BLUETOOTH IMPERSONATION ATTACKS (BIAS) SECURITY BULLETIN

June 11, 2020

VULNERABILITY SUMMARY

Medtronic was notified in early April 2020 by the CERT Coordination Center of a Bluetooth® vulnerability known as BIAS (Bluetooth Impersonation Attacks). This vulnerability could allow an attacker to impersonate a device and spoof Bluetooth® communication.

Medtronic determined two products are impacted by this vulnerability: the FA Controller (model number 3537) and the Patient Telemetry Module (model number 97745). The FA Controller is a device used for patient evaluation for incontinence therapies. The Patient Telemetry Module is a device used for pain therapy evaluation using an external neurostimulator (ENS). Both products are used during the evaluation phase of therapy for a limited amount of time, typically less than a month. The vulnerability does not affect our neurostimulators that are made to be implanted.

To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.

Medtronic Response

Medtronic’s technical teams have assessed the product portfolio to understand the impact on products. Findings indicate an unauthorized individual could impersonate the products and initiate the Bluetooth® communication on the products indicated above. This could allow for unauthorized changes to the stimulation settings within physician-defined ranges and/or an attempt to read therapy or patient information stored on an ENS. It’s important to note that this attack could only occur during a patient’s evaluation period, which is anywhere from 3-28 days, after which the device may be returned to the clinic.

We are evaluating through our quality systems and will take appropriate action as necessary. Medtronic recommends that patients and physicians continue to use these devices as prescribed and intended. In addition, Medtronic recommends clinicians and patients:

  • Maintain strict physical control of the devices
  • Collect devices at the conclusion of patient usage
  • Clinicians should dispose of the ENS as directed after single patient usage

At Medtronic, we take cybersecurity seriously and have teams actively engaged in these matters, including maintaining contact with our suppliers for updates. We monitor our products and systems to assess any impact associated with cybersecurity issues and take appropriate actions as circumstances dictate.

Additionally, Medtronic will continue to follow established coordinated disclosure processes for any significant security vulnerabilities associated with our products or any updates associated with these vulnerabilities.

Additional Resources

Patients or clinicians with questions or concerns about these devices should contact:

Patients: 1-800-510-6735
Technical Services: 1-800-707-0933
Or contact your Medtronic representative.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Medtronic is under license.