Medtronic, the world’s largest medical device company, has issued a recall of some of its insulin pumps because they can be tampered with by attackers.
About the vulnerable devices
The affected devices are insulin pumps from the MiniMed 508 and Paradigm series (more specific info here).
“The potential risks are related to the wireless communication between Medtronic’s MiniMed insulin pumps and other devices such as blood glucose meters, continuous glucose monitoring systems, the remote controller and CareLink USB device used with these pumps,” the US Food and Drug Administration noted in the recall announcement.
“The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings. This could allow a person to over deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis (a buildup of acids in the blood).”
The vulnerability (CVE-2019-10964) is not exploitable remotely, and a high skill level is needed to exploit it.
The FDA says that they are “not aware of any confirmed reports of patient harm related to these potential cybersecurity risks” and ICS-CERT added that there are currently no known public exploits for targeting this vulnerability.
But the affected pumps can’t be adequately updated or patched and that’s the reason for the recall.
“Medtronic recommends U.S. patients who are currently using the affected products talk to their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection. Patients outside the U.S. will receive a notification letter with instructions based on the country where they live,” ICS-CERT noted.
“Additionally, Medtronic will be sending a letter to all patients who are current known users of these pumps further detailing the risks and defensive measures.”
The FDA says that there are 4,000 confirmed U.S. patients that use one of the affected pumps, and that Medtronic is working with distributors to identify additional patients potentially using these pumps.
Medtronic: Related security news
The company has said that previous research work by a slew of external researchers (Nathanael Paul, Jay Radcliffe, Barnaby Jack, Billy Rios, Jonathan Butts, and Jesse Young) has lead their internal research team to the discovery of this latest vulnerability.
Medtronic is one of the medical device manufacturers that, as part of the #wehearthackers initiative, pledged to work with security researchers to ensure their devices are secure.
It’s interesting to note that many of the vulnerable Medtronic MiniMed insulin pumps are highly prized by diabetes sufferers because they have a security flaw that allows them to modify the firmware.
This makes it possible to load the OpenAPS (“open artificial pancreas”) software into them to automate the process of monitoring the user’s blood sugar, calculating the right insulin dose and administering it, sparing users from the trouble of doing that themselves multiple times per day and per night.