Medtronic NGP 600 Series Insulin Pumps Vulnerability

Protection mechanism failure vulnerability affects the MiniMed NGP 600 Series Insulin Pumps


Threat details

Introduction

Medtronic has internally identified and reported a protection mechanism failure vulnerability in its Next Generation Pump (NGP) 600 Series Insulin Pumps. An unauthorised attacker on an adjacent network could exploit this vulnerability, tracked as CVE-2022-32537, to cause the pump to deliver too much insulin (through an unintended insulin bolus) or too little insulin (because insulin delivery is slowed or stopped).


Vulnerability

CVE-2022-32537 - CWE-693 - Protection mechanism failure

A vulnerability exists that could allow an unauthorised user to learn aspects of the communication protocol used to pair system components, but only while the pump is being paired with other system components. Exploitation requires the attacker to be within wireless range of the patient and the device at that time, and advanced technical knowledge is required. A CVSS v3 base score of 4.8 has been calculated.


Remediation advice

Affected organisations are encouraged to review CISA Medical Advisory ICSMA-22-263-01 and Medtronic's Urgent Medical Device Correction for the MiniMed 600 Series Pump System Communication Issue.

Medtronic recommends that users take the following actions:

  1. Turn off the "Remote Bolus" feature on the pump.
  2. Only connect or link devices in a private place.

Note: Turning off the Remote Bolus feature ensures that no remote bolus can be delivered.

Medtronic has identified the following precautions to assist users:

  • Ensure the pump and connected system components are always controlled by an authorised user.
  • Be attentive to pump notifications, alarms, and alerts.
  • Immediately cancel any bolus not initiated by authorised personnel; monitor blood glucose levels closely and contact Medtronic 24-Hour Technical Support to report the bolus.
  • Disconnect the USB device from the computer when not downloading pump data.
  • Do not confirm remote connection requests or any other remote action on the pump screen unless it was initiated by authorised care personnel.
  • Avoid sharing pump or device serial numbers with anyone other than the healthcare provider, distributors, and Medtronic.
  • Do not accept, calibrate, or bolus using a blood glucose reading not initiated by authorised care personnel.
  • Do not connect to, or allow, any third-party devices to connect to the pump.
  • Do not use software that Medtronic has not authorised as safe for use with the pump.
  • Medtronic advises patients experiencing symptoms of severe hypoglycaemia or diabetic ketoacidosis to seek immediate medical attention.
  • Users are encouraged to contact Medtronic 24-Hour Technical Support (1-800-646-4633) if they suspect a pump setting or insulin delivery has changed unexpectedly, without their knowledge.


Last edited: 28 September 2022 3:37 pm