Thursday, March 21, 2019

1 Advisory Published – 03-21-19

Today the DHS NCCIC-ICS published a medical device security advisory for products from Medtronic.

The advisory describes two vulnerabilities in Medtronic MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, and specific Medtronic implanted cardiac devices. The vulnerabilities were reported by Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; Eduard Marin formerly of KU Leuven, currently with University of Birmingham; Flavio D. Garcia; Tom Chothia of the University of Birmingham; and Rik Willems of University Hospital Gasthuisberg Leuven. Medtronic has provided generic mitigation measures pending development of appropriate updates.

The two reported vulnerabilities are:

• Improper access control - CVE-2019-6538; and
• Clear-text transmission of sensitive information - CVE-2019-6540

NCCIC-ICS reports that a relatively low-skilled attacker with adjacent short-range access to one of the affected products could exploit these vulnerabilities to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.

NOTE: The Food and Drug Administration has published a separate advisory for these vulnerabilities.
