CVE-2019-18246
Description
BIOTRONIK CardioMessenger II: the affected products do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BIOTRONIK CardioMessenger II fails to enforce mutual authentication, allowing adjacent attackers to influence communications with the Remote Communication infrastructure.
Vulnerability
The BIOTRONIK CardioMessenger II home monitoring units (CardioMessenger II-S T-Line T4APP 2.20 and CardioMessenger II-S GSM T4APP 2.20) do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure [1]. This improper authentication vulnerability (CWE-287) allows an unauthenticated attacker with adjacent network access to influence the communication channel between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway [1].
Exploitation
To exploit this vulnerability, an attacker must have adjacent network access to the CardioMessenger II (e.g., within the same wireless network). No authentication or user interaction is required. The attacker can interfere with the mutual authentication process, potentially impersonating the legitimate communication endpoints [1].
Impact
Successful exploitation allows the attacker to influence communications between the HMU and the BIOTRONIK Remote Communication infrastructure. This could lead to manipulation of transmitted data, disruption of device functionality, or potential disclosure of sensitive information transmitted by implanted cardiac devices [1]. The CVSS v3 base score is 4.3, with low confidentiality impact and no integrity or availability impact per the vector string [1].
Mitigation
As of the publication date, no specific patch or mitigation is disclosed in the available reference. Users are advised to contact BIOTRONIK directly for updates and to review the CISA advisory [1] for further recommendations.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
References
[1] www.us-cert.gov/ics/advisories/icsma-20-170-05 (mitre, x_refsource_MISC)