Security firm Clever Security has discovered a serious and potentially highly dangerous vulnerability in Medtronic defibrillator implants. It affects 16 models, with a total of about 750,000 units already implanted in patients. Hackers can connect to such implants and disrupt their operation, but the manufacturer denies that patients' lives are in danger.
Medtronic defibrillators are implanted under the skin near the heart and, if the heart fails, can deliver an electrical impulse to normalize its functioning. A wireless connection is used to configure the devices and download patient health data from them. It uses the Conexus radio frequency telemetry protocol and, as it turned out, the developers forgot to add a user authentication mechanism to it.
This means that anyone with the necessary equipment can easily connect to the implant and gain access to confidential data, and also, in theory, cause the device to malfunction. However, Medtronic points out two limitations. First, the attacker has to be less than 7 m from the defibrillator wearer to establish communication. Second, the system blocks the connection when it receives non-standard requests.
According to experts, a skilled hacker will still be able to launch an attack and create a risk to the health or even the life of the implant wearer. But this requires meeting a number of conditions, which is not so easy. Medtronic promises to release a patch that will close the vulnerability before the end of this year. There are no plans to recall the products or remove them from patients' bodies.
Device for reading data from an implant