Share this article on:
An advisory has been issued by ICS-CERT about vulnerabilities in MedTronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868).
The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors.
If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity).
The way that passwords are stored could allow them to be recovered by an attacker and used for network authentication and encryption of local data at rest. This vulnerability has been assigned a CVSS v3 score of 4.9 (medium severity).
The vulnerabilities were identified by security researchers at Whitescope LLC, who reported them to the National Cybersecurity and Communications Integration Center (NCCIC).
Medtronic has already taken steps to address the vulnerabilities. Server-side updates have been made to correct the data authenticity verification issue and further mitigations will be implemented shortly to enhance data integrity and authenticity. To reduce the risk of exploitation, Medtronic recommends users maintain good physical control over their home monitors and only use monitors that have been obtained from healthcare providers.
Two vulnerabilities have also been identified in the Medtronic MiniMed 508 Insulin Pump by the Whitescope researchers. The first is the cleartext transmission of sensitive information (CVE-2018-40634) and the second is an authentication bypass flaw that could be exploited in a capture replay attack (CVE-2018-14781).
The researchers discovered that communications between the insulin pump and wireless accessories are sent in cleartext, which could allow sensitive information such as the device serial number to be captured by an attacker. The vulnerability has been assigned a CVSS v3 score of 4.8 (medium severity).
When the insulin pump is paired with a remote controller and the easy-bolus and remote bolus options are set, the device is vulnerable to a capture-replay attack which would allow the wireless transmissions to be captured and replayed resulting in an additional insulin (bolus) delivery. The vulnerability has been assigned a CVSS v3 score of 5.3 (medium severity).
The vulnerabilities affect the following MiniMed insulin pumps and associated products: MMT 508 MiniMed insulin pump, MMT – 522 / MMT – 722 Paradigm REAL-TIME, MMT – 523 / MMT – 723 Paradigm Revel, MMT – 523K / MMT – 723K Paradigm Revel, and MMT – 551 / MMT – 751 MiniMed 530G.
Medtronic will not be issuing a fix to correct the flaws as devices are only vulnerable if the remote option is enabled. Devices are not vulnerable in their default configuration. Users can disable to easy bolus and remote bolus options if they have been set. If users wish to continue to use the easy bolus option, they should be attentive to device alerts when enabled and should turn off the easy bolus option when they are not intending to use the remote bolus option.