Medtronic Fixing Patient Monitor

Tuesday, August 7, 2018 @ 04:08 PM gHale

Medtronic has made server-side updates to address an insufficient verification of data authenticity vulnerability and a storing passwords in a recoverable format vulnerability in its MyCareLink Patient Monitor, according to a report from NCCIC.

Successful exploitation of these vulnerabilities, discovered by Billy Rios, Jesse Young, and Jonathan Butts of Whitescope LLC, may allow an attacker with physical access to obtain the per-product credentials used to authenticate data uploads and encrypt data at rest. Additionally, an attacker with access to a set of these credentials and additional identifiers can upload invalid data to the Medtronic CareLink network.

The following versions of the Medtronic MyCareLink 24950 Patient Monitor suffer from the vulnerabilities:
• 24950 MyCareLink Monitor, all versions
• 24952 MyCareLink Monitor, all versions

In one vulnerability, the affected product’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.

CVE-2018-10626 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.4.

In addition, the affected products use per-product credentials stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest.

CVE-2018-10622 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.9.

The product is used mainly in the healthcare and public health sectors, and is deployed worldwide.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely, and a high skill level is needed to exploit them.

Ireland-based Medtronic has made server-side updates to address the insufficient verification vulnerability identified in this advisory. Medtronic is implementing additional server-side mitigations to enhance data integrity and authenticity.

Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:
• Maintain good physical control over the home monitor
• Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system

Medtronic has also released additional patient-focused information.