
Flaws in Medtronic MyCareLink can allow attackers to take over implanted cardiac devices

Experts reported flaws in Medtronic's MyCareLink Smart 25000 Patient Reader product that could be exploited to take control of a paired cardiac device.

Experts from IoT security firm Sternum discovered vulnerabilities in Medtronic's MyCareLink Smart 25000 Patient Reader product that could be exploited to take control of a paired cardiac device.

MyCareLink Smart 25000 Patient Reader is a platform designed by Medtronic to gather data from patients' implanted cardiac devices and transfer it to the Medtronic CareLink network.

The vulnerabilities (CVE-2020-25183, CVE-2020-25187, CVE-2020-27252) can only be exploited by an attacker within Bluetooth range of the vulnerable product.

The experts found three flaws that could be exploited to modify or forge data received from the implanted cardiac devices. The flaws could also allow remote attackers to take control of the paired cardiac device and execute arbitrary code on the MCL Smart Patient Reader.

CVE-2020-25183 is an improper authentication issue that could be exploited by an attacker to bypass the authentication between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app.

“This vulnerability enables an attacker to use another mobile device or malicious application on the patient’s smartphone to authenticate to the patient’s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication,” reads the advisory published by DHS CISA.

The second flaw, tracked as CVE-2020-25187, is a heap-based buffer overflow that could be exploited by an authenticated attacker to remotely execute code on the MCL Smart Patient Reader.

“The affected products are vulnerable when an authenticated attacker runs a debug command, which can be sent to the patient reader and cause a heap overflow event within the MCL Smart Patient Reader software stack. The heap overflow could allow an attacker to remotely execute code on the MCL Smart Patient Reader, potentially leading to control of the device,” continues the advisory.

The third vulnerability, tracked as CVE-2020-27252, is a race condition that could be leveraged to upload and execute unsigned firmware on the Patient Reader. The flaw could be exploited by an attacker to remotely execute code and take over the device.

“The affected products are vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited, an attacker could remotely execute code on the MCL Smart Patient Reader device, leading to control of the device,” states the advisory.
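The advisory does not describe how the race in the update system arises. As an added illustration (not Medtronic's or Sternum's code), the C sketch below shows one common form of this bug class, a check-then-use on a shared staging buffer, next to a snapshot-then-verify version that closes the window. The names `staging`, `between` and `toy_tag`, the image strings and the toy checksum standing in for real signature verification are all constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
#define IMG_MAX 32
struct image { uint8_t data[IMG_MAX]; size_t len; uint32_t tag; };
static struct image staging;        /* shared: the upload path can rewrite it */
static struct image flash;          /* what the device would boot */
static void (*between)(void);       /* models an upload landing mid-update */
/* Stand-in for real signature verification (constructed toy keyed checksum). */
static uint32_t toy_tag(const uint8_t *p, size_t n) {
    uint32_t h = 0x5EED1234u;
    for (size_t i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    return h;
}
static int verified(const struct image *im) {
    return im->len <= IMG_MAX && toy_tag(im->data, im->len) == im->tag;
}
/* Constructed sample input; strings are shorter than IMG_MAX. */
static void stage(const char *s, int sign) {
    memset(&staging, 0, sizeof staging);
    staging.len = strlen(s);
    memcpy(staging.data, s, staging.len);
    staging.tag = toy_tag(staging.data, staging.len) + (sign ? 0u : 1u);
}
static void swap_in_unsigned(void) { stage("UNSIGNED-IMAGE", 0); }

/* Check-then-use: verifies the shared buffer, then reads it again to install. */
int install_racy(void) {
    if (!verified(&staging)) return -1;
    if (between) between();
    flash = staging;
    return 0;
}
/* Snapshot-then-check: one read of shared state, verify and install the copy. */
int install_snapshot(void) {
    struct image snap = staging;
    if (between) between();
    if (!verified(&snap)) return -1;
    flash = snap;
    return 0;
}
/* Returns 1 if the unsigned image ended up installed despite the check. */
int unsigned_installed(int (*install)(void)) {
    memset(&flash, 0, sizeof flash);
    stage("SIGNED-IMAGE-v2", 1);
    between = swap_in_unsigned;
    int rc = install();
    between = 0;
    return rc == 0 && memcmp(flash.data, "UNSIGNED", 8) == 0;
}
```

With the snapshot version, a write that lands during the update only affects the next update attempt, which is verified on its own.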

Medtronic addressed the flaw with the release of a firmware update that can be applied via the MyCareLink Smart app through the associated mobile app store.

At the time of the advisory, Medtronic is not aware of attacks in the wild exploiting the above flaws.

“Medtronic is currently unaware of any cyberattack, privacy breach, or patient harm as a result of these vulnerabilities,” states the advisory.

Pierluigi Paganini

(SecurityAffairs – hacking, Medtronic)
