Medtronic Releases Patches for Cardiac Device Flaws Disclosed in 2018, 2019
Medical device company Medtronic informed customers last week that it has released patches for some cardiac device vulnerabilities disclosed in 2018 and 2019.
One of the advisories, initially published in March 2019 by both CISA and Medtronic, covers vulnerabilities affecting the Medtronic Conexus radio frequency wireless telemetry protocol used by some of the company's implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators.
The second advisory, first published in February 2018, describes security holes identified by researchers Billy Rios and Jonathan Butts in Medtronic's CareLink 2090 and CareLink Encore 29901 devices designed for programming and managing cardiac devices.
The researchers discovered that these devices have vulnerabilities that can be exploited to obtain device usernames and passwords, access files on the system, and push malicious updates via man-in-the-middle attacks.
After the CareLink vulnerabilities were disclosed, the company disabled access to the software deployment network used to deliver device updates.