OTPulse

BIOTRONIK CardioMessenger II

Monitor
CVSS: 4.6
Advisory: ICS-CERT ICSMA-20-170-05
Published: Jun 18, 2020
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

BIOTRONIK CardioMessenger II (version 2.20) contains multiple authentication and encryption weaknesses (CWE-287, CWE-319, CWE-311, CWE-257) that could allow an attacker with physical or adjacent network access to extract sensitive patient data, read transmitted medical information from implanted cardiac devices, or interfere with communications between the home monitoring unit and the healthcare provider's remote monitoring network. No new patient safety risks have been identified by BIOTRONIK's assessment.

What this means
What could happen
An attacker with physical or adjacent network access to a CardioMessenger II unit could extract sensitive patient data, intercept medical device transmissions from implanted cardiac devices, or interfere with communications between the home monitoring unit and the healthcare provider's network.
Who's at risk
Patients and healthcare providers using BIOTRONIK CardioMessenger II home monitoring units for implanted cardiac devices (pacemakers, defibrillators) are affected. Home health agencies and clinics that manage remote cardiac monitoring should review their device physical security and network controls. Cardiology practices and hospital electrophysiology departments that support these devices need to ensure patients understand proper device handling and security.
How it could be exploited
An attacker must first gain physical possession of the CardioMessenger II device or adjacent network access to the communication link between the device and the Access Point Name (APN) gateway. Once positioned, the attacker can exploit weak authentication and unencrypted data transmission to read patient medical data or intercept/modify commands sent to or from the implanted cardiac device.
Prerequisites
  • Physical access to the CardioMessenger II device
  • Adjacent network access to communications between CardioMessenger II and the healthcare provider's APN gateway
  • No credentials required
Key factors
  • No authentication required
  • Physical access required (limits exposure)
  • No patch available
  • Affects medical/safety devices
  • Weak encryption (CWE-319, CWE-311)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2), both end of life (EOL)

Product                           | Affected Versions | Fix Status
CardioMessenger II-S GSM T4       | APP: 2.20 (2.2)   | No fix (EOL)
CardioMessenger II-S T-Line T4    | APP: 2.20 (2.2)   | No fix (EOL)
Remediation & Mitigation

Do now
  • HARDENING: Maintain physical security and control over the CardioMessenger II home monitoring unit; store it in a secure location accessible only to authorized household members.
  • HARDENING: Obtain CardioMessenger II units only from your healthcare provider or an authorized BIOTRONIK representative to ensure device integrity.
  • HARDENING: Do not connect unapproved or unknown devices to the CardioMessenger II via any network or physical connection.
  • HARDENING: Use the CardioMessenger II only in private, controlled environments such as a home or apartment; avoid public or untrusted networks.
  • HARDENING: Restrict physical and logical access to the CardioMessenger II to authorized household members and healthcare personnel only.
  • WORKAROUND: Report any unusual device behavior, unexpected data transmissions, or security concerns to your healthcare provider or BIOTRONIK immediately.

Mitigations - no patch available
The following products have reached End of Life with no planned fix: CardioMessenger II-S GSM T4 (APP: 2.20), CardioMessenger II-S T-Line T4 (APP: 2.20). Apply the following compensating control:
  • HARDENING: Follow proper disposal procedures when the device reaches end-of-life to prevent unauthorized access to stored sensitive patient data.