DHS reveals some Medtronic heart defibrillators are vulnerable to hacking

An attacker could mess with the settings of defibrillators, the warning noted.

Sean Keane
Sean Keane Former Senior Writer
Sean knows far too much about Marvel, DC and Star Wars, and poured this knowledge into recaps and explainers on CNET. He also worked on breaking news, with a passion for tech, video game and culture.
Expertise Culture, Video Games, Breaking News
Medtronic Medical equipment company logo seen displayed on a

The US government issued a warning about some Medtronic products.

Igor Golovniov/SOPA Images/LightRocket via Getty Images

The Department of Homeland Security warned on Thursday that 20 Medtronic products are vulnerable to short-range hacking.

The list of hackable products includes 16 implantable heart defibrillators -- an attacker could alter the settings of someone's device by manipulating its radio link, the warning said. The others are in-home bedside monitors for the defibrillators and programming computers used by doctors.

The vulnerability may impact up to 750,000 devices, the Star Tribune reported. The defibrillators in question are inserted beneath the skin and can shock a patient's heart back to a normal rhythm if it becomes irregular.

Researchers found that Medtronic's proprietary Conexus radio-frequency wireless telemetry protocol, which is used by the devices, doesn't have any kind of authentication, our sister site ZDNet noted.

In an emailed statement, Medtronic wrote that the problem doesn't impact its pacemakers, insertable cardiac monitors or other devices.

"To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues," a company spokesperson said.

"Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues.  The first update is scheduled for later in 2019, subject to regulatory approvals."

Watch this: We tested the Apple Watch EKG against a hospital EKG

First published at 5:10 a.m. PT.
Updated at 5:50 a.m. PT: Adds more details.