Serious Vulnerabilities Discovered in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities were found in Medtronic MyCareLink (MCL) Smart Patient Readers, which can likely be exploited to obtain access to and change patient data from the paired implanted cardiac gadget. Remote code execution on the MCL Smart Patient Reader is possible with the exploitation of the vulnerabilities together, permitting an attacker to have control of a matched cardiac device. An attacker can only exploit the vulnerabilities if within Bluetooth signal proximity to the vulnerable product.

All versions of the MCL Smart Model 25000 Patient Reader are affected by the following vulnerabilities.

Vulnerability CVE-2020-25183 is a vulnerability that exploits the authentication protocol. The method employed to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app could be circumvented. An attacker using another mobile device or malicious application on the patient’s smartphone may authenticate the patient’s MCL Smart Patient Reader, deceiving it into believing it is conversing with the smartphone app of the patient. The vulnerability has an assigned CVSS v3 base score of 8.0 out of 10.

With vulnerability CVE-2020-27252, an authenticated attacker running a debug command could introduce a heap-based buffer overflow incident in the MCL Smart Patient Reader software stack. When prompted, an attacker can remotely execute code on the vulnerable MCL Smart Patient Reader, so that the attacker could get control of the device. This vulnerability has a designated CVSS v3 base rating of 8.8.

Vulnerability CVE-2020-27252 is identified in the software update system of MCL Smart Patient Readers. An attacker exploiting this vulnerability could upload and use unsigned firmware on the Patient Reader. This vulnerability can additionally permit remote execution of arbitrary code on the MCL Smart Patient Reader and may let an attacker take control of the system. This vulnerability has an assigned CVSS v3 base score of 8.8.

The researchers that discovered the device vulnerabilities were from the Israeli firm Sternum. Researchers at the UC Santa Barbara, University of Michigan and the University of Florida also independently identified the improper authentication vulnerability.

Medtronic has now provided a software update to correct the vulnerabilities after receiving a report about the vulnerabilities. The firmware update may be done by updating the MyCareLink Smartapp using its mobile application store. By updating the mobile app to version v5.2, it will make certain to apply the update upon next use; nevertheless, the patch will only work when the user’s smartphone is running Android 6.0 or above or iOS 10 or later version.

Device users were likewise advised to maintain strong physical control over their monitors at home and to limit the use of home devices to private settings. Patients should just use home monitors that were acquired straight from their healthcare provider or a Medtronic agent.

Medtronic likewise took steps to enhance security, including employing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of identified vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which allows device-level logging and tracking of all device activity and tendencies.