Medtronic has made server-side updates to address two vulnerabilities in its MyCareLink Patient Monitor, one involving insufficient verification of data authenticity and the other the storage of passwords in a recoverable format, according to a report with NCCIC.
Successful exploitation of these vulnerabilities, discovered by Billy Rios, Jesse Young, and Jonathan Butts of Whitescope LLC, may allow an attacker with physical access to obtain per-product credentials utilized to authenticate data uploads and encrypt data at rest. Additionally, an attacker with access to a set of these credentials and additional identifiers can upload invalid data to the Medtronic CareLink network.
The following versions of the Medtronic MyCareLink 24950 Patient Monitor suffer from the vulnerabilities:
• 24950 MyCareLink Monitor, all versions
• 24952 MyCareLink Monitor, all versions
In one vulnerability, the affected product’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
CVE-2018-10626 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.4.
In addition, the affected products use per-product credentials stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest.
CVE-2018-10622 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.9.
The product is used mainly in the healthcare and public health sectors and is deployed on a global basis.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. A high skill level is needed to exploit them.
Ireland-based Medtronic has made server-side updates to address the insufficient verification vulnerability identified in this advisory. Medtronic is implementing additional server-side mitigations to enhance data integrity and authenticity.
Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:
• Maintain good physical control over the home monitor
• Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system
Medtronic released additional patient-focused information.