take control of the devices and harm patients.

In addition to keeping monitors and programmers physically safe, patients are being discouraged by Medtronic from plugging USB sticks and other unapproved accessories into the devices.

Researchers told Ars they could potentially develop a custom hardware device that could carry out the same attack without needing physical access to the Medtronic radio consoles. The attacker would also have to be in radio range at the right time, since the implanted device has to be in "listen mode" to receive instructions.

This kind of attack would require advance planning and careful targeting.
