Further Vulnerabilities Identified in Medtronic MyCareLink Patient Monitors

An advisory has been issued by ICS-CERT regarding vulnerabilities found in MiniMed 508 Insulin Pumps and MedTronic MyCareLink Patient Monitors. This is the 2nd advisory issued regarding vulnerabilities in MyCareLink Patient Monitors in the last 6 weeks. In June, ICS-CERT warned healthcare organizations about a hard-coded password vulnerability (CVE-2018-8870) and a dangerous method or function vulnerability (CVE-2018-8868).

The new vulnerabilities include an insufficient confirmation of data authenticity flaw (CVE-2018-10626), and password storage in a recoverable format (CVE-2018-10622). The vulnerabilities affect all Medtronic MyCareLink 24950 and 24952 Patient Monitors. The vulnerabilities were identified by security researchers at Whitescope LLC, who reported the flaws to the National Cybersecurity and Communications Integration Center (NCCIC).

If a threat actor was able to get per-product credentials from the monitor and implanted cardiac device paired with the monitor, invalid data could be uploaded to the Medtronic Carelink network due to inadequate verification of data authenticity. The vulnerability was given a CVSS v3 score of 4.4.

How passwords are saved could allow retrieval by an attacker who could use the password for network authentication and local data encryption at rest. This vulnerability was given a CVSS v3 score of 4.9.

Medtronic has taken action to correct the vulnerabilities. Server-side changes have been made to resolve the data authenticity verification issue and other mitigations are going to be applied soon to improve data integrity and authenticity. To minimize the threat of exploitation, Medtronic advises users to exercise good physical control of patient monitors in the home and only to use patient monitors that have been acquired from healthcare companies.

The Whitescope researchers also identified two vulnerabilities in the Medtronic MiniMed 508 Insulin Pump: CVE-2018-40634 – the cleartext transmission of sensitive data and CVE-2018-14781 – an authentication bypass flaw which could be exploited in a capture replay attack.

The researchers found that data exchange between wireless accessories and the insulin pump are in cleartext. An attacker could capture sensitive information such as the machine serial number. The vulnerability was given a CVSS v3 score of 4.8.

If the insulin pump is matched with a remote controller and the options for easy-bolus and remote bolus are set, the machine is prone to a capture-replay attack that could permit the wireless transmissions to be intercepted and replayed causing an extra insulin (bolus) delivery. The vulnerability was given a CVSS v3 score of 5.3.

The vulnerabilities are present in the following MiniMed insulin pumps and related products:

  • MMT – 522 / MMT – 722 Paradigm REAL-TIME
  • MMT – 523K / MMT – 723K Paradigm Revel
  • MMT – 523 / MMT – 723 Paradigm Revel
  • MMT – 551 / MMT – 751 MiniMed 530G
  • MMT 508 MiniMed insulin pump

Medtronic is not going to issue a fix to resolve the flaws because devices are only vulnerable when the remote option is activated. By default, the devices aren’t vulnerable. Users could deactivate the easy bolus and remote bolus options to prevent the flaws from being exploited. If users want to keep on using the easy bolus option, device alerts should be enabled. Medtronic suggests patients should switch off the easy bolus option if they do not intend to use the remote bolus option.