Implanted defibrillator can be hacked over the air

Implanted defibrillator can be hacked over the air

Implanted defibrillator can be hacked over the air: US government's Dept of Homeland Security issued an alert over two CVE-listed vulnerabilities in Medtronic's wireless communications system Conexus, which is used by some of its heart defibrillators and their control units. Conexus exchanges data between implanted devices and their control units over the air using radio-waves, with a range of roughly 25 feet without any signal boosting.

The more serious of the flaws, CVE-2019-6538, can be potentially exploited by an attacker to meddle with data flying between the device and its controller. The Conexus protocol does not include any checks for this kind of tampering, nor performs any form of authentication. This means transmissions can be intercepted, spoofed, and modified by hackers and their nearby equipment, which can also masquerade as a control unit and manipulate the operation of the vulnerable implant over the airwaves, potentially harming or perhaps even ultimately killing the patient.

See full article from The Register:

Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)