Medtronic recalls some controllers used with some of its insulin pumps over cyberattack risks

Medical device maker Medtronic recalled the remote controllers used with some of its insulin pumps because of dangerous vulnerabilities.

Medical device maker Medtronic has recalled the remote controllers used with some of its insulin pumps because of they are affected by severe vulnerabilities that could lead to injury or death of the patients.

An attacker can exploit the vulnerabilities to modify the quantity of insulin that the pumps provide to the patient.

“The MiniMed™ remote controller, which uses a wireless radio frequency (RF) to communicate with your insulin pump, helps to program a set amount of insulin (or bolus) into your Medtronic pump without pressing any insulin pump buttons.” states the URGENT MEDICAL DEVICE RECALL published by the medical equipment vendor.

“In May 2018, an external cybersecurity researcher identified a potential risk related to the MiniMed™ Paradigm™ family of insulin pumps and corresponding remote controller. The researcher’s report stated that an unauthorized individual in close proximity of an insulin pump user could potentially copy the wireless RF signals from the user’s remote controller (for example, while the user is in the process of delivering a remote bolus) and play those back later to deliver an additional bolus of insulin to the pump user. This could lead to potential health risks such as hypoglycemia if additional insulin is delivered beyond the user’s insulin requirements, or hyperglycemia if insulin delivery is suspended through a similar play back.”

The company pointed out that to date, it has not received reports of any injuries resulting from this issue.“

The company first communicated the recall to some users in August 2018 recommending to disable the remote bolus feature, when not in use, to prevent cyberattacks when using an optional remote controller.

The company recalls MiniMed 508 and Paradigm series insulin pumps remote controls MMT-500, and MMT-503, the impacted devices represent 60% of the insulin pumps on the market. Anyway, both device families are no more produced by the vendor.

The Food and Drug Administration (FDA) also issued an alert about the Class 1 recall warning of the risks to the patients, the exploitation of the flaws could potentially lead to death. According to the FDA, the number of devices recalled in the U.S. is 31,310.

“An unauthorized person (someone other than a patient, patient caregiver, or health care provider) could potentially record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialized equipment, an unauthorized person could instruct the pump to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis, even death.” states the FDA. “If you have never programmed a remote controller ID into the pump and never programmed the easy bolus option, you are not impacted by this vulnerability.”

Patients using the remote controller feature with either the MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps are potentially affected along with Health care providers and caregivers who treat people with diabetes who use remote controllers associated with either the MiniMed 508 or the MiniMed Paradigm devices.

Early October, Medtronic began notifying patients that are still using impacted MiniMed 508 insulin pumps or the MiniMed Paradigm family of insulin pumps and have purchased a remote controller of the expanded recall.

Below are the instructions provided by the vendor:

If you use a recalled remote controller:

• Stop using the remote controller.
• Turn off the easy bolus feature.
• Disconnect the remote controller from your insulin pump:
  • First, you must turn off the radio frequency function and delete all remote controller IDs that are programmed into your insulin pump.
  • Then, follow the instructions in the appendix attached to Medtronic’s letter. The steps to disconnect the remote controller will vary by insulin pump model.
• Contact Medtronic to return the remote controller in one of three ways:
  • Visit medtronicdiabetes.com/RemoteControlExternal Link Disclaimer
  • Call Medtronic’s 24-Hour Technical Support line at 1-800-378-2292, or
  • Complete and return the Customer Confirmation Form.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, insulin pumps)

[adrotate banner=”5″]

[adrotate banner=”13″]