Medtronic MiniMed Insulin Pump Authentication Vulnerability

Summary

Medtronic has released details of a vulnerability in their MiniMed range of insulin pumps. An unauthenticated user in radio range could exploit this to alter device settings, or intercept, modify and inject sensitive information.


Threat details

The vulnerability lies in the proprietary radio frequency protocol that MiniMed insulin pumps use to communicate with control systems and peripheral devices. This protocol does not adequately implement authorisation and authentication, so an attacker with knowledge of the protocol data format can retrieve patient data or alter pump settings, including controlling insulin delivery.

For further information:


Remediation steps

At the time of publication, Medtronic have indicated that this vulnerability cannot be fully remediated in the affected products. They have stated they will be contacting affected organisations directly to provide additional guidance. Further information can be found on Medtronic's June 27, 2019 Security Bulletin or their security site.

Medtronic have also suggested that users and organisations follow the partial mitigation steps below:

  • Be attentive to pump notifications, alarms, and alerts.
  • Disconnect CareLink USB devices from computers when not being used to download data from the pump.
  • Do not connect to any third-party devices or use any unauthorised software.
  • Do not share pump serial numbers.
  • Get medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis, or if you suspect that insulin pump settings or insulin delivery have changed unexpectedly.
  • Immediately cancel any unintended dosages (known as boluses).
  • Maintain tight physical control of affected pumps and peripheral devices.
  • Monitor blood glucose levels closely and act as appropriate.

Last edited: 17 January 2022 5:51 pm