ICSMA-19-080-01  ·  Published 2021-04-08  ·  View on CISA ICS-CERT ↗

Medtronic Conexus Radio Frequency Telemetry Protocol (Update C)

CVSS 9.3 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.

Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) adjacent short-range access to the affected products; and (3) the products to be in states where the RF functionality is active. Before the device implant procedure and during follow-up clinic visits, Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled only for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications.

The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

Remediations

  • Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices. Additional mitigations are being developed and will be deployed through future updates, assuming regulatory approval.
  • Medtronic has developed mitigating patches for a subset of the affected implanted cardiac device models. These patches are installed during regular office visits. Medtronic has stated that patches for additional impacted models are being developed and will be deployed through future updates. Patches are currently available for the following affected models:
  • Medtronic recommends that users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  • Medtronic has released additional patient-focused information.

Affected Vendors

Medtronic

Affected Products (22)

Medtronic · MyCareLink Monitor 24950 | 24952
Medtronic · Brava CRT-D vers:all/*
Medtronic · Amplia CRT-D vers:all/*
Medtronic · CareLink Monitor 2490C
Medtronic · CareLink 2090 Programmer vers:all/*
Medtronic · Concerto CRT-D vers:all/*
Medtronic · Evera ICD vers:all/*
Medtronic · Mirro ICD vers:all/*
Medtronic · Virtuoso II ICD vers:all/*
Medtronic · Concerto II CRT-D vers:all/*
Medtronic · Visia AF ICD vers:all/*
Medtronic · Mirro MRI ICD vers:all/*
Medtronic · Viva CRT-D vers:all/*
Medtronic · Virtuoso ICD vers:all/*
Medtronic · Claria CRT-D vers:all/*
Medtronic · Secura ICD vers:all/*
Medtronic · Primo ICD vers:all/*
Medtronic · Consulta CRT-D vers:all/*
Medtronic · Protecta ICD and CRT-D vers:all/*
Medtronic · Maximo II CRT-D and ICD vers:all/*
Medtronic · Compia CRT-D vers:all/*
Medtronic · Nayamed ND ICD vers:all/*

Affected Sectors

Healthcare and Public Health
