OTPulse

Medtronic Conexus Radio Frequency Telemetry Protocol (Update C)

Plan Patch · 9.3 · ICS-CERT ICSMA-19-080-01 · Mar 21, 2019
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Medtronic implanted cardiac devices (ICDs, CRT-Ds) and their associated programmers and monitoring systems are vulnerable to wireless RF protocol attacks. An attacker with RF transmission capability and physical proximity to an affected device can intercept, modify, or inject commands into Conexus telemetry communication, potentially altering device settings, disabling safety features, or reading patient data from device memory. Exploitation requires no authentication and can occur during clinic programming sessions, post-implant procedures, or during the device's periodic automated RF transmissions. Medtronic has confirmed that patches are available for only a subset of affected models; patches for remaining models are in development and subject to regulatory approval.

What this means
What could happen
An attacker within radio range could intercept, modify, or inject commands into the wireless communication between implanted cardiac devices and programming monitors, potentially altering device settings, disabling alarms, or reading patient data stored on the implant.
Who's at risk
Hospitals, clinics, and care facilities using Medtronic implanted cardiac devices (ICDs, CRT-Ds) and their associated programming/monitoring equipment (MyCareLink, CareLink monitors, CareLink 2090 Programmer). All models and software versions of the 22 listed Medtronic implant types are affected, making this relevant to any facility with active Medtronic cardiac device patients.
How it could be exploited
An attacker with an RF transmitter/receiver (commercial programmer, monitor, or software-defined radio) positioned within short range (typically 1-2 meters) of an implanted device can intercept or craft malicious Conexus protocol messages. During clinic visits, post-implant procedures, or when the device's scheduled RF communication window is active, the attacker can read/write device memory to alter therapy settings, disable safety notifications, or exfiltrate patient data.
Prerequisites
  • RF transmitter/receiver device capable of Conexus protocol (programmer, monitor, or SDR)
  • Physical proximity to implanted device (1-2 meters, adjacent/near-field range)
  • Implanted device RF radio must be active (during clinic session, procedure, or scheduled follow-up transmission)
  • No valid credentials or authentication required

no authentication required for RF communication; low complexity attack; no patch available for most device models; affects safety-critical implanted medical devices; adjacent/short-range access only (limits but does not prevent exploitation); sensitive patient data exposure risk
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (22)
2 pending, 20 EOL

Product                                   Affected Versions   Fix Status
CareLink 2090 Programmer: (all models)    All versions        No fix (EOL)
Viva CRT-D: (all models)                  All versions        No fix (EOL)
Protecta ICD and CRT-D: (all models)      All versions        No fix (EOL)
MyCareLink Monitor:                       24950 | 24952       No fix yet
CareLink Monitor:                         2490C               No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict physical access to device programming areas and monitor rooms; limit presence to authorized clinical staff only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HOTFIX: Contact Medtronic to determine if your device model has a patch available and schedule installation during your next clinic office visit
HOTFIX: Coordinate with Medtronic to deploy future patches for device models not yet addressed and establish regular firmware update schedule as patches become available
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CareLink 2090 Programmer: (all models), Viva CRT-D: (all models), Protecta ICD and CRT-D: (all models), Brava CRT-D: (all models), Amplia CRT-D: (all models), Concerto CRT-D: (all models), Evera ICD: (all models), Mirro ICD: (all models), Virtuoso II ICD: (all models), Concerto II CRT-D: (all models), Visia AF ICD: (all models), Mirro MRI ICD: (all models), Virtuoso ICD: (all models), Claria CRT-D: (all models), Secura ICD: (all models), Primo ICD: (all models), Consulta CRT-D: (all models), Maximo II CRT-D and ICD: (all models), Compia CRT-D: (all models), Nayamed ND ICD: (all models). Apply the following compensating controls:
HARDENING: Implement facility-level RF shielding (Faraday cage or shielded room) around device programming/monitoring areas to prevent unauthorized RF access during clinic sessions
HARDENING: Educate clinical staff to monitor for unexpected device behavior, alerts, or parameter changes that may indicate tampering