
Vulnerability in Medtronic insulin pumps allows hacking devices


Medtronic and the US government have warned that some Medtronic MiniMed insulin pumps are vulnerable to cyber attacks.

Medtronic and the United States government have warned of a security vulnerability affecting some Medtronic MiniMed insulin pumps that could be exploited by hackers.

The Department of Homeland Security (DHS), Medtronic, and the Food and Drug Administration (FDA) have published a press release about a high-severity flaw affecting insulin pump models in the MiniMed 508 and Paradigm series.

The flaw, tracked as CVE-2019-10964, is an improper access control issue that could be exploited by an attacker with adjacent access to one of the vulnerable insulin pumps to interfere with the wireless RF (radio frequency) communications to or from the product.

An attacker can exploit the flaw to inject, replay, modify, and/or intercept data; the flaw could also allow hackers to change pump settings and control insulin delivery.

“Successful exploitation of this vulnerability may allow an attacker with adjacent access to one of the affected products to intercept, modify, or interfere with the wireless RF (radio frequency) communications to or from the product,” reads the security advisory published by the US-CERT. “This may allow attackers to read sensitive data, change pump settings, or control insulin delivery.”

According to the FDA, Medtronic has identified 4,000 patients in the U.S. who are potentially using insulin pumps affected by the flaw.

The company is providing alternative insulin pumps to patients; these devices implement enhanced cybersecurity capabilities.

The vulnerability was discovered by Medtronic after security experts conducted some studies on these types of devices. The experts who conducted the research are Nathanael Paul, Jay Radcliffe, Barnaby Jack, Billy Rios, Jonathan Butts and Jesse Young.

The vulnerable insulin pumps communicate over wireless RF with other devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices.

Experts discovered that the wireless RF communication protocol does not properly implement authentication or authorization.
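To illustrate what authentication, authorization and replay protection on a radio link involve, here is an added example that is not part of the original article or of any Medtronic code. The frame layout (sender id, counter, command, payload, truncated HMAC tag), the class names, the command value and the keys are all assumptions constructed for illustration; a legacy receiver that acts on any well-formed frame is shown next to one that rejects unpaired senders, modified frames and replays.

```python
import hmac, hashlib, struct
TAG_LEN = 8                      # truncated HMAC-SHA256 tag (constructed choice)
HDR = struct.Struct(">IIB")      # sender id, counter, command (hypothetical layout)

def build_frame(key, sender_id, counter, command, payload=b""):
    """Serialize a frame and append a MAC computed over header + payload."""
    body = HDR.pack(sender_id, counter, command) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class LegacyReceiver:
    """Models the weakness described above: any well-formed frame is acted on."""
    def accept(self, frame):
        return len(frame) >= HDR.size + TAG_LEN  # no sender, MAC or freshness check

class HardenedReceiver:
    """Checks authorization (paired sender), authenticity (MAC) and freshness."""
    def __init__(self, paired):
        self.paired = dict(paired)   # sender id -> shared key set at pairing
        self.last_counter = {}       # sender id -> highest counter accepted

    def accept(self, frame):
        if len(frame) < HDR.size + TAG_LEN:
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        sender_id, counter, _cmd = HDR.unpack_from(body)
        key = self.paired.get(sender_id)
        if key is None:
            return "unauthorized-sender"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "bad-mac"
        if counter <= self.last_counter.get(sender_id, -1):
            return "replay"
        self.last_counter[sender_id] = counter
        return "ok"

def demo():
    key = b"k" * 32                                  # constructed pairing key
    rx = HardenedReceiver({0x1001: key})
    good = build_frame(key, 0x1001, 1, 0x20, b"\x05")
    tampered = good[:HDR.size] + b"\x50" + good[HDR.size + 1:]  # payload altered
    foreign = build_frame(b"x" * 32, 0x2002, 1, 0x20, b"\x05")  # unpaired sender
    frames = (good, good, tampered, foreign)         # second 'good' is a replay
    return [rx.accept(f) for f in frames], [LegacyReceiver().accept(f) for f in frames]

if __name__ == "__main__":
    print(demo())
```

The MAC check runs before the counter check so that a forged frame cannot advance or probe the receiver's replay state.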

“The vulnerability allows a potential attacker with special technical skills and equipment to potentially send radiofrequency (RF) signals to a nearby insulin pump to change settings, impacting insulin delivery. This change could result in a patient experiencing hypoglycemia (if additional insulin is delivered) or hyperglycemia (if not enough insulin is delivered),” reads the advisory published by Medtronic.

The good news is that Medtronic is not aware of attacks in the wild.

Patients in the US using the vulnerable insulin pumps are urged to contact their healthcare provider to discuss replacing the devices with a newer model.

For individuals living outside the US, where newer pump models are not available, the vendor suggests customers adopt mitigations to prevent cyberattacks.

“Medtronic is unable to adequately update the MiniMed 508 and Paradigm insulin pumps with any software or patch to address the devices’ vulnerabilities,” concludes the FDA. “The FDA is working to assure that Medtronic addresses this cybersecurity issue, including helping patients with affected insulin pumps switch to newer models with better cybersecurity controls.”


Pierluigi Paganini

(SecurityAffairs – Medtronic, hacking)
