The Department of Homeland Security and Medtronic are advising people with Medtronic's implantable defibrillators to keep their monitors and programmers updated and in sight. A warning issued by the department says over 20 Medtronic products are affected by vulnerabilities that could be exploited by attackers nearby. Sixteen of the products are implantable defibrillators, some still sold around the world today, while the others are the defibrillators' bedside monitors and programmers. According to the Star Tribune, as many as 750,000 heart devices come with the flaws.
(This is one of the affected Medtronic programmers, which allow doctors to tweak the implant’s settings.)
Implantable defibrillators are placed under the skin to monitor the patient's heart. If they detect a wildly irregular rhythm, they deliver electric shocks to restore the person's normal heartbeat. The vulnerabilities allow bad actors to change or inject data sent between a defibrillator and its programming device. Medtronic's affected products don't use formal authentication or authorization protections, which means attackers can alter the implant's settings and potentially harm the patient.
Since the hacker has to be in close proximity to the affected devices, though, the company told the Star Tribune that the risk of physical harm to patients with implants appears to be low. It also said that it's now monitoring its network for signs of exploit attempts, and it assured patients that its defibrillators will automatically shut down wireless communications if they receive unusual commands.
Even so, the company is reminding patients to use only devices obtained directly from healthcare providers and to keep wireless communications open so they receive the security patch when it rolls out. In addition to asking patients to keep monitors and programmers physically safe, Medtronic is discouraging them from plugging USB sticks and other unapproved accessories into the devices.