Medtronic Conexus Telemetry Vulnerabilities

Medtronic has released details of two vulnerabilities in their proprietary Conexus radio-frequency telemetry protocol, used by a number of their cardiac resynchronisation therapy defibrillators (CRT-D) and implantable cardioverter defibrillator implant products.

Threat ID:: CC-2991
Category:
Threat Severity:: Low
Threat Vector:
Published:: 26 March 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Medtronic MyCareLink Patient Monitors

Medtronic Amplia CRT-D - All versions

Medtronic CareLink 2090 Programmer - All versions
Medtronic CareLink Monitor - Version 2490C
Medtronic Claria CRT-D - All versions
Medtronic Compia CRT-D - All versions
Medtronic Concerto CRT-D - All versions
Medtronic Concerto II CRT-D - All versions
Medtronic Consulta CRT-D - All versions
Medtronic Evera ICD - All versions
Medtronic Maximo II CRT-D and ICD - All versions
Medtronic Mirro ICD - All versions
Medtronic MyCareLink Monitor - Versions 24950 and 24952
Medtronic Nayamed ND ICD - All versions
Medtronic Primo ICD - All versions
Medtronic Protecta ICD and CRT-D - All versions
Medtronic Secura ICD - All versions
Medtronic Virtuoso ICD - All versions
Medtronic Virtuoso II ICD - All versions
Medtronic Visia AF ICD - All versions and
Medtronic Viva CRT-D - All versions

Threat details

An unauthenticated attacker within local radio range may exploit these vulnerabilities to alter device settings or obtain sensitive information.

For further information:

Remediation steps

Type	Step
	Medtronic has developed additional controls to monitor Conexus telemetry and respond to improper use of it by the affected devices. They have also confirmed further control are being developed and will be deployed in future updates.

Last edited: 14 February 2020 2:43 pm