Vulnerability in Medtronic insulin pumps allow hacking devices

Pierluigi Paganini June 30, 2019

Medtronic and the US government have warned that some Medtronic MiniMed insulin pumps are vulnerable to cyber attacks.

Medtronic and the United States government have warned of a security vulnerability affecting some Medtronic MiniMed insulin pumps that could be exploited by hackers.

The Department of Homeland Security (DHS) and Medtronic, and the Food and Drug Administration (FDA) have published a press release of a high-severity flaw affecting models of insulin pumps belonging to MiniMed 508 and Paradigm series.

The flaw, tracked as CVE-2019-10964, is an improper access control issue that could be exploited by an attacker with adjacent access to one of the vulnerable insulin pumps to interfere with the wireless RF (radio frequency) communications to or from the product.

An attacker can exploit the flaw to inject, replay, modify, and/or intercept data, the flaw could also allow hackers to change pump settings and control insulin delivery.

“Successful exploitation of this vulnerability may allow an attacker with adjacent access to one of the affected products to intercept, modify, or interfere with the wireless RF (radio frequency) communications to or from the product.” reads the security advisory published by the US-CERT. “This may allow attackers to read sensitive data, change pump settings, or control insulin delivery.”

According to FDA, in the U.S., Medtronic has identified 4,000 patients who are potentially using insulin pumps affected by the flaw.

The company is providing alternative insulin pumps to patients, these devices implement enhanced cybersecurity capabilities.

The vulnerability was discovered by Medtronic after security experts conducted some studies on these types of devices. Experts that conducted the researches are Nathanael Paul, Jay Radcliffe, Barnaby Jack, Billy Rios, Jonathan Butts and Jesse Young.

The vulnerable insulin pumps communicate with other devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices, with wireless RF.

Experts discovered that the wireless RF communication protocol does not properly implement authentication or authorization.

“The vulnerability allows a potential attacker with special technical skills and equipment to potentially send radiofrequency (RF) signals to a nearby insulin pump to change settings, impacting insulin delivery. This change could result in a patient experiencing hypoglycemia (if additional insulin is delivered) or hyperglycemia (if not enough insulin is delivered),” reads the advisory published by Medtronic.

The good news is that Medtronic is not aware of attacks in the wild.

Patients in the US using the vulnerable insulin pumps urge to contact their healthcare provider to discuss replacing the devices with a newer model.

For individuals living outside the US where newer pumps model is not available, the vendor suggests customers adopt mitigations for preventing cyberattacks.

“Medtronic is unable to adequately update the MiniMed 508 and Paradigm insulin pumps with any software or patch to address the devices’ vulnerabilities.” concludes the FDA. “The FDA is working to assure that Medtronic addresses this cybersecurity issue, including helping patients with affected insulin pumps switch to newer models with better cybersecurity controls.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Medtronic, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment