Bluetooth In-Office (BTIO) Security Vulnerability Patch SECURITY BULLETIN

September 10, 2020

Purpose

This Medtronic Security Bulletin provides product-specific cybersecurity information regarding the Medtronic BlueSync™ implantable cardiac devices and the Medtronic CareLink SmartSync™ Device Manager. It contains a General/High-Level Summary, Technical Information, and a List of Affected Products relating to the Bluetooth In-Office (BTIO) Security Vulnerability Patch.

General / High-Level Summary

Through Medtronic’s proactive internal cybersecurity testing, two cybersecurity vulnerabilities involving the Bluetooth Low Energy (BLE) communication between certain Medtronic BlueSync™ cardiac devices and the Medtronic CareLink SmartSync™ Device Manager were discovered and subsequently remediated.

Both vulnerabilities stem from disruption of the BLE communication session initiation process between the BlueSync cardiac device and the SmartSync Device Manager. They cannot be used to change or modify device programming, and they cannot be used to intercept any transmitted information. Exploitation requires an unauthorized user to remain within normal BLE communication range, and any disruption does not persist once that user leaves that range.

Medtronic Response

Medtronic has addressed and remediated these issues. The remediations for these internally identified vulnerabilities were included in a routine software update deployed in June 2020. The update removes these vulnerabilities through improved communication protocols, communication timeouts, and inductive telemetry fallback. The BTIO update is available at your clinician's office and is delivered during device interrogation with the SmartSync programmer. Your clinician can confirm that the update has been applied by checking the RAMware ID shown on the programmer screen.

To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.

These vulnerabilities do not impact normal therapy delivery or the remote monitoring functionality of the cardiac device.

Technical Information

Medtronic has scored the vulnerabilities using the Common Vulnerability Scoring System (CVSS). This industry-standard system assigns each vulnerability a base score from 0.0 (no impact) to 10.0 (highest impact).

The Denial of Service (DoS) vulnerability has a CVSS Base Score of 7.1 with the vector AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The "Battery Drain" vulnerability has a CVSS Base Score of 5.1 with the vector AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.

The Denial of Service (DoS) vulnerability could allow an unauthorized user to prevent initiation of a programming communication session between the BlueSync cardiac device and the SmartSync Device Manager by monopolizing the BLE connection during the session initiation process. This disruption also interrupts inductive telemetry communication with the cardiac device, so all communication methods with the device are blocked for as long as the unauthorized user remains within BLE range. All cardiac therapy functions continue to operate as normal.

The second, related vulnerability could allow an unauthorized user to cause unintended cardiac device battery power consumption by monopolizing the BLE connection during the session initiation process and keeping the BLE communication channel open for an extended period (longer than 12 hours).

To date, neither a cyberattack nor patient harm has been observed or associated with these vulnerabilities.

For More Information

Customers needing additional information should contact security@medtronic.com

List of Affected Products

Type of Device / Models

Pacemaker

Azure™ S DR MRI
Azure S SR MRI
Azure XT DR MRI
Azure XT SR MRI

Cardiac Resynchronization Therapy Pacemaker (CRT-P)

Percepta™ Quad CRT-P MRI
Percepta CRT-P MRI
Serena™ Quad CRT-P MRI
Serena CRT-P MRI
Solera™ Quad CRT-P MRI
Solera CRT-P MRI

Device Programmer

CareLink SmartSync™ Device Manager (Model 24970A)

Patients or clinicians with questions or concerns about these devices should contact:

US: Medtronic Patient and Technical Services is available to answer questions Monday-Friday, 7am – 6pm Central Time, at 1-800-551-5544.

International: Contact your local Medtronic representative.