A threat actor can exploit these vulnerabilities to hijack Medtronic devices and modify how much insulin should be administered to a patient.
Medtronic, a well-known medical device maker, has recalled the remote controllers used with some of the company’s insulin pumps because of inherent vulnerabilities that could lead to injury or death.
Threat actors can hijack the devices to modify how much insulin should be administered to a patient. The recall was announced after a team of cybersecurity researchers discovered a series of vulnerabilities in 2018.
A Class 1 Recall
The recall of the MMT-500 and MMT-503 remote controllers used with the MiniMed 508 and Paradigm series insulin pumps was decided in June 2019. This is a huge blow to Medtronic, as the company currently accounts for 60% of the insulin pump market.
The Food and Drug Administration (FDA) stated that it is a Class 1 recall, the most serious and urgent kind, because such devices can cause severe injuries to the patient or may even lead to death.
“Using specialized equipment, an unauthorized person could instruct the pump to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis, even death,” the FDA noted.
However, it is worth noting that these are old models that aren’t produced anymore. These models utilize last-generation technology and only work with the MiniMed 508 and MiniMed Paradigm series insulin pumps.
About the Attack
Reportedly, there is an issue with the wireless communication between the insulin pumps and their remote controllers. For the flaw to be exploited, the victim must have enabled the remote controller option, registered the controller to the pump, and enabled the Easy Bolus feature.
Furthermore, the attacker would need to be close to the victim, and the victim would need to ignore the pump’s alerts indicating that a remote bolus is being delivered.
According to the advisory, unauthorized individuals could record and replay the wireless radio frequency (RF) signals the remote uses to communicate with the insulin pumps. The remote allows setting the amount of insulin a patient would need without requiring the manual pressing of any of the pump’s buttons. But, due to the vulnerability, a hacker can tamper with the insulin amount administered to a diabetes patient, which could be life-threatening.
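The weakness described above is a record-and-replay of commands that the pump accepts without any proof of freshness. The following is an added Python simulation, not Medtronic's protocol or any code from the page: it contrasts a pump that acts on any well-formed bolus command with one that checks a shared-key HMAC and a monotonic counter, so a captured message cannot be replayed or altered. The key, message layout and dose values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
KEY = b"constructed-demo-key"   # constructed; real pairing secrets are not on the page
BODY = struct.Struct(">HI")     # dose in tenths of a unit, then a message counter
TAG_LEN = 8

def build_bolus(units_tenths, counter, key=KEY):
    """Remote side: dose, monotonically increasing counter, truncated HMAC tag."""
    body = BODY.pack(units_tenths, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class LegacyPump:
    """Link with no freshness check: every well-formed command is acted on."""
    def __init__(self):
        self.delivered = 0

    def accept(self, msg):
        units, _ = BODY.unpack(msg[:BODY.size])
        self.delivered += units
        return True

class HardenedPump:
    """Refuses a bad tag (tampering) or a counter not newer than the last one seen (replay)."""
    def __init__(self, key=KEY):
        self.key, self.last_counter, self.delivered = key, 0, 0

    def accept(self, msg):
        if len(msg) != BODY.size + TAG_LEN:
            return False
        body, tag = msg[:BODY.size], msg[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        units, counter = BODY.unpack(body)
        if counter <= self.last_counter:
            return False
        self.last_counter = counter
        self.delivered += units
        return True

def replay_demo(units_tenths=20):
    """One legitimate bolus, then the same recording replayed at each pump model."""
    msg = build_bolus(units_tenths, counter=1)
    legacy, hardened = LegacyPump(), HardenedPump()
    legacy.accept(msg)
    hardened.accept(msg)
    again_legacy = legacy.accept(msg)      # the dose is delivered a second time
    again_hardened = hardened.accept(msg)  # stale counter, refused
    return legacy.delivered, again_legacy, hardened.delivered, again_hardened
```

The counter must be persisted on the pump side and the tag must cover it, otherwise an attacker could reset or reorder captures; the pump's on-screen bolus alert remains a useful last line of defence regardless.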
Over 31,000 Devices to be Recalled
According to the FDA, more than 31,000 devices in the United States have been recalled. Medtronic and the FDA also noted that users whose devices were under warranty were informed about the issues back in August 2018. Medtronic further explained that the recall would be expanded to the optional remote controllers compatible with the affected insulin pumps.
The device users have been sent updated instructions and informed about the issue with the impacted controllers. The company urges the users of these pumps to stop using the controllers and return them to Medtronic. Medtronic also explained that the risks associated with the MiniMed remote controller “outweigh the benefits of its continued use.”