CVE-2019-18256
Description
BIOTRONIK CardioMessenger II: the affected products use individual per-device credentials that are stored in a recoverable format. An attacker with physical access to the CardioMessenger can use these credentials for network authentication and for decryption of local data in transit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BIOTRONIK CardioMessenger II devices store per-device credentials in a recoverable format and send them in cleartext before encryption, enabling disclosure of sensitive data via physical or adjacent access.
Vulnerability
The BIOTRONIK CardioMessenger II-S T-Line and CardioMessenger II-S GSM running firmware T4APP 2.20 store per-device credentials in a recoverable format [1]. The devices also transmit these credentials in cleartext before switching to an encrypted communication channel [1]. Additionally, they do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure and allow credential reuse for multiple authentication steps [1].
Exploitation
An attacker with physical access to the CardioMessenger unit can recover the stored credentials and use them for network authentication and decryption of local data in transit [1]. An attacker with adjacent (local) network access can intercept the cleartext transmission of credentials during the initial authentication phase [1]. No user interaction or elevated authentication is required (CVSS: AV:A/AC:L/PR:N/UI:N) [1].
Impact
Successful exploitation allows an attacker to obtain sensitive data, including medical data from implanted cardiac devices if the implant’s serial number is known, and to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network [1]. The attacker gains the ability to authenticate to the BIOTRONIK Remote Communication infrastructure and decrypt local data in transit, leading to disclosure of sensitive information [1].
Mitigation
As of the advisory publication date (June 2020), no firmware update has been released to address these vulnerabilities [1]. BIOTRONIK recommends that users secure physical access to the CardioMessenger II device and ensure the network is protected against adjacent access [1]. The product is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
[1] www.us-cert.gov/ics/advisories/icsma-20-170-05
News mentions: 0
No linked articles in our index yet.