CVE-2018-10634

Summary

Communications between Medtronic MiniMed MMT pumps and wireless accessories are transmitted in cleartext. A sufficiently skilled attacker could capture these transmissions and extract sensitive information, such as device serial numbers.

Affected Software

VendorProductVersion RangeStatus
MedtronicMMT- 508 - MiniMed pumpAll versionsaffected
MedtronicMMT – 511 pump ParadigmAll versionsaffected
MedtronicMMT – 512 / MMT – 712 Paradigm x12All versionsaffected
MedtronicMMT – 515 / MMT – 715 Paradigm x15All versionsaffected
MedtronicMMT – 522 / MMT – 722 Paradigm REAL-TIMEAll versionsaffected
MedtronicMMT – 522(K) / MMT – 722(K) Paradigm REAL-TIMEAll versionsaffected
MedtronicMMT – 523 / MMT – 723 Paradigm RevelAll versionsaffected
MedtronicMMT – 523(K) / MMT – 723(K) ParadigmAll versionsaffected
MedtronicMMT – 554 / MMT – 754 MiniMed VeoAll versionsaffected
MedtronicMMT – 551 / MMT – 751 MiniMed 530GAll versionsaffected

Weaknesses

  • CWE-319: CWE-319 Cleartext Transmission of Sensitive Information

Workarounds

The remote option is turned off in the pump by default.  

Medtronic is directing all users to stop using their remote controllers, disable the remote option on their insulin pump, and to return the remote controllers to Medtronic.

Medtronic has released additional patient focused information https://www.medtronic.com/security .

Additionally, Medtronic will be sending a letter to patients who may still be actively using the remotes in order to inform patients about these security risks, and request patients stop using the remote and return them to Medtronic.

ADP Enrichment

CVE Program Container

Additional References

References