CVE-2019-6540 in MyCareLink Monitor
Summary
by MITRE
The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/22/2025
The Conexus telemetry protocol vulnerability identified as CVE-2019-6540 represents a critical security flaw in Medtronic's cardiac device ecosystem that directly impacts patient safety and data confidentiality. This vulnerability affects numerous cardiac rhythm management devices including various CRT-D and ICD models across multiple product lines, creating a widespread security concern for healthcare providers and patients alike. The protocol's complete absence of encryption mechanisms creates a fundamental weakness in the communication architecture that was designed to transmit sensitive medical data between implanted devices and external monitoring systems.
The technical flaw stems from the protocol's design philosophy that prioritized communication reliability over security considerations. The Conexus protocol operates using unencrypted radio frequency communications that are susceptible to interception by adversaries with physical proximity to the target device. This vulnerability falls under CWE-310, which specifically addresses cryptographic weaknesses in communication protocols, and represents a classic example of insufficient encryption implementation in medical device security architectures. The lack of encryption means that all data transmitted between the implanted device and external programmers or monitors can be captured and analyzed by unauthorized parties within the device's operational range.
The operational impact of this vulnerability extends far beyond simple data exposure, as it creates potential pathways for malicious actors to manipulate device settings or extract sensitive patient information. Attackers with adjacent short-range access can eavesdrop on communications that may include device configuration parameters, patient medical history, therapy delivery data, and other confidential information. This exposure creates risks for medical device security that aligns with ATT&CK technique T1046, which involves the use of network service scanners to identify and exploit communication vulnerabilities. The threat landscape for medical devices has evolved significantly, with adversaries increasingly targeting healthcare infrastructure for both financial gain and potential harm to patients.
The security implications of this vulnerability are particularly severe given that these devices are implanted within patients and continuously transmit critical health data. The absence of encryption means that sensitive information such as device settings, patient therapy parameters, and medical history can be intercepted without requiring sophisticated technical skills or expensive equipment. Healthcare organizations must consider this vulnerability as part of their broader cybersecurity risk assessment and implement appropriate mitigations to protect patient data and device integrity. The vulnerability also highlights the need for comprehensive security testing of medical device communication protocols and adherence to established security standards that ensure proper encryption implementation in all patient-facing medical technologies.