Security bulletins
September 10, 2020
Purpose
This Medtronic Security Bulletin is intended to provide product-specific cybersecurity information regarding our Medtronic BlueSync™ implantable cardiac devices and the Medtronic CareLink SmartSync™ device manager products. This Medtronic Security Bulletin contains a General/High-Level Summary, Technical User Information, and a List of Affected Products relating to our Bluetooth In-Office (BTIO) security vulnerability patch.
Medtronic response
Medtronic has addressed and remediated these issues. Medtronic remediations for these internally identified vulnerabilities were included in a routine software update deployed in June 2020. The update remediates and removes these vulnerabilities through improved communication protocols, communication timeouts, and inductive telemetry fallback. The BTIO update is available at your clinician’s office and is delivered during device interrogation when the clinician uses the SmartSync™ programmer. Your clinician can determine whether the firmware has been applied by checking the RAMware ID on the programmer screen.
To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.
These vulnerabilities do not impact normal therapy delivery or the remote monitoring functionality of the cardiac device.
Technical information
Medtronic has scored the vulnerabilities using the Common Vulnerability Scoring System (CVSS). This scoring system, the industry-standard method for rating vulnerability severity, scores vulnerabilities from 0 (no impact) to 10 (highest impact).
The Denial of Service (DoS) vulnerability has a CVSS Base Score of 7.1 with the vector AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The “Battery Drain” vulnerability received a CVSS Base Score of 5.1 with the vector AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.
The Denial of Service Attack (DoS) vulnerability could allow an unauthorized user to prevent a programming communication session initiation between the BlueSync™ cardiac device and the SmartSync™ device manager by monopolizing the BLE connection during the session initiation process. This communication disruption also interrupts the inductive telemetry communication with the cardiac device, thereby disrupting all communication methods with the cardiac device. All cardiac therapy functions will continue to operate as normal.
The second, related vulnerability identified could allow an unauthorized user to cause unintended cardiac device battery power consumption by monopolizing the BLE connection during the session initiation process and leaving the BLE communication channel open for an extended period longer than 12 hours.
To date, neither a cyberattack nor patient harm has been observed or associated with these vulnerabilities.
For more information
Customers needing additional information should contact security@medtronic.com.
List of affected products
| Type of device | Models |
|---|---|
| Pacemakers | Azure™ S DR MRI; Azure™ S SR MRI; Azure™ XT DR MRI; Azure™ XT SR MRI |
| Cardiac resynchronization therapy pacemaker (CRT-P) | Percepta™ Quad CRT-P MRI; Percepta™ CRT-P MRI; Serena™ Quad CRT-P MRI; Serena™ CRT-P MRI; Solera™ Quad CRT-P MRI; Solera™ CRT-P MRI |
| Device programmer | CareLink SmartSync™ Device Manager (Model 24970A) |
Patients or clinicians with questions or concerns about these devices should contact:
U.S.: Medtronic Patient and Technical Services is available to answer questions Monday through Friday 7 a.m.–6 p.m. Central Time at 800-551-5544.
International: Contact your local Medtronic representative.