Serious Vulnerabilities Found in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities were discovered in Medtronic MyCareLink (MCL) Smart Patient Readers, which can possibly be taken advantage of to acquire access to and alter patient information from the paired implanted cardiac product. Remote code execution on the MCL Smart Patient Reader can be done when exploiting the vulnerabilities together, enabling an attacker to seize control of matched cardiac gadgets. An attacker could only take advantage of the vulnerabilities if within Bluetooth signal distance to the target product.

All models of the MCL Smart Model 25000 Patient Reader are impacted by the listed vulnerabilities.

Vulnerability CVE-2020-25183 is a weakness that takes advantage of the authentication protocol. The method utilized to validate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile application may be bypassed. An attacker that has another mobile device or malicious app on the patient’s smartphone may authenticate the patient’s MCL Smart Patient Reader, fooling it into thinking it is connecting with the patient’s smartphone application. The vulnerability has a designated CVSS v3 base score of 8.0 of 10.

With vulnerability CVE-2020-27252, an authenticated attacker performing a debug command can prompt a heap-dependent buffer overflow event in the MCL Smart Patient Reader software stack. The moment it is triggered, an attacker could then wirelessly execute code on the vulnerable MCL Smart Patient Reader, possibly letting the attacker to have control of the gadget. This vulnerability has an assigned CVSS v3 base rating of 8.8.

Vulnerability CVE-2020-27252 is discovered in the software update program of MCL Smart Patient Readers. An attacker taking advantage of this vulnerability can upload and implement unsigned firmware on the Patient Reader. This vulnerability can likewise make remote execution of arbitrary code possible on the MCL Smart Patient Reader and may permit an attacker to have control of the product. This vulnerability has a designated CVSS v3 base score of 8.8.

The researchers that identified the device vulnerabilities were from the Israeli company Sternum. Researchers at the University Of Michigan Uc Santa Barbara and University of Florida also separately discovered the inappropriate authentication vulnerability.

Medtronic has already introduced a software update to resolve the vulnerabilities after getting a notification regarding the vulnerabilities. The firmware update could be employed by updating the MyCareLink Smartapp through the connected mobile application store. By updating the mobile app to version v5.2, it will make sure to implement the update on next use; but, the patch will only work when the user’s smartphone has Android 6.0 or above or iOS 10 or later version.

Users were additionally instructed to have good physical control on their devices at home and to minimize the use of home monitors to private settings. Patients must just utilize home devices that were secured direct from their healthcare center or a Medtronic consultant.

Medtronic likewise did something to strengthen security, such as using Sternum’s enhanced integrity validation (EIV) technology that offers early identification and real-time blocking of recognized vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which permits device-level recording and checking of all device activity and actions.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone