ICSMA-20-170-05 · Published 2020-06-18
BIOTRONIK CardioMessenger II
CVSS 4.6 (MEDIUM)
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker with physical access to the CardioMessenger to obtain sensitive data, obtain transmitted medical data from implanted cardiac devices with the implant's serial number, or impact CardioMessenger II product functionality. Successful exploitation of these vulnerabilities could also allow an attacker with adjacent access to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network.
Remediations
- BIOTRONIK reports they will not be issuing a product security update; however, BIOTRONIK has identified compensating controls which have been put in place that reduce the risk of exploitation and prevent patient safety risks. BIOTRONIK assessed these vulnerabilities and determined no new potential safety risks exist. BIOTRONIK recommends users take the following defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Affected Vendors
BIOTRONIK
Affected Products (2)
- BIOTRONIK · CardioMessenger II-S T-Line T4APP 2.2
- BIOTRONIK · CardioMessenger II-S GSM T4APP 2.2
Affected Sectors
Healthcare and Public Health