Three high-severity vulnerabilities (CVSS v3 base scores of 8.0 to 8.8) have been found in Medtronic MyCareLink (MCL) Smart Patient Readers. Chained together, they could let an attacker read protected health information, modify or fabricate the patient data the reader uploads, and run code on the reader that could be used to control the paired implanted cardiac device.
The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an improper-authentication flaw in the protocol used between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app, which can be bypassed. An attacker using another mobile device, or a malicious app installed on the patient's own smartphone, could authenticate to the patient's MCL Smart Patient Reader and trick it into believing it is communicating with the legitimate smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.
The second flaw is a heap-based buffer overflow in the MCL Smart Patient Reader software stack that an authenticated attacker can trigger by running a debug command. Successful exploitation allows the attacker to execute code on the reader and potentially take control of the device. The "authenticated" precondition is not much of a barrier, since the authentication bypass above supplies it. The vulnerability is tracked as CVE-2020-25187 and has been assigned a CVSS v3 base score of 8.8 out of 10.
The devices are also vulnerable to a time-of-check/time-of-use race condition in the software update system, which could be exploited to upload and execute unsigned firmware on the Patient Reader. Because the update path accepts firmware that was never validly signed, this vulnerability also allows execution of arbitrary code on the MCL Smart Patient Reader and could give an attacker persistent control of the device. The flaw is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.
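The pattern behind an update-system race of this class is worth seeing in code: the updater verifies the staged image at one moment and reads it back from the same path at a later moment, so an attacker who replaces the file in between gets unverified firmware flashed. The following is an added, constructed illustration of that class and its fix; it is not Medtronic's or Sternum's code, says nothing about how the actual reader's updater was implemented, and uses an HMAC tag (key `SIGNING_KEY`, helpers `sign_image`/`verify_image`) as a stand-in for the vendor's real signature scheme. The `between` callback models the attacker winning the race deterministically, and the `Flash` class records what each updater actually programmed.

```python
"""Verify-by-path then load-by-path (TOCTOU) beside a verify-the-bytes-you-flash
updater. Constructed example; not the device's real update code."""
import hashlib
import hmac
import os
import tempfile
from typing import Callable

# Stand-in for the vendor signing key. Real firmware uses asymmetric
# signatures; an HMAC keeps the example self-contained while preserving the
# check-then-use structure that the race depends on.
SIGNING_KEY = b"constructed-demo-signing-key"
TAG_LEN = 32  # SHA-256 digest length; constructed image = payload || tag


def sign_image(payload: bytes) -> bytes:
    """Append a MAC tag to a firmware payload (constructed image format)."""
    return payload + hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def verify_image(image: bytes) -> bool:
    """True only if the trailing tag matches the payload it covers."""
    if len(image) <= TAG_LEN:
        return False
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


class Flash:
    """Fake flash region: remembers what the updater actually programmed."""

    def __init__(self) -> None:
        self.contents = b""

    def program(self, payload: bytes) -> None:
        self.contents = payload


def vulnerable_update(path: str, flash: Flash, between: Callable[[], None]) -> bool:
    """Time of check: verify the file at `path`. Time of use: open the path
    AGAIN and program whatever is there now. The attacker acts in between."""
    with open(path, "rb") as f:
        if not verify_image(f.read()):
            return False
    between()                          # attacker swaps the staged file here
    with open(path, "rb") as f:        # re-read from the path: the bug
        image = f.read()
    flash.program(image[:-TAG_LEN])    # tag is never checked on this copy
    return True


def hardened_update(path: str, flash: Flash, between: Callable[[], None]) -> bool:
    """Read once, verify that buffer, program that same buffer. A swap on
    disk after verification cannot change what gets flashed."""
    with open(path, "rb") as f:
        image = f.read()
    if not verify_image(image):
        return False
    between()                          # attacker swaps the file: no effect
    flash.program(image[:-TAG_LEN])
    return True


def demo(updater: Callable[[str, Flash, Callable[[], None]], bool]) -> bytes:
    """Stage a validly signed image, let the attacker replace it with an
    unsigned one between check and use, and return what was flashed."""
    good = sign_image(b"GOOD_FIRMWARE_v5.2")
    evil = b"EVIL_UNSIGNED_FIRMWARE" + b"\x00" * TAG_LEN  # bogus tag
    with tempfile.TemporaryDirectory() as d:
        staged = os.path.join(d, "update.bin")
        rogue = os.path.join(d, "rogue.bin")
        with open(staged, "wb") as f:
            f.write(good)
        with open(rogue, "wb") as f:
            f.write(evil)
        flash = Flash()
        ok = updater(staged, flash, lambda: os.replace(rogue, staged))
        return flash.contents if ok else b""


if __name__ == "__main__":
    print("vulnerable flashed:", demo(vulnerable_update))
    print("hardened flashed:  ", demo(hardened_update))
```

The fix is not "verify faster"; it is to make the verified object and the used object the same object. In a real bootloader that means hashing the exact buffer (or flash staging region) that will be executed, and never re-deriving it from a path or a mutable staging area after the check.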
The vulnerabilities were identified by researchers at the Israeli firm Sternum; researchers at UC Santa Barbara, the University of Florida, and the University of Michigan independently identified the improper-authentication vulnerability.
The weaknesses were reported to Medtronic, which released an update to fix them. The reader firmware update is delivered through the MyCareLink Smart app: updating the app to version 5.2 via the associated mobile application store ensures the reader is patched on its next use. The updated app requires iOS 10 or later or Android 6.0 or later, so a reader paired to a phone that cannot run those versions will not receive the fix.
Users have also been advised to maintain strong physical control over their home monitors and to use them only in private environments, since the authentication bypass needs an attacker within Bluetooth range or on the patient's phone. Patients should only use home monitors obtained directly from their healthcare provider or a Medtronic representative.
Medtronic has also deployed Sternum's enhanced integrity validation (EIV) technology on the device, which the two companies say detects and mitigates attempts to exploit known vulnerabilities at runtime.