FDA Alert: Signal Vulnerability Found in Defibrillators

The US Food and Drug Administration (FDA) has issued an alert regarding a critical flaw affecting Medtronic heart defibrillators. The vulnerability allows a threat actor to alter settings of a cardiac apparatus by manipulating the radio communications signal between the device and control equipment. The main issue lies in Medtronic's proprietary Conexus radio-frequency wireless telemetry protocol, which lacks an authentication procedure. The attacker could potentially modify, inject, or intercept transmissions within radio range, or about 20 feet from the patient. According to the Department of Homeland Security (DHS) advisory, the vulnerability, CVE-2019-6538, has been assigned a severity rating of 9.3 out of a possible 10. The FDA recommends patients to continue using the devices as prescribed while Medtronic is working on a patch. 

The NJCCIC advises those who use or know someone who uses Medtronic defibrillators to utilize only home monitors, programmers, and implantable devices obtained directly from their healthcare provider or Medtronic vendor to ensure integrity of the system. Also, we recommend users refrain from connecting unapproved devices to home monitors and programmers through USB ports or other physical connections. We encourage users to review additional resources from Medtronic here.