Medtronic, the world’s largest medical device manufacturer has discovered a pretty substantial flaw within their defibrillators. The Department of Homeland Security and Infrastructure Security Agency have sent out an alert that lets users know the flaw could be exploited if the attacker has knowledge of the device and is in close range of someone who uses the device. It is possible that 750,000 devices could be vulnerable. If the flaw is exploited correctly, the vulnerabilities would allow for an attacker to alter the functionality of the devices, which could cause major problems for those that rely on them for everyday health. Researchers stated, “A proof-of-concept attack developed by the researchers was able to take control of the implanted devices in a manner previously unseen in most exploits affecting lifesaving medical devices. With physical access to either a MyCareLink or CareLink console, the researchers could make modifications that would pull patient names, physician names, and relevant phone numbers out of the device and make unauthorized and potentially fatal changes to the shocks the devices delivered. Even more stunning, the attack was able to read and rewrite all the firmware used to operate the implant.” Medtronic is keeping a close eye to make sure no suspicious activity takes place and they say none has occurred at this point. Security fixes for the flaws should be arriving within the next few months.
Analyst Notes
Users should continue to use their devices as prescribed. Patients should use defibrillator monitoring services provided by Medtronic or their doctor. Physical control of the devices should be maintained, and they should not be linked to any other devices that aren’t approved by Medtronic.
