On 21 March 2019 (Thursday), the U.S. Department of Homeland Security issued an advisory warning of severe vulnerabilities in more than a dozen defibrillators that could permit attackers to completely hijack the devices remotely, putting the lives of millions of patients at risk. A cardioverter defibrillator is a small, surgically implanted device placed in the patient's chest that delivers an electric shock to the heart, often termed a counter shock, to re-establish a normal heartbeat. The device is designed to prevent sudden death in heart patients, but Medtronic's defibrillators have been found to contain two serious vulnerabilities.
The vulnerabilities, discovered by researchers from the security firm Clever Security, are believed to allow threat actors with knowledge of the medical devices to intercept communications and impact the functionality of the life-saving devices. They reside in the Conexus Radio Frequency Telemetry Protocol, a wireless communication system that some Medtronic defibrillators and their control units use to connect to the implanted devices using radio waves over the air.
The first flaw, CVE-2019-6538, is believed to be the more critical of the two. It occurs because the Conexus telemetry protocol does not include data tampering checks and does not perform any form of authentication or authorization. The second flaw, assigned CVE-2019-6540, is that the Conexus telemetry protocol provides no encryption to secure the telemetry communications, which makes it possible for attackers within range to intercept the communication.