FDA warns of vulnerabilities in Medtronic insulin pumps

• A security flaw discovered in certain Medtronic insulin pumps could be exploited by attackers.
• Although no incidents are reported, the FDA has identified 4000 U.S. patients who were using these insulin pumps.

The U.S. Food and Drug Administration (FDA) has identified numerous insulin pumps by Medtronic to be vulnerable to cyber attacks. The agency has planned to recall Medtronic’s MiniMed 508 and the Paradigm series of insulin pumps. According to FDA, a security flaw present in these pumps could allow attackers to connect to them wirelessly, read and modify data, as well as change pump settings meant for controlling insulin delivery.

What is the security flaw?

• In an advisory, the US-CERT describes the flaw as an improper access control vulnerability (CVE-2019-10964) present in the affected devices. It has a CVSS v3 score of 7.1.
• The flaw emerged due to a faulty implementation of authentication in the wireless RF communication protocol used by the devices.
• As a result, attackers could access any of the affected insulin pump models and subsequently inject, replay, modify, or intercept data. Similarly, this flaw could allow them to change pump settings meant for controlling insulin delivery.

What can you do to protect yourself?

Medtronic has acknowledged the flaw in the insulin pumps and has recommended its affected patients to change to a newer model by requesting their healthcare providers. As per the FDA, around 4000 patients are affected by this issue. Since Medtronic could not correctly patch this flaw with updates, it has suggested patients go for device replacements.

“The FDA is working to assure that Medtronic addresses this cybersecurity issue, including helping patients with affected insulin pumps switch to newer models with better cybersecurity controls. The FDA will keep the public informed if significant new information becomes available,” the agency said in a press release.