The Food and Drug Administration (FDA) has issued an emergency alert, warning that Medtronic MiniMed insulin pumps are vulnerable to potentially life-threatening cyberattacks.
Specifically impacted are the MiniMed 508 insulin pump and the MiniMed Paradigm series insulin pumps. Up to 4,000 patients in the U.S. have been identified as using vulnerable insulin pumps; Medtronic, which has issued a recall for the products, is still working to identify more users.
According to the FDA’s Thursday warning, the security flaw could enable a bad actor to connect wirelessly to a MiniMed insulin pump and change the pump’s settings, allowing them to either deliver too much insulin, or not enough – with potentially fatal results for patients. No fix or update for the impacted products exists.
“Medtronic is unable to adequately update the MiniMed 508 and Paradigm insulin pumps with any software or patch to address the devices’ vulnerabilities,” according to the FDA. “The FDA is working to assure that Medtronic addresses this cybersecurity issue, including helping patients with affected insulin pumps switch to newer models with better cybersecurity controls. The FDA will keep the public informed if significant new information becomes available.”
In a letter to patients, the medical device firm advised patients to keep their insulin pump in their control at all times, not to connect it to third-party devices or unauthorized software, and not to share their pump serial numbers.
“To summarize, today, Medtronic started notifying customers of a potential cybersecurity risk in the MiniMed 508 and MiniMed Paradigm series of insulin pumps; these models are from 2012 and earlier,” a Medtronic spokesperson told Threatpost. “Medtronic provided its customers and their doctors with recommended security precautions when using their insulin pump. In some countries, Medtronic will have programs in place to exchange one of these older pumps for a newer model.”
Insulin pumps are small, computerized devices that deliver insulin – typically to patients with type 1 or type 2 diabetes who need insulin to maintain acceptable blood glucose levels – through a catheter (a small tube) implanted under the patient’s skin. The MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps both wirelessly connect to a remote controller and a CareLink USB device that allow users to interact with the pumps.
While the FDA noted that it is not aware of any confirmed reports of patient harm due to the security risks, the stakes are high. The pumps have a newly disclosed high-severity flaw (CVE-2019-10964) that stems from the wireless radio-frequency communications between the impacted insulin pumps and their other components.
Attackers “with adjacent access” to one of the affected products could modify or interfere with the wireless communications, allowing them to read sensitive data, change pump settings, or control insulin delivery.
“The affected insulin pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices,” according to the advisory. “This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.”
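The authentication and replay gaps the advisory describes, as an added example that is not part of the original article or of Medtronic’s own code: a hypothetical command frame (constructed layout, constructed demo key, all assumptions) is handled by a receiver that acts on any well-formed frame beside one that verifies an HMAC tag and a strictly increasing counter, so a modified dose value and a re-sent copy of a legitimate frame are rejected.

```python
import hashlib, hmac, struct

# Hypothetical frame layout for illustration only (not Medtronic's protocol):
#   serial (4 bytes) | counter (4 bytes) | cmd (1 byte) | value (2 bytes) | tag (16 bytes)
HDR = ">IIBH"
HDR_LEN = struct.calcsize(HDR)   # 11 bytes of authenticated body
CMD_SET_BASAL = 0x01
DEMO_KEY = b"constructed-pairing-key-for-demo"  # assumed per-pump secret, provisioned at pairing

def tag_for(body, key):
    # Truncated HMAC-SHA256 over every field: forgery or modification without the key fails.
    return hmac.new(key, body, hashlib.sha256).digest()[:16]

def build_frame(serial, counter, cmd, value, key):
    body = struct.pack(HDR, serial, counter, cmd, value)
    return body + tag_for(body, key)

class UnauthenticatedPump:
    """Acts on any well-formed frame addressed to its serial, as the advisory describes."""
    def __init__(self, serial):
        self.serial, self.basal = serial, 0
    def receive(self, frame):
        serial, _counter, cmd, value = struct.unpack(HDR, frame[:HDR_LEN])
        if serial != self.serial or cmd != CMD_SET_BASAL:
            return "ignored"
        self.basal = value
        return "accepted"

class AuthenticatedPump:
    """Verifies the tag first, then enforces a monotonic counter to stop replays."""
    def __init__(self, serial, key):
        self.serial, self.key, self.basal, self.last_counter = serial, key, 0, 0
    def receive(self, frame):
        body, tag = frame[:HDR_LEN], frame[HDR_LEN:]
        if not hmac.compare_digest(tag, tag_for(body, self.key)):
            return "rejected: bad tag"      # injected, modified, or forged without the key
        serial, counter, cmd, value = struct.unpack(HDR, body)
        if serial != self.serial:
            return "ignored"
        if counter <= self.last_counter:
            return "rejected: replay"       # a captured frame sent again
        self.last_counter = counter
        if cmd != CMD_SET_BASAL:
            return "ignored"
        self.basal = value
        return "accepted"

def demo():
    # Same three frames to both receivers: legitimate, a replayed copy, and a modified dose value.
    good = build_frame(1234, 1, CMD_SET_BASAL, 100, DEMO_KEY)
    tampered = bytearray(good); tampered[9:11] = struct.pack(">H", 900); tampered = bytes(tampered)
    weak, strong = UnauthenticatedPump(1234), AuthenticatedPump(1234, DEMO_KEY)
    frames = [good, good, tampered]
    return [weak.receive(f) for f in frames], [strong.receive(f) for f in frames]
```

A real design would also need a pairing step to establish the per-pump key and a counter that survives power loss, neither of which this toy covers.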
The flaw’s discovery was based on earlier work performed by external researchers including Nathanael Paul, Jay Radcliffe, and Barnaby Jack, and from recent work performed by external researchers Billy Rios, Jonathan Butts, Carl Schuett, and Jesse Young.
“I’m actually relieved to see the recall of the insulin pumps,” Rios told Threatpost on Friday. “The authentication used for the insulin pumps is really weak. Jesse [Young] and Carl [Schuett] wrote an exploit to take over any pump near them. Taking over a pump means they can deliver unexpected insulin or prevent the delivery of insulin at crucial moments. … The pump itself has no update mechanism, so there is no way for users to patch or fix the vulnerabilities. At this point, they are left with an insulin pump that will be forever vulnerable to the exploits we wrote. The recall will help protect those patients.”
Rios and other researchers have previously disclosed several other serious vulnerabilities in Medtronic products, including insulin pumps. A proof-of-concept exploit was released by researchers in March 2018, after which the manufacturer issued advisories for the flaws on August 7. That’s more than 570 days after they were first reported.
“It’s disappointing to know these have been out there for a long time,” said Rios at Black Hat 2018. “For the last two years, we’ve been increasingly frustrated with how our research was dealt with.” (See Threatpost’s interview with Rios about the medical device landscape at RSA Conference 2018).
Other medical devices continue to be plagued by security issues: In 2016, researchers warned patients who use insulin pumps made by Johnson & Johnson that vulnerabilities in the devices could be exploited to trigger an overdose. In 2018, a flaw was disclosed in Medtronic’s CareLink 2090 and CareLink Encore 29901 programmers that could allow remote code implantation over Medtronic’s dedicated Software Deployment Network (SDN).