
DHS CISA Alerts to Medtronic MyCareLink Medical Device Flaws

Serious vulnerabilities found in certain Medtronic MyCareLink medical devices would allow an attacker within Bluetooth signal proximity to modify or fabricate patient data.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released an alert warning healthcare organizations of serious vulnerabilities found in certain Medtronic MyCareLink (MCL) medical devices that could potentially impact patient data.

Discovered by IoT security firm Sternum and a team of researchers from the University of California Santa Barbara, University of Florida, and University of Michigan, the flaws are found in all versions of the MCL Smart Model 25000 Patient Reader.

The patient reader is used to obtain information about an implanted cardiac device, which transmits to the Medtronic CareLink network through the patient’s mobile device to assist with care management processes.

The vulnerabilities are caused by improper authentication, a heap-based buffer overflow, and a time-of-check time-of-use (TOCTOU) race condition.

Specifically, the authentication method used for the MCL Smart Patient Reader and the Medtronic MyCareLink Smart Mobile app is vulnerable to bypass.

“This vulnerability enables an attacker to use another mobile device or malicious application on the patient’s smartphone to authenticate to the patient’s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication,” according to the alert.

“This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code,” it added.

A second flaw, ranked 8.8 out of 10, allows an authenticated hacker to send a debug command to the patient reader, which can cause a heap overflow event within the MCL Smart Patient Reader software stack.

As a result of the heap overflow, an attacker would be able to remotely execute code on the MCL Smart Patient Reader, and potentially gain control of the medical device.

The final flaw is also ranked 8.8 and refers to a race condition in the MCL Smart Patient Reader software update system that allows unsigned firmware to be uploaded to and executed on the Patient Reader.

Upon exploitation, a hacker could again remotely execute code on the MCL Smart Patient Reader and gain control of the device.

CISA warned that an attacker who exploits all three flaws together could modify or fabricate data from the implanted cardiac device when it is uploaded to the CareLink Network.

Fortunately, the attacker must initiate the exploit within Bluetooth signal proximity of the vulnerable product in order to accomplish these nefarious activities. As such, Medtronic is currently unaware of any privacy breach, cyberattack, or patient harm as a result of the vulnerabilities.

To close these gaps, patients will need to update their MyCareLink Smart application to receive the Medtronic firmware update, which will eliminate the flaws from the impacted devices. The update is available through the MyCareLink Smart app via the associated mobile application store.

“Upgrading to the latest v5.2 mobile application version will ensure the Patient Reader is also updated on next use,” officials explained. “The user’s smartphone must be updated to the following operating system version for the patches to be applied: iOS 10 and above; Android 6.0 and above.”

To strengthen the security of its devices, Medtronic also implemented Sternum’s enhanced integrity validation (EIV) tool, designed to provide early detection and real-time mitigation of known vulnerabilities. 

The vendor also added Sternum’s advanced detection system, which provides “de-identified device-level logging and monitoring of all device activity and anomalous behavior.”

“Proactive monitoring of your patient reader helps Medtronic proactively detect any possible cybersecurity issues,” according to Medtronic officials.

Medtronic also recommended users take additional measures to reduce cybersecurity risks to the device, including maintaining strong physical control over home monitors. This includes only using home monitors within private environments.

Patients should be encouraged to only use home monitors directly obtained from their healthcare provider or a Medtronic representative and to ensure that their mobile device is updated to the latest OS version.

Lastly, providers should encourage patients to report any concerning behavior.

Vulnerability disclosures are a crucial part of bolstering medical device security across the healthcare sector. This is the second round of Medtronic MyCareLink vulnerabilities disclosed this year. In February, Medtronic issued a series of patches for certain implanted cardiac devices and related CareLink Encore 29901 programmers.
