Valleylab™ FT10 energy platform DDS Vulnerability Security Bulletin

Original post date: June 9, 2022

Updated on July 11, 2023: The mitigation section has been changed to reflect that a software update is now available.

Impacted Product


The Valleylab™ FT10 energy platform is used in operating rooms to power energy devices that assist healthcare providers¹ during surgical procedures. The FT10 has a Covidien label on the top of the generator, as Covidien is owned by Medtronic.


Vulnerability Summary

Through routine monitoring, Medtronic identified security vulnerabilities² in the Data Distribution Service (DDS) software component used in Medtronic’s Valleylab™ FT10 energy platform (all previous software versions). These vulnerabilities could allow an unauthorized individual, either through a network connection or through physical access to the device, to cause the generator to not function. If these vulnerabilities were to be exploited³, the FT10 display would show the “Fail Safe” mode and indicate that the generator is inoperable.

To date, no patient harm, cyberattack or data breach involving a Medtronic product has been observed or associated with this vulnerability.

Medtronic recommends that healthcare providers continue to use these devices as intended.

Mitigation

These vulnerabilities are exploitable if the devices are connected to a network. The FT10 cannot be connected to a network during clinical use and is only connected to a network when actively undergoing system updates or servicing. Therefore, there are no intraoperative safety risks to the patient. Potential patient risk is limited to a minor delay of treatment prior to initiation of the surgical procedure while another device is obtained.

A software update to address this vulnerability is available as of July 2023. The software update should be applied at the time of servicing to align with how organizations regularly have their FT10 generators maintained. This may be through the hospital’s biomedical engineering team, a Medtronic sales or service representative, or by sending the device to a Medtronic service center. Devices can continue to be used until the software update is available. Customers with multiple Valleylab™ generators will need to update each system individually.

In the meantime, the following items are actions that a healthcare organization can take to mitigate the risk of these vulnerabilities: 

  • When connecting these devices to a service laptop for system updates or servicing, ensure any network connections are secure.
  • Maintain good physical security controls around the product to prevent access by an unauthorized user.

Only connect the FT10 to the service laptop when updating the FT10. The FT10 should never be connected to any other system or network. When not in use, the FT10 should be disconnected and powered off. Ensure the service laptop is secure. Ensure the service laptop is connected to a secure local network.



Customers should contact their local sales representative for additional information.

If you suspect a security issue has occurred with this device or have questions about the future update, please contact Medtronic at rs.assurancequality@medtronic.com.

If you have other product security questions, please contact Medtronic’s Product Security Office at security@medtronic.com.

Additional technical details

The vulnerability is a memory corruption flaw that can be triggered by sending a malformed network packet to the running DDS application, which requires a network connection to the target node. An attack could result in the devices becoming inoperable. The vulnerability has a CVSS 3.0 score of 5.3 as it is implemented in the FT10 with the previous software versions. The score of 5.3 is the unmitigated score before the patch is applied. The CVE number is CVE-2021-43547.

Definition of terms

  1. Healthcare provider – A healthcare provider is any person or organization that furnishes healthcare services and supplies, bills for them, or is paid for them. In this case, healthcare providers can be individuals (doctors or nurses) or organizations (hospitals, clinics, practice groups, along with their administrative staff). Healthcare researchers are also considered providers. 
  2. Vulnerability – A vulnerability is a weakness in systems, software or products that compromises security. A vulnerability allows people to perform bad actions on those same systems, software, and products.
  3. Exploit – An exploit is a program or methodology created to take advantage of a vulnerability in a system or product to gain unauthorized access or negatively affect proper operation.