A Medtronic patient monitor and an insulin pump were flagged this week by ICS-CERT for cybersecurity vulnerabilities that could expose sensitive data to attackers.
The Medtronic MyCareLink patient monitor suffers from insufficient verification of data authenticity and storing passwords in a recoverable format, warned an August 7 ICS-CERT advisory.
The MyCareLink patient monitor is a remote monitoring system for patients with Medtronic implantable cardiac devices; it allows patients to transmit device data over a cellular connection to the CareLink Network, where clinicians can view it.
These vulnerabilities could enable an attacker with physical access to the equipment to get product credentials that are used to authenticate data uploads and encrypt data at rest, as well as upload bogus data to the CareLink network.
In a security bulletin, Medtronic stressed that the vulnerabilities do not allow modification of PHI or existing data on the CareLink network.
Medtronic is increasing the level of authentication required to upload data from the MyCareLink patient monitor to the CareLink network. In addition, increased cybersecurity monitoring has been implemented to detect and respond to any potential attempts to upload invalid data.
Medtronic recommended that users maintain physical control over their home monitor and only use home monitors obtained directly from their healthcare provider or a Medtronic representative.
This is not the first time this year that the Medtronic MyCareLink patient monitors have been dinged by ICS-CERT for cybersecurity vulnerabilities.
In June, ICS-CERT warned about vulnerabilities — hard-coded password and exposed dangerous method or function — that could enable an attacker with physical access to the monitor to use the hard-coded password to access the monitor’s operating system and product development code.
The security flaws could also enable an attacker using the monitor near the implantable cardiac device to read and write arbitrary memory values on the device.
ICS-CERT also warned this week about vulnerabilities — cleartext transmission of sensitive information and authentication bypass by capture-replay — in the Medtronic MiniMed Paradigm insulin pump and remote controller.
By exploiting these vulnerabilities, an attacker could replay captured wireless communications and cause an insulin (bolus) delivery.
“An unauthorized individual in the same vicinity as the insulin pump user could potentially copy the wireless radio frequency (RF) signals emitted by the remote controller (while delivering a remote bolus) and play those back later to deliver a malicious bolus to the pump user. This could lead to potential health risks, including hypoglycemia, if too much insulin is given in a short period of time,” Medtronic warned in its security bulletin.
Medtronic stressed that several factors must be met for this exploit to succeed:
- Remote option for the pump would need to be enabled. This is not a factory-delivered default, and a user must choose this option.
- User’s remote controller ID needs to be registered to the pump.
- Easy bolus option would need to be turned on, and easy bolus step size programmed in the pump.
- Unauthorized individual would need to be close to the user, with necessary equipment to copy the RF signals activated, when the user is delivering a bolus with the remote controller.
- Unauthorized individual would need to be close to the user to play back the RF signals to deliver a malicious remote bolus.
- User would need to ignore the pump alerts, which indicate that a remote bolus is being delivered.
Medtronic does not plan a product update to address these vulnerabilities.
The easy bolus and remote options are turned off in the pump by default. In cases where users want to continue to use the remote controller, Medtronic recommended the easy bolus be turned off when users are not intending to use the remote bolus option. When the easy bolus option is turned on, users should be attentive to pump alerts.
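The two weaknesses in the pump advisory, cleartext RF and authentication bypass by capture-replay, come down to the pump having no way to tell a live remote-bolus command from a recording of one. The following added example (constructed for this article, not Medtronic's protocol or code) shows the usual defence: an assumed shared pairing key, a strictly increasing per-controller counter in every frame, and an HMAC tag the pump verifies before acting, so a captured frame played back later is rejected as a replay and a modified frame is rejected as forged.

```python
import hashlib
import hmac
import struct

# Constructed illustration, not Medtronic's protocol: the pump shares a pairing
# key with its registered remote controller, every remote-bolus frame carries a
# strictly increasing counter, and the pump checks an HMAC over the frame before
# acting on it, so a captured frame played back later fails the counter check.

PAIRING_KEY = bytes(range(16))   # placeholder pairing key (constructed)
CONTROLLER_ID = 0x1234           # registered controller id (constructed)

def build_frame(key: bytes, controller_id: int, counter: int, units_x10: int) -> bytes:
    """Frame = controller id, counter, bolus size in 0.1 U steps, 8-byte HMAC tag."""
    body = struct.pack(">IIH", controller_id, counter, units_x10)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag

class Pump:
    def __init__(self, key: bytes, registered_controller: int):
        self.key = key
        self.registered = registered_controller
        self.last_counter = 0        # highest counter accepted so far
        self.delivered = []          # boluses actually delivered (0.1 U steps)

    def receive(self, frame: bytes) -> str:
        if len(frame) != 18:
            return "reject: malformed"
        body, tag = frame[:10], frame[10:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"          # tampered or forged frame
        cid, counter, units_x10 = struct.unpack(">IIH", body)
        if cid != self.registered:
            return "reject: unregistered controller"
        if counter <= self.last_counter:
            return "reject: replay"           # counter already used: recorded frame
        self.last_counter = counter
        self.delivered.append(units_x10)
        return "accept"

def demo() -> tuple:
    # Legitimate 1.5 U bolus, the same frame replayed, then a tampered copy.
    pump = Pump(PAIRING_KEY, CONTROLLER_ID)
    frame = build_frame(PAIRING_KEY, CONTROLLER_ID, counter=1, units_x10=15)
    first = pump.receive(frame)
    replayed = pump.receive(frame)            # captured RF frame played back later
    tampered = bytearray(frame)
    tampered[9] ^= 0x01                       # flip a bit in the bolus size field
    modified = pump.receive(bytes(tampered))
    return first, replayed, modified, tuple(pump.delivered)
```

Both sides must keep the counter in non-volatile storage so it survives battery changes, and this scheme only authenticates the command; it does not hide it, so the cleartext finding would need encryption on top.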
The vulnerabilities in the patient monitor and insulin pump were discovered by Billy Rios, Jesse Young, and Jonathan Butts of Whitescope, who reported them to the National Cybersecurity and Communications Integration Center (NCCIC).