Medtronic Issues Recall of MiniMed Insulin Pumps Due to Vulnerability

Medtronic issued a recall affecting MiniMed 508 and Paradigm series insulin pumps. A vulnerability (CVE-2019-10964) in these pumps could allow an attacker with adjacent access to change the insulin pump’s settings by connecting wirelessly to the device. Though the vulnerability cannot be remotely exploited and requires a high skill level to exploit, the recall was issued because the pumps cannot receive updates. At the time of this writing, there have been no known public exploits targeting this vulnerability. Please see the Medtronic security bulletin for a complete listing of affected devices. The NJCCIC advises users to stay attentive to pump notifications, alarms, and alerts, and to maintain physical control of their pump and any attached devices. Additionally, users are encouraged to consider only using internet-connected devices that have the ability to receive updates. Medtronic recommends that users of the affected products consider upgrading to a newer insulin pump model with their healthcare provider. For technical details and mitigations, please see the ICS-CERT Medical Advisory and the FDA News Release.
