Incident: Vulnerability in Medtronic Defibrillators Allows Hackers to Collect Data

Published Date: 2019-03-30

Postmortem Analysis
Timeline 1. The Department of Homeland Security (DHS) medical advisory describing the vulnerability in Medtronic's implantable defibrillators was issued in March 2019, as reported in the article published on March 30, 2019 [82238]. The article does not state when the flaw was introduced into the Conexus telemetry protocol, only that it was disclosed at that time.
System The incident in Article 82238 involved the Conexus telemetry system used in certain Medtronic ICD (implantable cardioverter defibrillator) and CRT-D (cardiac resynchronization therapy defibrillator) models. The components that failed are: 1. The Conexus telemetry protocol, which implements no authentication or authorization 2. The ICD and CRT-D models that communicate over that protocol, together with the home monitors and programmers that talk to them [82238]
Responsible Organization 1. Medtronic, whose Conexus telemetry protocol was shipped without authentication or authorization in the affected ICD and CRT-D models [82238]. The article does not report an attack by any third party: to date no cyber attack, privacy breach, or patient harm has been observed or associated with the vulnerability [82238].
Impacted Organization 1. Patients with the affected Medtronic implantable defibrillators [82238]. 2. Medtronic, which must develop and obtain regulatory approval for software updates to the affected devices [82238].
Software Causes 1. The Conexus telemetry protocol that the affected defibrillators use to communicate with home monitors and programmers implements no authentication or authorization, so any party with adjacent short-range access to the radio link can inject, replay, modify, and intercept telemetry data [82238]. 2. Because the protocol itself is unsecured, a device cannot distinguish a legitimate programmer or monitor from an attacker's transmitter; DHS rated the resulting attack as requiring only a low skill level [82238].
Non-software Causes 1. None reported in the article. The only precondition the DHS advisory cites is attacker proximity (adjacent short-range access to the device's radio link), which is an environmental condition for exploitation rather than a defect in hardware or procedure [82238].
Impacts 1. An attacker within short range could interfere with and collect sensitive data from the affected defibrillators by injecting, replaying, modifying, and intercepting telemetry traffic [82238]. 2. DHS issued a medical advisory rating the attack as low skill, and Medtronic had to begin developing security updates for the devices' wireless communication, the first scheduled for later in 2019 pending regulatory approvals [82238]. 3. No cyber attack, privacy breach, or patient harm had been observed or associated with the vulnerability as of the article's publication; the impact is therefore a demonstrated exposure rather than an observed compromise [82238].
Preventions 1. Authenticating and authorizing every party in the Conexus telemetry exchange, so that a device accepts only frames from a paired, legitimate programmer or home monitor and rejects injected, replayed, or modified data [82238]. 2. Regular security updates to the wireless communication software, delivered before a flaw is publicly disclosed rather than after an advisory [82238]. 3. Operational controls: keeping physical control over home monitors and programmers, using only approved devices obtained directly from a healthcare provider, and never connecting unapproved devices to them [82238].
Fixes 1. Medtronic is developing software updates to improve the security of the devices' wireless communication; the first is scheduled for later in 2019, pending regulatory approvals [82238]. 2. Interim mitigations for patients and clinicians: maintain physical control over home monitors and programmers, use only approved devices obtained directly from healthcare providers, and do not connect unapproved devices [82238].
References 1. Department of Homeland Security (DHS) [82238] 2. Medtronic [82238] 3. Food and Drug Administration (FDA) [82238] 4. Nadir Izrael, CTO and Co-Founder, Armis [82238]
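The prevention the advisory points at, authenticating and authorizing each telemetry frame, is easier to reason about with a concrete model. The Python below is an added example written for this page; it is not Medtronic's code and does not reproduce the Conexus wire format. It models the flaw (a receiver that accepts any well-formed frame) next to a hardened receiver that binds every frame to a per-pairing key with an HMAC tag and rejects reused counters, then runs the three attacker actions the advisory lists (replay, modify, inject) against both. The frame layout, the device id 0x1234, the pairing key and the payload strings are all assumptions.

```python
"""
Added example (constructed for this page; not Medtronic's code and not the
Conexus wire format). It models a telemetry link with no authentication or
authorization, the flaw the DHS advisory describes, next to a hardened
version that binds each frame to a pairing key and a monotonic counter.
Assumed: the frame layout, device id 0x1234, the key, and the payloads.
"""
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 16  # assumption: truncated HMAC-SHA256 tag appended to each frame

# Assumed frame layout: device_id (4) | counter (4) | payload_len (2) | payload | [tag]
HDR = struct.Struct(">IIH")


def build_frame(device_id: int, counter: int, payload: bytes, key: Optional[bytes]) -> bytes:
    """Encode one telemetry frame.

    key=None yields an unauthenticated frame (the flawed design): nothing in it
    proves who sent it or that it has not been altered or seen before.
    With a key, an HMAC over header+payload is appended, so only a holder of
    the pairing key (an authorized programmer or monitor) can produce a valid frame.
    """
    body = HDR.pack(device_id, counter, len(payload)) + payload
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Device side of the link.

    With key=None every well-formed frame addressed to this device is accepted,
    which is what "no authentication or authorization" means on the wire.
    With a key, a frame is accepted only if its tag verifies (rejects injected
    and modified frames) and its counter is higher than any seen before
    (rejects replays).
    """

    def __init__(self, device_id: int, key: Optional[bytes]):
        self.device_id = device_id
        self.key = key
        self.last_counter = -1
        self.accepted: list = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < HDR.size:
            return False
        device_id, counter, plen = HDR.unpack_from(frame)
        body_end = HDR.size + plen
        if device_id != self.device_id:
            return False
        if self.key is None:
            if len(frame) != body_end:
                return False
            self.accepted.append(frame[HDR.size:body_end])
            return True
        if len(frame) != body_end + TAG_LEN:
            return False
        body, tag = frame[:body_end], frame[body_end:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # injected or modified: sender does not hold the pairing key
        if counter <= self.last_counter:
            return False  # replayed: this counter value has already been consumed
        self.last_counter = counter
        self.accepted.append(frame[HDR.size:body_end])
        return True


def run_attacks(key: Optional[bytes]) -> dict:
    """Deliver one genuine frame, then the three adjacent-attacker actions the
    advisory lists (replay, modify, inject), and report which ones are accepted."""
    dev = Receiver(device_id=0x1234, key=key)
    genuine = build_frame(0x1234, 1, b"rate=72", key)
    result = {"genuine": dev.receive(genuine)}
    # Replay: the attacker re-sends the captured frame byte for byte.
    result["replay"] = dev.receive(genuine)
    # Modify: flip the low bit of one payload byte ('7' -> '6'), leave the rest intact.
    tampered = bytearray(genuine)
    tampered[HDR.size + 5] ^= 0x01
    result["modify"] = dev.receive(bytes(tampered))
    # Inject: the attacker crafts a fresh frame; without the key any tag it adds is garbage.
    forged = build_frame(0x1234, 99, b"cmd=reprogram", None)
    if key is not None:
        forged += b"\x00" * TAG_LEN
    result["inject"] = dev.receive(forged)
    return result


if __name__ == "__main__":
    print("unauthenticated link:", run_attacks(None))
    print("authenticated link:  ", run_attacks(b"per-device pairing key (assumed)"))
```

The unauthenticated receiver accepts all four frames; the keyed one accepts only the genuine frame. Two caveats a practitioner would add: a MAC alone does nothing against the fourth action in the advisory, interception, so a real link also needs encryption (an AEAD mode covers both), and the replay counter must survive device resets and be provisioned together with the key at pairing time, otherwise a reset reopens the replay window.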

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The article describes a single incident confined to one organization, Medtronic: several ICD and CRT-D models share the Conexus telemetry system and therefore the same unauthenticated protocol, so one design flaw affects a whole product line [82238]. The article gives no evidence of an earlier incident of this kind at Medtronic; it reports that Medtronic is developing software updates to improve the security of wireless communication, the first scheduled for later in 2019 [82238]. (b) The article contains no information about a similar incident at another organization or in another vendor's products.
Phase (Design/Operation) design, operation (a) Design: the vulnerability is a property of the Conexus telemetry protocol as designed. DHS stated that the protocol implements no authentication or authorization, so an attacker with adjacent short-range access can inject, replay, modify, and intercept data within the telemetry communication [82238]. (b) Operation: the risk materializes while the devices are in use and paired with home monitors and programmers. Because the protocol cannot tell a legitimate peer from an attacker, the advisory's operational guidance is to keep physical control over home monitors and programmers, use only approved devices obtained directly from healthcare providers, and never connect unapproved devices [82238].
Boundary (Internal/External) within_system (a) within_system: the failure originates inside the system. The Conexus telemetry protocol implements no authentication or authorization, so the devices themselves accept telemetry from any transmitter with adjacent short-range access [82238]. An attacker is needed to exploit the flaw, but the flaw is the system's own missing security control, not an external input the system could not reasonably have handled.
Nature (Human/Non-human) non-human_actions, human_actions (a) non-human_actions: the failure is a property of the Conexus telemetry protocol rather than an operator error; DHS noted that the protocol lacks authentication or authorization, so an attacker with adjacent short-range access can interfere with the telemetry communication [82238]. (b) human_actions: the flaw is the product of human design decisions. Nadir Izrael, CTO and Co-Founder of Armis, attributed the exposure of such connected medical devices to a lack of security in their design, and any actual exploitation would itself be a deliberate human action [82238].
Dimension (Hardware/Software) hardware, software (a) Hardware: the affected components are implanted ICDs and CRT-Ds and their radio telemetry hardware. The flaw is not a defect in that hardware, but the hardware is what makes the flaw hard to remediate: the vulnerable protocol is embedded in devices that are already implanted and can only be changed by a regulator-approved software update, the first of which was not scheduled until later in 2019 [82238]. (b) Software: the vulnerability itself is a software and protocol flaw. The Conexus telemetry protocol implements no authentication or authorization, which is what lets an attacker with adjacent short-range access inject, replay, modify, and intercept telemetry data [82238].
Objective (Malicious/Non-malicious) malicious (a) The failure mode at issue is deliberate exploitation. The Conexus telemetry protocol's lack of authentication or authorization becomes a failure only when an attacker with adjacent short-range access chooses to inject, replay, modify, or intercept telemetry; DHS rated that attack as requiring only a low skill level and warned it could lead to interference with, and collection of, sensitive data from the devices [82238]. The article adds that connected devices in healthcare settings are being targeted by malicious actors, although it reports no observed attack on these devices to date [82238].
Intent (Poor/Accidental Decisions) poor_decisions (a) The vulnerability stems from a design decision rather than a slip: the Conexus telemetry protocol was specified and shipped without authentication or authorization, which DHS noted leaves the devices open to attackers of low skill level [82238]. Omitting the control that would distinguish an authorized programmer from any other transmitter, in a wireless protocol for an implanted device, is a poor engineering decision made during design and development, not an accidental defect introduced later.
Capability (Incompetence/Accidental) development_incompetence, accidental (a) development_incompetence: the Conexus telemetry protocol was built without authentication or authorization, as the DHS advisory notes [82238]. Shipping a wireless protocol for implanted devices without that basic control reflects a gap in security engineering practice, and it left the devices open to attackers of low skill level. (b) accidental: nothing in the article suggests the exposure was intended; the ability to intercept and manipulate telemetry is a side effect of the protocol's design flaws and missing security measures, not a deliberate feature [82238].
Duration temporary The failure is temporary in the sense that it is correctable: the exposure comes from the unsecured Conexus telemetry protocol, which lacks authentication and authorization, and Medtronic is developing software updates to improve the security of wireless communication, the first scheduled for later in 2019 pending regulatory approvals [82238]. Until an update is approved and applied to each implanted device, the vulnerability remains present in the field.
Behaviour value, other (a) crash: not a crash; the devices do not lose state or stop performing their functions. The vulnerability lets an attacker interfere with and collect sensitive data, so the system remains operational but is exposed [82238]. (b) omission: not an omission; the devices do not fail to perform their intended functions, they are open to unauthorized interference while performing them [82238]. (c) timing: not a timing failure; the flaw is a missing security control in the communication protocol, not a function performed too early or too late [82238]. (d) value: the closest match among the functional categories. The telemetry layer is meant to exchange data only with an authorized programmer or home monitor, but it accepts and emits data for any transmitter within short range, so injected, replayed, or modified telemetry is processed as if it were genuine [82238]. (e) byzantine: not byzantine; the devices respond consistently, the problem is that they respond to anyone [82238]. (f) other: the incident is best described as a security vulnerability rather than a functional failure. The Conexus telemetry system implements no authentication or authorization, which lets an attacker with short-range access interfere with the data communication even though the device otherwise operates as designed [82238].

IoT System Layer

Layer Option Rationale
Perception None The article does not attribute the failure to the sensing or actuation components of the defibrillators; the devices' clinical function is not reported to be affected [82238].
Communication Conexus telemetry protocol The vulnerability lies in the wireless telemetry link between the implanted device and its home monitor or programmer: the Conexus protocol implements no authentication or authorization, so an attacker with adjacent short-range access can inject, replay, modify, and intercept data on that link [82238].
Application None The article does not attribute the failure to application-level software on the devices, home monitors, or programmers [82238].

Other Details

Category Option Rationale
Consequence theoretical_consequence (a) death: the article reports no deaths resulting from the vulnerability in Medtronic's defibrillators [82238]. (b) harm: the article states, "To date, no cyber attack, privacy breach, or patient harm has been observed or associated with these issues" [82238]. (c) basic: no impact on access to food or shelter is mentioned [82238]. (d) property: an attacker could potentially collect sensitive data from the affected devices, but the article reports no actual loss of material goods, money, or data [82238]. (e) delay: no postponed activities are mentioned [82238]. (f) non-human: the article describes no impact on non-human entities beyond the devices' exposure itself [82238]. (g) no_consequence: no cyber attack, privacy breach, or patient harm had been observed or associated with the vulnerability at the time of the article [82238]. (h) theoretical_consequence: the article discusses potential consequences that had not occurred, namely interception, modification, injection, and replay of telemetry data and the interference with, or collection of, sensitive data that would follow [82238]. (i) other: no further consequences are described in the article [82238].
Domain health (a) The failed system belongs to the health domain. The incident involves implantable defibrillators made by Medtronic, which are used during life-threatening cardiac events to reset the electrical state of the heart [82238]. The vulnerability in the Conexus telemetry system used by certain models of these devices could let an attacker interfere with and collect sensitive data from the devices, putting patient safety and privacy at risk, although no attack or patient harm had been observed at the time of the article [82238].
