Medical device manufacturer Medtronic plc took the unusual step of issuing a recall for several of its insulin pump products due to serious hacking concerns that were detailed in a pair of security alerts from the Food and Drug Administration (FDA) and ICS-CERT.
The root cause of the scare is an improper access control vulnerability that, according to the FDA, Medtronic cannot adequately fix with a software patch. In essence, the wireless RF communication protocol that the pumps use to communicate with companion devices fail to properly authenticate or authorize users. Such devices include remote controllers, blood glucose meters, glucose sensor transmitters and CareLink USB devices for storing glucose level data.
Malicious actors could exploit this flaw to intercept and interfere with the wireless communications, thereby allowing them to connect to the devices, read sensitive data, change pump settings and control insulin delivery while connected to a patient. Such an attack could trigger potentially fatal conditions in victims such as hypoglycemia, high blood sugar or diabetic ketoacidosis.
Roughly 4,000 patients use the affected pump products, which were identified as the MiniMed508 and MiniMed Paradigm series insulin pumps. The Paradigm pumps include the following models: 511, 512/712, 712E, 515/715, 522/722, 522K/722K, 523/723 (software versions 2.4A or lower), 523K/723K (software versions 2.4A or lower), Veo 554/754 (software versions 2.6A or lower), and Veo 554CM/754CM (software versions 2.7A or lower).
It was researchers at Medtronic who actually discovered the problem and reported it to the Department of Homeland Security's National Cybersecurity and Communications Integration Center (home to the ICS-CERT). The company, which is headquartered in Dublin, Ireland, but operates out of Minneapolis, also sent a notification letter to potentially affected patients, recommending that they change to a newer model pump with more robust cybersecurity protections.
"At this time, we have received no confirmed reports of unauthorized persons changing settings or controlling insulin delivery," said the letter, which was posted on Medtronic website.
Medtronic, the NCCIC and the FDA also suggested a series of mitigations that users could apply to their vulnerable pumps until they can replace them. These steps include restricting access and control of pumps and connected devices to authorized personnel; following a least privilege approach; being careful not to share pump serial numbers; paying mind to pump notifications, alarms and alerts; immediately cancelling any unintended large single insulin doses (known as boluses); avoiding the use of third-party devices and non-Medtronic software; disconnecting CareLink USB devices when not in use; monitoring glucose levels closely; and looking out for any dangerous medical symptoms that emerge while using the pumps.
"The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them," said
Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation and acting division director for All Hazards Response, Science and Strategic Partnerships in the FDA’s Center for Devices and Radiological Health.
"Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users," Schwartz continued, in an official FDA press release. "However, at the same time it’s important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery."
Designated CVE-2019-10964, the vulnerability has been assigned a CVSS v3 base score of 7.1. According to the ICS-CERT alert, Medtronic said that its research that led to CVE-2019-10964's discovery was based on previous work performed by external researchers Nathanael Paul, Jay Radcliffe, Barnaby Jack, Billy Rios, Jonathan Butts and Jesse Young.