The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has issued an alert that some Medtronic implanted defibrillators contain vulnerabilities that would allow them exploited by attackers who had the right knowledge of the devices and close proximity to an individual possessing one. The Star Tribune reported Thursday that as many as 750,000 devices could be vulnerable.
Implanted defibrillators are small devices that help prevent potentially deadly heart issues by administering electric shocks to treat irregular heartbeats. The agency said Thursday that if exploited, the vulnerabilities in some Medtronic would allow an attacker to intercept and potentially impact the functionality of certain models of defibrillators and monitoring devices.
According to Ars Technica, the vulnerabilities were flagged to Medtronic in January of last year by researchers with security firm Clever Security, which made a number of alarming findings:
A proof-of-concept attack developed by the researchers was able to take control of the implanted devices in a manner previously unseen in most exploits affecting lifesaving medical devices. With physical access to either a MyCareLink or CareLink console, the researchers could make modifications that would pull patient names, physician names, and relevant phone numbers out of the device and make unauthorized and potentially fatal changes to the shocks the devices delivered. Even more stunning, the attack was able to read and rewrite all the firmware used to operate the implant.
DHS listed more than a dozen Medtronic cardiac devices affected by the flaws—including implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators—but the company said that they do not affect other Medtronic devices such as pacemakers.
Medtronic said in a statement to Gizmodo that it is currently looking into unusual or unauthorized activity pertaining to the vulnerability but that it has found no incident of successful exploitation of the flaws up to this point. The company added it’s working on security fixes for the flaws, the first of which it said should arrive later this year.
Despite the federal advisory, the company’s VP of medical affairs Robert Kowal told the Star Tribune that the vulnerability “would be very hard to exploit to create harm.” The DHS also noted that an attacker would need to have “short-range access” to one of the affected Medtronic devices to pull off an exploit, a distance Kowal told the paper would amount to within roughly 20 feet.
In a statement by email, a spokesperson for Medtronic said that both it and the Food and Drug Administration “recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients’ devices and heart conditions.”
According to Medtronic, patients should also only use defibrillator monitoring devices provided to them by either Medtronic or their physician. The company also advised people to maintain “good physical control” over their monitors and avoid linking them to unapproved devices.