CVE-2018-14781
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Medtronic MiniMed MMT
devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Medtronic | MMT- 508 - MiniMed pump | All versions | affected |
| Medtronic | MMT – 511 pump Paradigm | All versions | affected |
| Medtronic | MMT – 512 / MMT – 712 Paradigm x12 | All versions | affected |
| Medtronic | MMT – 515 / MMT – 715 Paradigm x15 | All versions | affected |
| Medtronic | MMT – 522 / MMT – 722 Paradigm REAL-TIME | All versions | affected |
| Medtronic | MMT – 522(K) / MMT – 722(K) Paradigm REAL-TIME | All versions | affected |
| Medtronic | MMT – 523 / MMT – 723 Paradigm Revel | All versions | affected |
| Medtronic | MMT – 523(K) / MMT – 723(K) Paradigm | All versions | affected |
| Medtronic | MMT – 554 / MMT – 754 MiniMed Veo | All versions | affected |
| Medtronic | MMT – 551 / MMT – 751 MiniMed 530G | All versions | affected |
Weaknesses
- CWE-294: CWE-294 Authentication Bypass by Capture-replay
Workarounds
The remote option is turned off in the pump by default.
Medtronic is directing all users to stop using their remote controllers, disable the remote option on their insulin pump, and to return the remote controllers to Medtronic.
Medtronic has released additional patient focused information https://www.medtronic.com/security .
Additionally, Medtronic will be sending a letter to patients who may still be actively using the remotes in order to inform patients about these security risks, and request patients stop using the remote and return them to Medtronic.
ADP Enrichment
CVE Program Container
Additional References
References
- https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed.html
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02
- http://www.securityfocus.com/bid/105044
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.