BIOTRONIK Statement on the Log4Shell Vulnerability Updated December 21, 2021
The discovery of a high-severity vulnerability known as Log4Shell was disclosed publicly on December 9, 2021, while a related lower-severity vulnerability was disclosed on December 14, 2021. These vulnerabilities are present in a software library used by many servers worldwide (see Background for details). In light of this recent discovery, BIOTRONIK has carefully analyzed all of its provided services. The analysis concluded that the conditions for exploitation of the Log4Shell vulnerability and the related CVE-2021-45046 and CVE-2021-45105 vulnerabilities do not exist in any of BIOTRONIK’s medical devices (see Technical Information for details of the systems analyzed).
A very limited condition for exploitation of the Log4Shell vulnerability exists for the BIOTRONIK EHR DataSync Adapter, if a non-default configuration for logging is set as described in the technical information below. This condition is further limited by the fact that data input required for exploitation could only be conducted by authorized users of the Home Monitoring Service Center who have the rights to change patient data. To eliminate this very low risk of exploitation, BIOTRONIK has taken immediate action and will provide an update for the EHR DataSync Adapter by December 22, 2021. Until then, clinic IT administrators should ensure that the log level settings of their EHR DataSync Adapter system are set to default as described in the technical information below.
Background
A high-severity vulnerability known as Log4Shell (CVE-2021-44228, CVSSv3 10.0) present in a software library used by many servers worldwide was disclosed publicly on December 9, 2021. The affected library is “Apache Log4j2” in versions 2.0 to 2.14.1 from the Apache Foundation. It is an open source Java logging framework that allows software developers to write log entries (i.e. text describing an action that the application has just performed) to files or dedicated log servers. The vulnerability allows for unauthenticated remote code execution and is therefore highly critical if conditions for its exploitation are present.
A related vulnerability (CVE-2021-45046, CVSSv3 9.0) affecting Log4j in versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 has been disclosed on December 14, 2021. This vulnerability allows for exfiltration of information and unauthenticated remote code execution in some environments and unauthenticated local code execution in all environments.
- Update 20 December, 2021 -
Another related vulnerability (CVE-2021-45105, CVSSv3 7.5) affecting Log4j in versions from versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) has been disclosed on December 18, 2021. This vulnerability allows for a denial of service attack.
- Update 21 December, 2021 -
Updated the information on CVE-2021-45046 and CVE-2021-45105 as published by NIST.
Technical Information
The following systems comprise the services provided by BIOTRONIK and have been thoroughly analyzed:
Home Monitoring Service Center
Not affected by either vulnerability. Log4j2 is not used
Implantable Device Programmer Renamic & Renamic Neo
Not affected by either vulnerability. Log4j2 is not used
BIOTRONIK Cloud Service infrastructure
Not affected by either vulnerability. Log4j2 is not used
Patient App Interface
Not affected by either vulnerability. Log4j2 is not used
ProMRI System Check Web Site
Not affected by either vulnerability. Log4j2 is not used
BIOTRONIK EHR DataSync Adapter
Not affected by CVE-2021-45046 or CVE-2021-45105. Adapter does not use a non-default pattern layout.
Affected by Log4Shell. The EHR DataSync Adapter uses Log4j2 in a version that is affected by the Log4Shell vulnerability. To exploit the vulnerability the following conditions must exist:
Mitigation Measures:
At BIOTRONIK, we take cybersecurity very seriously and we are strongly committed to providing safe and reliable cardiovascular devices and systems that improve the lives of millions of patients. Our cybersecurity management process is carefully designed according to the recommendations of the US FDA’s guidance to identify and control risks in all relevant devices and systems.
We continue to monitor, test and analyze the safety of our devices and systems regularly.
For any questions, please do not hesitate to contact your local BIOTRONIK representative or email us at info@biotronik.com.
About BIOTRONIK:
At BIOTRONIK, patient well-being is our top priority and has been for 60 years. BIOTRONIK is a leading global medical technology company with products and services that save and improve the lives of millions suffering from heart and blood vessel diseases as well as chronic pain. Driven by a purpose to perfectly match technology with the human body, we are dedicated innovators who develop trusted cardiovascular, endovascular and neuromodulation solutions. BIOTRONIK is headquartered in Berlin, Germany, and is represented in over 100 countries.
More Statements
-
Image
BIOTRONIK Statement on the FDA’s Safety Communication “URGENT/11”
On October 1, the US Food and Drug Administration (FDA) issued a Safety Communication regarding a set of cybersecurity vulnerabilities, referred to as “Urgent/11” that — if exploited by a remote attacker — may introduce risks for medical devices and hospital networks. According to the communication: “These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.” These vulnerabilities exist in a third-party software component known as IPnet
-
Image
StatementBIOTRONIK Statement on CardioMessenger II Cybersecurity
CardioMessenger devices form an essential part of BIOTRONIK’s remote monitoring system, enabling the secure transmission of critical patient and device data to the treating physician. As the company that pioneered remote monitoring, we have taken cybersecurity design seriously since 2001. It is integrated into our quality management system, all relevant business processes and prioritized at every step of the product life cycle. Our cardiac implants do not accept programming modifications or commands via any form of long-distance communication. By design, it is technically impossible to
-
Image
StatementBIOTRONIK Statement on the Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers
On October 11, the US Food and Drug Administration (FDA) issued a Safety Communication regarding cybersecurity updates affecting Medtronic implantable cardiac device programmers, based on an NCCIC Advisory. 1 According to the FDA’s communication, Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection in two models of programmers used to download software from the manufacturer’s software distribution network (SDN). Successful exploitation of these vulnerabilities would allow an adversary to influence this
-
Image
StatementBIOTRONIK Statement on the Publication ‘Security Testing of the Pacemaker Ecosystem’
The work ‘Security Testing of the Pacemaker Ecosystem’ was recently published as a master’s thesis, authored by Mr. Anders Been Wilhelmsen and Mr. Eivind Skjelmo Kristiansen. This publication investigates the state of cybersecurity of BIOTRONIK’s ICS 3000 – a programmer for BIOTRONIK implantable cardiac pacemakers, defibrillators and monitors that is used by healthcare professionals during the implantation procedure and follow-ups. ICS 3000 programmers were distributed between 2001 and 2012. In the publication, the authors report about several cybersecurity weaknesses such as: The central
-
Image
StatementBIOTRONIK Statement on “SweynTooth” Cybersecurity Vulnerabilities
The US Food and Drug Administration has issued a Safety Communication regarding a family of cybersecurity vulnerabilities known as SweynTooth, which may introduce risks for certain medical devices that use Bluetooth Low Energy (BLE) wireless communication technology. If exploited, these vulnerabilities can allow unauthorized users to potentially cause a device to stop working, stop it from working correctly and/or bypass security to access certain device functions. The FDA has said it is not aware of any confirmed adverse events related to these vulnerabilities although software to exploit
-
Image
StatementStatement on the Cybersecurity of BIOTRONIK Solutions Following WIRED Magazine’s Article on Vulnerabilities in Pacemaker Programmer Systems
On August 9, WIRED magazine reported that researchers discovered cybersecurity vulnerabilities in the way pacemaker programmers connected to the software delivery network of a specified manufacturer. The researchers claim that “digital code signing”—the cryptographic validation of the legitimacy and integrity of software—is lacking in the manufacturer’s infrastructure, allowing an attacker to potentially take control of device programmers through malicious updates that can subsequently be spread to implanted pacemakers. 1 None of BIOTRONIK’s devices, programmers or networks are affected by
-
Image
StatementBIOTRONIK Statement on the Medical Advisory and Safety Communication Regarding Medtronic’s Conexus Radio Frequency Telemetry Protocol
The Department of Homeland Security and the US FDA have issued a Medical Advisory and Safety Communication respectively describing two types of cybersecurity vulnerabilities affecting multiple Medtronic devices that utilize the Conexus telemetry protocol. BIOTRONIK utilizes substantially different protocols for both the clinical and the home environment. Moreover, by design, the remote communication system via BIOTRONIK Home Monitoring® does not have the functionality to transmit or alter therapeutic commands to the implant.