Biotronik CardioMessenger Vulnerabilities
Biotronik has released details of a number of vulnerabilities affecting their CardioMessenger II cardiac implant monitoring products. They claim that an attacker with physical access to an affected system could exploit some or all of these vulnerabilities to obtain patient medical or sensitive data, impair implant functionality, or gain access to connected medical systems.
Summary
Biotronik has released details of a number of vulnerabilities affecting their CardioMessenger II cardiac implant monitoring products. They claim that an attacker with physical access to an affected system could exploit some or all of these vulnerabilities to obtain patient medical or sensitive data, impair implant functionality, or gain access to connected medical systems.
Affected platforms
The following platforms are known to be affected:
- Biotronik CardioMessenger II-S GSM T4APP 2.20
- Biotronik CardioMessenger II-S T-Line T4APP 2.20
Threat details
The vulnerabilities are the result of several different faults in CardioMessenger devices:
- CVE-2019-18246 - CWE-287 - CardioMessenger devices do not enforce mutual authentication when connecting to Biotronik Remote Communication systems.
- CVE-2019-18248 - CWE-319 - CardioMessenger devices transmit credentials in cleartext prior to switching to an encrypted channel.
- CVE-2019-18252 - CWE-287 - Credentials can be reused for multiple authentication purposes.
- CVE-2019-18254 - CWE-311 - Sensitive medical data is not encrypted at rest by vulnerable CardioMessenger devices.
- CVE-2019-18256 - CWE-257 - CardioMessenger devices use per-device credentials that are stored in a recoverable format.
For further information:
Remediation steps
CVE Vulnerabilities
Last edited: 29 June 2021 12:01 pm