DHS warns hackers could take over defibrillators after they've been implanted and rewrite commands


Homeland Security warns of worrying flaw that could let hackers easily take over cardio defibrillators after they’ve been implanted and rewrite the commands

  • The vulnerability lets nearby hackers take control of Medtronic defibrillators
  • Flaw takes advantage of how radios can monitor and adjust the medical devices
  • Medtronic isn’t aware of any hurt patients and is developing a fix for the issue 

Homeland Security has issued a security warning about a flaw in Medtronic’s implantable cardiac devices that makes them vulnerable to hacking.

The Department of Homeland Security said the critical flaw could allow hackers to use radio communications to hijack defibrillators and issue commands for them after they’re implanted in a patient. 

Defibrillators are small devices that are implanted in a patient’s chest and deliver electrical shocks to prevent irregular heart rhythms.

DHS said the flaw in Medtronic defibrillators could let hackers use radio communications to hijack defibrillators and issue commands for them after they're implanted in a patient

The vulnerabilities were also identified in Medtronic’s clinic programmers and home monitors, according to the DHS alert.

The Star Tribune reported that as many as 750,000 devices are affected by the flaws. 

Researchers from security firm Clever Security discovered the vulnerabilities. 

The flaw stems from how Medtronic’s devices communicate with the radios that doctors use to keep track of and adjust the devices once they’re implanted in the user.

The alert says Medtronic’s Conexus communications protocol isn’t encrypted and doesn’t require users to be authenticated.

This means that a nearby attacker could intercept communications and change data on the defibrillator, potentially harming the patient. 

The security flaw in Medtronic's defibrillators stems from how they communicate with radios, which doctors use to keep track of and adjust the devices once they're implanted in the user

‘Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,’ the alert states. 

‘The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.’ 

WHICH DEVICES ARE AFFECTED BY THE FLAW? 

  • Amplia MRI CRT-D
  • Claria MRI CRT-D 
  • Compia MRI CRT-D
  • Concerto CRT-D
  • Concerto II CRT-D
  • Consulta CRT-D
  • Evera MRI ICD
  • Evera ICD
  • Maximo II CRT-D and ICD
  • Mirro MRI ICD
  • Nayamed ND ICD
  • Primo MRI ICD
  • Protecta CRT-D and ICD
  • Secura ICD
  • Virtuoso ICD
  • Virtuoso II ICD
  • Visia AF MRI ICD
  • Visia AF ICD
  • Viva CRT-D 

Source: FDA

DHS gave the threat a 9.3 out of 10 score and said it required a ‘low skill level to exploit.’

It’s worth reiterating that in order for patients to be harmed, the attacker needs to be in close proximity to the cardiac device.

Medtronic said in a post on its website that it’s not aware of any patient whose devices have been attacked. 

The company added that it’s now ‘developing updates’ to resolve the vulnerabilities.

‘Medtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these issues,’ a Medtronic spokesperson told Threatpost. 

‘To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues. 

‘Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.’   

The FDA recommended the usage of the devices and said the medical device maker was developing updates to further mitigate those vulnerabilities. 

The health regulator said it also was not aware of any reports of patients being harmed.

Last year, Medtronic disabled internet updates for some 34,000 CareLink programming devices that healthcare providers around the world use to access implanted pacemakers, saying the system was vulnerable to cyberattacks.

Medical device makers have bolstered efforts to mitigate product security vulnerabilities in recent years following a flurry of warnings from security researchers who have identified bugs in devices like the Medtronic implant programmers.

Shares of the company were down 1 percent in after-hours trading. 


