CVE-2019-6540

Name of the Vulnerable Software and Affected Versions Medtronic MyCareLink Monitor versions 24950 through 24952 CareLink Monitor version 2490C CareLink 2090 Programmer Amplia CRT-D Claria CRT-D Compia CRT-D Concerto CRT-D Concerto II CRT-D Consulta CRT-D Evera ICD Maximo II CRT-D and ICD Mirro ICD Nayamed ND ICD Primo ICD Protecta ICD and CRT-D Secura ICD Virtuoso ICD Virtuoso II ICD Visia AF ICD Viva CRT-D

Description The Conexus telemetry protocol used in the affected devices does not implement encryption. This allows an attacker with adjacent short-range access to listen to communications, including the transmission of sensitive data.

Recommendations For Medtronic MyCareLink Monitor versions 24950 and 24952, consider implementing additional security measures to protect data transmission. For CareLink Monitor version 2490C, restrict access to the device to minimize the risk of exploitation. For CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D, at the moment, there is no information about a newer version that contains a fix for this vulnerability.