Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Vulnerabilities in Medtronic Product Can Allow Hackers to Control Cardiac Devices

Vulnerabilities discovered in Medtronic’s MyCareLink Smart 25000 Patient Reader product could be exploited to take control of a paired cardiac device.

Vulnerabilities discovered in Medtronic’s MyCareLink Smart 25000 Patient Reader product could be exploited to take control of a paired cardiac device.

Designed to obtain information from a patient’s implanted cardiac device, the MCL Smart Patient Reader then sends the data to the Medtronic CareLink network, to facilitate care management, through the patient’s mobile device.

Three vulnerabilities discovered by researchers at IoT security firm Sternum in the MCL Smart Model 25000 Patient Reader could be exploited to modify or fabricate data that is transmitted from the implanted patient device to the CareLink network. Medtronic MyCareLink Smart vulnerabilities

Furthermore, they could allow an attacker to execute code remotely on the MCL Smart Patient Reader, essentially taking control of the paired cardiac device. Exploitation of the flaws, however, requires for the attacker to be within Bluetooth range of the vulnerable product.

Tracked as CVE-2020-25183 (CVSS score of 8.0), the first of the bugs is an authentication protocol issue that allows an attacker to bypass the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app.

“This vulnerability enables an attacker to use another mobile device or malicious application on the patient’s smartphone to authenticate to the patient’s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication,” CISA notes in an advisory.

Tracked as CVE-2020-25187 and featuring a CVSS score of 8.8, the second flaw is triggered when an authenticated attacker runs a debug command sent to the patient reader. This could cause a heap overflow, resulting in remote code execution, potentially allowing the attacker to control the device.

Also with a CVSS score of 8.8, the third vulnerability (CVE-2020-27252) is a race condition that could be leveraged to upload and execute unsigned firmware on the Patient Reader. This could allow an attacker to remotely execute code, thus taking control of the device.

Medtronic has already released a firmware update to address the vulnerabilities, and it can be applied via the MyCareLink Smart app through the associated mobile app store. Updating the application (to version 5.2.0 or higher) also ensures that the Patient Reader is automatically updated on next use. The company has published step-by-step details on how to apply the update.

Advertisement. Scroll to continue reading.

As additional mitigation steps, Medtronic has implemented Sternum’s enhanced integrity validation (EIV) technology and advanced detection system technology, which allow it to detect vulnerabilities and monitor for anomalous device activity.

“To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities,” Medtronic explains.

Related: DHS Warns of Vulnerabilities in Medtronic Defibrillators

Related: FDA Approves Use of New Tool for Medical Device Vulnerability Scoring

Related: Unprotected Medical Systems Expose Data on Millions of Patients

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.