A popular brand of heart pacemaker is still vulnerable to compromise more than a year and a half after the company that makes them was told of weaknesses in its security.

The product in question is the Medtronic CareLink 2090 monitor, used by doctors to control pacemaker settings.

the pair underscored by demonstrating a separate attack on Medronic’s MiniMed insulin pump.

As reported by journalists who attended the demo, the vulnerability that makes it possible for an attacker to run malware on the CareLink 2090 is down to poor software design, primarily that software updates aren’t signed or encrypted.

Mitigations

- turning off the device when not in use

- connecting to it via VPN,

Medtronic was the company that followed this up by publishing a warning regarding the MyCareLink Patient Monitor models 24950 and 24952.