Vulnerability Found in Medtronic MiniMed 600 Series Insulin Pumps

The Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an alert regarding a recently discovered vulnerability that affects a number of Medtronic insulin pumps. A malicious actor can exploit the vulnerability to change patients' insulin dosages, causing excessive or inadequate insulin delivery.

The vulnerability impacts the Medtronic NGP 600 Series Insulin Pumps along with their accessory parts listed below:

  • MiniMed 620G: MMT-1710
  • MiniMed 640G: MMT-1711, MMT-1712, MMT-1751, MMT-1752
  • MiniMed 630G: MMT-1715, MMT-1754, MMT-1755
  • MiniMed 670G: MMT-1740, MMT-1741, MMT-1742, MMT-1760, MMT-1762, MMT-1762, MMT-1780, MMT-1781, MMT-1782

The vulnerability is present in the communication protocol the pump system uses to pair with other system components. A threat actor who successfully exploits the vulnerability could slow or stop insulin delivery or trigger an unintended insulin bolus. The vulnerability cannot be exploited remotely, but an attacker within wireless signal range of the patient and the pump system could exploit it. The medium-severity vulnerability is tracked as CVE-2022-32537 and was assigned a CVSS severity score of 4.8 out of 10.

Sophisticated technical expertise is necessary to exploit the vulnerability. It could be exploited while the pump is being paired with other system components, and the attacker must be close to the pump, which limits the opportunities for exploitation. The FDA states that it does not know of any instances of the vulnerability being exploited.

Medtronic has released an urgent medical device correction alert concerning the vulnerability and has advised all end users of the affected insulin pumps to take action to prevent exploitation. The vulnerability affects all of the Medtronic NGP 600 Series Insulin Pumps listed above in their default settings.

To avoid exploitation, Medtronic asks all end users to turn off the Remote Bolus function on the pump if it is switched on, and not to connect devices in public. End users are encouraged to keep their pumps and related system components under their control at all times; to pay attention to pump notifications, alarms, and alerts; to disconnect the USB device from the computer whenever it is not being used to download pump data; and not to confirm remote connection requests or any other remote actions unless they initiated them themselves or their care partner initiated them.

More details on mitigations are available in Medtronic's urgent medical device correction notification.