CPATH-2026-0035 · MEDICAL IOT

DEVICE_CONTROL_SAFETY · Physical/safety · Evidence EV:2 (report-backed) · Liveness PARTIALLY_MITIGATED

Vector: CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:3/CH:3/SR:3/SX:2/OR:4/EV:2/LS:PARTIALLY_MITIGATED

| Field | Value |
| --- | --- |
| CPATH ID | CPATH-2026-0035 |
| CVE(s) | CVE-2019-6538, CVE-2019-6540 |
| Device / class | Medtronic Conexus RF telemetry protocol lacks authentication/encryption (implantable cardiac devices) (MEDICAL IOT) |
| Vendor | Medtronic |
| Dominant consequence | DEVICE_CONTROL_SAFETY (Physical/safety) |
| Paths verdict | CRITICAL (worst of 2 paths) |
| Published baseline | v3.1 9.3 CRITICAL CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H · CISA/ICS-CERT via NVD (CVE-2019-6538); v3.1 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N · NVD (CVE-2019-6538); v3.1 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N · CISA/ICS-CERT via NVD / NVD (CVE-2019-6540) |
| Baseline relationship | ◀▶ comparable |
| Consequence dimension(s) | #2 #7 #8 |
| Scored | 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional |
| Baseline confidence | high |
Consequence Paths

Physical/safety: DEVICE_CONTROL_SAFETY
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:3/CH:3/SR:3/SX:2/OR:4/EV:2/LS:PARTIALLY_MITIGATED

perception: DATA_PRIVACY
CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:2/CH:2/SR:3/SX:2/OR:4/EV:2/LS:PARTIALLY_MITIGATED

CFSE Consequence Paths assesses Medtronic Conexus RF telemetry protocol lacks authentication/encryption (implantable cardiac devices) at CRITICAL, the worst of 2 risk paths (safety, perception). The dominant consequence is influence over a safety-relevant actuation.
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → CRITICAL
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:3/CH:3/SR:3/SX:2/OR:4/EV:2/LS:PARTIALLY_MITIGATED
Exposure EX=2 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=HIGH → base CRITICAL · uplift recall-class recovery → assessed CRITICAL.
Adjacent short-range RF only, device must be in listening state (RE:2). Exploitation is advanced-but-reproducible: needs specialized RF gear and protocol knowledge; researchers demonstrated it (EC:2). The Conexus protocol allows read/write to implanted-device memory with no auth/authz, so an attacker can alter therapy/settings on an ICD/pacemaker -> credible injury/wrong therapy (PH:4, perception_feeds_action true since written state drives therapy delivery). Authority gained is effectively unauthenticated control over telemetry-exposed device functions/config, not the cryptographic root-of-trust or OTA signing root, so AT:3 not 4. Crosses RF/device/physical/safety boundaries (boundary_crossing). Data exposed is device/health/operational state (DP:3). Reuse: the protocol weakness is shared across a broad model class (portable knowledge/technique), SR:3. Execution is one-at-a-time per-device proximity, no fleet remote scaling (SX:2). Many legacy implants cannot be field-patched; mitigation partial/ongoing and recovery would require model-level updates/replacement (OR:4, recovery_needs_fleet_action). Report-backed, no in-the-wild exploitation or observed harm (EV:2, active_exploitation false). LS partially mitigated.
DATA_PRIVACY → CRITICAL
CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:2/CH:2/SR:3/SX:2/OR:4/EV:2/LS:PARTIALLY_MITIGATED
Exposure EX=2 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=ELEVATED → base CRITICAL · uplift recall-class recovery · caps privacy-only cap → assessed CRITICAL.
Same adjacent-RF position with device in listening state (RE:2) and advanced-but-reproducible interception of unencrypted Conexus telemetry (EC:2). No encryption means sensitive implant/patient device and health data can be intercepted; injected/replayed/modified telemetry can falsify device data (DP:3 health/sensitive-op-state). This terminal is confidentiality/integrity of telemetry rather than therapy actuation, so physical impact is limited to measurement/data-falsification disruption without direct severe harm (PH:2); the falsified data does not by itself drive safety actuation in this path (perception_feeds_action false). Authority consequence is bounded read of session/telemetry channel (AT:2). Crosses RF/device boundaries (boundary_crossing). Knowledge/technique portable across the device class (SR:3); execution per-device proximity, not remote/fleet (SX:2). Legacy implants unpatchable so protocol-level fix needs broad updates (OR:4, recovery_needs_fleet_action). Report-backed, NVD scored C:N at protocol level but disclosure notes interception possible; no observed exploitation (EV:2, active_exploitation false).
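A cross-check of each path vector against the metric values cited inline in its rationale, plus a diff of the two paths, as an added example (not part of the registry entry or of any CFSE tooling). The function names are hypothetical, and the rationale strings are trimmed excerpts that keep only the inline metric citations.

```python
import re

# Path vectors copied verbatim from this entry.
VECTORS = {
    "DEVICE_CONTROL_SAFETY": "CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:3/CH:3/SR:3/SX:2/OR:4/EV:2/LS:PARTIALLY_MITIGATED",
    "DATA_PRIVACY": "CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:2/CH:2/SR:3/SX:2/OR:4/EV:2/LS:PARTIALLY_MITIGATED",
}
# Inline metric citations from each rationale paragraph, prose trimmed to "...".
RATIONALES = {
    "DEVICE_CONTROL_SAFETY": "... (RE:2). ... (EC:2). ... (PH:4, ...). ... so AT:3 not 4. ... (DP:3). ... SR:3. ... (SX:2). ... (OR:4, ...). ... (EV:2, ...).",
    "DATA_PRIVACY": "... (RE:2) ... (EC:2). ... (DP:3 ...). ... (PH:2); ... (AT:2). ... (SR:3); ... (SX:2). ... (OR:4, ...). ... (EV:2, ...).",
}

def parse_vector(vector):
    """Split a CPATH vector into {metric: value}; reject malformed input."""
    fields = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value or key in fields:
            raise ValueError(f"bad or duplicate component: {part!r}")
        fields[key] = value
    if "CPATH" not in fields or "TT" not in fields:
        raise ValueError("missing CPATH version or TT component")
    return fields

def cited_metrics(text):
    """Return (metric, value) pairs such as ('PH', '2') cited in prose."""
    return re.findall(r"\b([A-Z]{2}):(\d)\b", text)

def mismatches(vector, rationale):
    """List (metric, vector_value, cited_value) where prose and vector disagree."""
    fields = parse_vector(vector)
    return sorted({(k, fields.get(k, "absent"), v)
                   for k, v in cited_metrics(rationale) if fields.get(k) != v})

def diff_paths(a, b):
    """Metrics whose values differ between two path vectors."""
    fa, fb = parse_vector(a), parse_vector(b)
    return {k: (fa.get(k), fb.get(k)) for k in sorted(fa.keys() | fb.keys())
            if fa.get(k) != fb.get(k)}

if __name__ == "__main__":
    for name, vec in VECTORS.items():
        print(name, "rationale vs vector:", mismatches(vec, RATIONALES[name]) or "consistent")
    print("paths differ in:", diff_paths(*VECTORS.values()))
```

On this entry the check reports one disagreement: the DATA_PRIVACY vector carries PH:4 while its rationale cites PH:2. The two vectors themselves differ only in TT, AT and CH.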
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H · CISA/ICS-CERT via NVD (CVE-2019-6538)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N · NVD (CVE-2019-6538)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N · CISA/ICS-CERT via NVD / NVD (CVE-2019-6540)

The published baseline above is retained for source review. Paths decomposes the consequence into authority, perception, safety, scale, and recoverability paths rather than using the baseline score as the primary registry frame.
CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0035 (“Medtronic Conexus RF telemetry protocol lacks authentication/encryption (implantable cardiac devices)”), paths.cfse.ai/CPATH-2026-0035 (published 2026-06-03).