Recall of Medtronic Insulin Pumps Because of Cybersecurity Vulnerabilities

The United States Computer Emergency Readiness Team (US-CERT) and the Food and Drug Administration (FDA) have issued alerts about cybersecurity vulnerabilities discovered in several Medtronic insulin pumps.

The affected pumps communicate over wireless RF with companion devices such as blood glucose meters, CareLink USB devices, and glucose sensor transmitters. Vulnerabilities were identified in several MiniMed Paradigm and MiniMed 508 pumps. An attacker with adjacent access to a vulnerable device, that is, within radio range, could intercept, alter, or interfere with the RF communications to and from the device.

An attacker could therefore read data transmitted to and from the pump, change the pump's settings, and control insulin delivery. Over-delivery of insulin can cause hypoglycemia, and stopping delivery can cause diabetic ketoacidosis; either outcome could be fatal.

The wireless communications protocol does not properly implement authentication or authorization, so a pump acts on commands without proof that they came from a paired device. The issue is tracked as CVE-2019-10964 and has a CVSS v3 base score of 7.1. The vulnerability was reported by the researchers Nathanael Paul, Billy Rios, Jay Radcliffe, Barnaby Jack, Jesse Young, and Jonathan Butts, working with Medtronic.
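To make the failure mode concrete, the following is an added example, not Medtronic's protocol or code, of a toy wireless command channel. It places a receiver that obeys any well-formed frame carrying its serial number beside one that demands a keyed MAC under a shared pairing key plus a monotonic counter. The frame layout, opcodes, serial number and pairing key are all constructed for the illustration.

```python
"""Toy RF command channel: an unauthenticated receiver beside an authenticated one.

Added example, not Medtronic's protocol or code. The frame layout, opcodes,
pairing key and serial below are constructed for illustration only. They show
the bug class (a receiver that obeys any well-formed frame) and one standard
fix (a keyed MAC over the frame plus a monotonic counter for freshness).
"""
import hashlib
import hmac
import struct

# Constructed frame layout (big-endian): serial(4) | counter(4) | opcode(1) | units(2)
FRAME_FMT = ">IIBH"
FRAME_LEN = struct.calcsize(FRAME_FMT)   # 11 bytes
TAG_LEN = 16                             # truncated HMAC-SHA256 tag

OP_SET_BASAL = 0x01   # hypothetical opcode: set basal rate
OP_BOLUS = 0x02       # hypothetical opcode: deliver a bolus


def encode_frame(serial: int, counter: int, opcode: int, units: int) -> bytes:
    return struct.pack(FRAME_FMT, serial, counter, opcode, units)


def decode_frame(body: bytes):
    return struct.unpack(FRAME_FMT, body[:FRAME_LEN])


def mac_tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class UnauthenticatedPump:
    """Vulnerable receiver: acts on any well-formed frame carrying its serial.
    The serial travels in the clear, so anyone in radio range who sniffed one
    legitimate frame can address the pump and is obeyed."""

    def __init__(self, serial: int):
        self.serial = serial
        self.commands = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < FRAME_LEN:
            return False
        serial, _counter, opcode, units = decode_frame(frame)
        if serial != self.serial:
            return False
        self.commands.append((opcode, units))   # obeyed without any proof of origin
        return True


class AuthenticatedPump:
    """Hardened receiver: valid MAC under the pairing key and a fresh counter required."""

    def __init__(self, serial: int, pairing_key: bytes):
        self.serial = serial
        self.key = pairing_key
        self.last_counter = 0
        self.commands = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) != FRAME_LEN + TAG_LEN:
            return False
        body, tag = frame[:FRAME_LEN], frame[FRAME_LEN:]
        serial, counter, opcode, units = decode_frame(body)
        if serial != self.serial:
            return False
        # Authenticity and integrity: constant-time compare against the expected tag.
        if not hmac.compare_digest(tag, mac_tag(self.key, body)):
            return False
        # Freshness: a captured frame cannot be replayed once a newer one was accepted.
        if counter <= self.last_counter:
            return False
        self.last_counter = counter
        self.commands.append((opcode, units))
        return True


class PairedRemote:
    """Legitimate controller that holds the pairing key and the send counter."""

    def __init__(self, serial: int, pairing_key: bytes):
        self.serial = serial
        self.key = pairing_key
        self.counter = 0

    def send(self, opcode: int, units: int) -> bytes:
        self.counter += 1
        body = encode_frame(self.serial, self.counter, opcode, units)
        return body + mac_tag(self.key, body)


def demo() -> dict:
    serial = 0x00123456                                                # constructed serial
    pairing_key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed key
    vulnerable = UnauthenticatedPump(serial)
    hardened = AuthenticatedPump(serial, pairing_key)
    remote = PairedRemote(serial, pairing_key)

    legit = remote.send(OP_SET_BASAL, 12)
    # Attacker in RF range knows the serial (sniffed) but not the key; forges a large bolus.
    forged = encode_frame(serial, 999, OP_BOLUS, 250)
    # Attacker edits the units field of a captured legitimate frame but keeps its tag.
    tampered = bytearray(legit)
    tampered[FRAME_LEN - 2:FRAME_LEN] = (250).to_bytes(2, "big")
    tampered = bytes(tampered)

    return {
        "vulnerable_accepts_forged": vulnerable.receive(forged),
        "hardened_accepts_legit": hardened.receive(legit),
        "hardened_rejects_forged": not hardened.receive(forged + bytes(TAG_LEN)),
        "hardened_rejects_tampered": not hardened.receive(tampered),
        "hardened_rejects_replay": not hardened.receive(legit),
        "vulnerable_commands": list(vulnerable.commands),
        "hardened_commands": list(hardened.commands),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MAC gives authenticity and integrity and the counter gives replay protection; neither gives confidentiality, so the "read data" part of the risk would additionally need encryption of the frame body. The hard part in practice is not the receiver logic above but provisioning a pairing key into fielded devices that have no firmware update path, which is why a vulnerability of this kind in deployed hardware is typically handled by replacement rather than a patch.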

The vulnerable devices include:

  • all models of MiniMed 508 pump
  • MiniMed Paradigm (511 pump, 512/712 pumps, 712E pump, 515/715 pumps, 522/722 pumps, 522K/722K pumps)
  • MiniMed 523/723 and 523K/723K pumps – software versions 2.4A or earlier
  • MiniMed Paradigm Veo 554CM and 754CM models – software versions 2.7A or earlier
  • MiniMed Paradigm Veo 554/754 pumps – software versions 2.6A or earlier

Suzanne Schwartz, the FDA's deputy director of strategic partnerships and technology innovation, warned of a substantial risk of patient harm if the vulnerability is not addressed. No exploitation of the vulnerability has been reported to date.

Although the available mitigations can reduce the risk of exploitation, Medtronic was unable to develop a patch or software update that fixes the vulnerability in the affected models. Medtronic has therefore recalled the vulnerable insulin pumps and is offering replacement devices with improved cybersecurity protections.

Medtronic estimates that around 4,000 patients in the United States use the vulnerable insulin pumps. Affected patients are advised to contact their healthcare provider promptly to arrange a replacement pump.