Today the DHS NCCIC-ICS published a medical device security
advisory for products from Medtronic.
The advisory
describes two vulnerabilities in Medtronic MyCareLink Monitor, CareLink
Monitor, CareLink 2090 Programmer, and specific Medtronic implanted cardiac
devices. The vulnerabilities were reported by Peter Morgan of Clever Security;
Dave Singelée and Bart Preneel of KU Leuven; Eduard Marin formerly of KU
Leuven, currently with University of Birmingham; Flavio D. Garcia; Tom Chothia
of the University of Birmingham; and Rik Willems of University Hospital
Gasthuisberg Leuven. Medtronic has provided generic mitigation measures pending
development of appropriate updates.
The two reported vulnerabilities are:
• Improper access control - CVE-2019-6538; and
• Clear-text transmission of sensitive information - CVE-2019-6540
NCCIC-ICS reports that a relatively low-skilled attacker with
adjacent short-range access to one of the affected products could exploit
these vulnerabilities to interfere with, generate, modify, or
intercept the radio frequency (RF) communication of the Medtronic proprietary
Conexus telemetry system, potentially impacting product functionality and/or
allowing access to transmitted sensitive data.
NOTE: The Food and Drug Administration has published a separate
advisory for these vulnerabilities.