Warnings about the cybersecurity vulnerabilities found in some Medtronic insulin pumps were issued by the United States Computer Emergency Readiness Team (US-CERT) and the Food and Drug Administration (FDA).
The vulnerable insulin pumps communicate with other devices, such as CareLink USB devices, blood glucose meters and glucose sensor transmitters, over wireless RF. The vulnerabilities were found in some MiniMed Paradigm and MiniMed 508 insulin pumps. An attacker with adjacent access to an affected device could intercept, alter, or tamper with the RF communications to or from the device.
As a result, an attacker could read the data sent to and from the device, change the insulin pump settings, and control insulin delivery. Such an attack has the potential to cause diabetic ketoacidosis, hypoglycemia or death.
The CVE-2019-10964 vulnerability stems from the communications protocol's improper implementation of authentication or authorization. It has been assigned a CVSS v3 base score of 7.1 out of 10.
The vulnerability was discovered by security researchers Nathanael Paul, Jay Radcliffe, Billy Rios, Barnaby Jack, Jesse Young and Jonathan Butts, with assistance from Medtronic.
The following is the list of vulnerable devices:
- all versions of MiniMed 508 pump
- MiniMed Paradigm (511 pump, 512/712 pumps, 712E pump, 515/715 pumps, 522/722 pumps, 522K/722K pumps)
- MiniMed 523/723 and 523K/723K pumps – Software versions 2.4A or lower
- MiniMed Paradigm Veo 554CM and 754CM models only – Software versions 2.7A or lower
- MiniMed Paradigm Veo 554/754 pumps – Software versions 2.6A or lower
Suzanne Schwartz, the FDA deputy director of strategic partnerships and technology innovation, said that there is significant risk of patient harm if the vulnerability is not addressed. At this point, there is no report yet of exploitation of the vulnerability.
Although there are mitigations that could help reduce the risk of the vulnerability being exploited, Medtronic was unable to produce a patch or software update that fixes the flaw. Medtronic therefore decided to recall all affected insulin pumps and provide replacement devices with stronger cybersecurity protections.
According to Medtronic, about 4,000 patients in the United States use the vulnerable insulin pumps. All affected patients should contact their care providers immediately to obtain a replacement insulin pump.