CardioMessenger

CardioMessenger devices form an essential part of BIOTRONIK’s remote monitoring system, enabling the secure transmission of critical patient and device data to the treating physician. 

By design, it is technically impossible to transmit commands to our implants remotely which obviates the potential of reprogramming the patient's device and doing direct harm to the patient. We would like to reassure patients, healthcare providers and physicians that these devices are safe and can continue to be used as intended. There have also been no cyberattacks or privacy breaches related to CardioMessenger.

Background

In October 2019, researchers at SINTEF provided a report to BIOTRONIK describing potential cybersecurity concerns associated with CardioMessenger II devices which are no longer available on the market.

As a result of the SINTEF report, we initiated a comprehensive analysis which determined that the cybersecurity questions raised did not have an impact on patient safety. Specifically, no CardioMessenger, past or current models, can modify an implantable cardiac device’s diagnostic or therapeutic functionality. This is a deliberate design feature to ensure patient safety. We shared our findings with the researchers who also agreed that “BIOTRONIK provided sufficient information to confirm that patient harm arising from the vulnerabilities is very unlikely.”¹ 

The Cybersecurity & Infrastructure Security Agency (CISA) at the US Department of Homeland Security also confirm that “no known public exploits specifically target these vulnerabilities.” ² CardioMessenger devices are safe and, in fact, BIOTRONIK Home Monitoring has been shown to significantly reduce patient hospitalization³, stroke⁴ and mortality³.  

Technical Information

Relevant CVEs: CVE-2019-18246, CVE-2019-18248, CVE-2019-18252, CVE-2019-18254 and CVE-2019-18256

In a coordinated disclosure with SINTEF and CISA, CVE-2019-18246, CVE-2019-18248 and CVE-2019-18252 have been assigned to vulnerabilities concerning CardioMessenger II’s credentials for accessing the BIOTRONIK Home Monitoring infrastructure, each with a CVSS v3.1 score of 4.3 and CVSS vector string (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The researchers found that a fake mobile network base station or physical access to the CardioMessenger II could allow disclosure of these credentials. The credentials are used by the CardioMessenger II to gain access to the interface for exchanging data with the BIOTRONIK Home Monitoring infrastructure. However, this data is encrypted with the individual key of the CardioMessenger II and there is no relation between the individual key and the credentials (apart from belonging to the same CardioMessenger II). Consequently, knowledge of the credentials

• does not allow decryption of the transmitted data; 
• does not allow the creation of data that the BIOTRONIK Home Monitoring infrastructure or the CardioMessenger II would interpret as valid;
• does not allow modification of any data on the CardioMessenger II, because the device will not accept any data that is not encrypted with its individual key;
• has no impact at all on the availability of the device.

In the scope of the same coordinated disclosure, CVE-2019-18254 and CVE-2019-18256 were assigned to vulnerabilities concerning encryption at rest, each with a CVSS 3.1 score of 4.6 and CVSS vector string (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The researchers found that physical access to the CardioMessenger II allows to open its housing and access unencrypted data in its memory.