Unencrypted and Unauthenticated Implantable Medical Devices Hackable

2019, Breaches, March

Who: Medtronic

When: 21 March 2019

# of records involved:

What happened: Critical flaw lets hackers control lifesaving devices implanted inside patients

How did it happen: The federal government on Thursday warned of a serious flaw in Medtronic cardio defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient. The problems are no encryption, no authentication, and a raft of other flaws. The Conexus Radio Frequency Telemetry Protocol (Medtronic’s proprietary means for the monitors to wirelessly connect to implanted devices) provides no encryption to secure communications.

Outcome: To date, no cyber attack, privacy breach, or patient harm has been observed or associated with these issues. An unauthorized user would need comprehensive and specialized knowledge of medical devices, wireless telemetry, and electrophysiology to fully exploit these vulnerabilities in order to harm a specific patient.