The world's largest medical device company has acknowledged that many of its implanted cardiac defibrillators use an unencrypted wireless protocol that could allow an attacker to change the settings of the lifesaving devices, NBC News reported.
The vulnerability affects more than 20 defibrillator models, monitors and programmer units made by Medtronic Inc. of Fridley, Minnesota. The devices include implantable cardioverter defibrillators, or ICDs, which can correct a dangerously fast or irregular heartbeat, and cardiac resynchronization therapy defibrillators, or CRT-Ds, which essentially are pacemakers that deliver small electrical charges to help keep the heart's ventricles pumping in sync.
In a bulletin issued late last week, the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security, assigned the flaw a vulnerability score of 9.3 — near the top of its 10-point scale. It said the flaw could allow a bad actor of "low skill level" to read and write any memory location on the implanted devices.
Medtronic acknowledged in a statement that the flaw could allow an unauthorized individual to gain access to the equipment's settings — and possibly change them. But the company and the U.S. Food and Drug Administration advised patients to continue using the devices while a fix is developed, adding that no one is known to have successfully exploited the flaw.