ICS-CERT has given an announcement concerning two vulnerabilities recently discovered in Medtronic MyCareLink patient monitors. Patients who have implantable cardiac devices use these devices to send the data of their heart rhythm directly to their physicians. The patients monitors are built with safety controls and transfer data over a protected Web connection, however, there’s a potential risk that a malicious actor might exploit the vulnerabilities to access the devices’ operating system.
The vulnerabilities discovered are existent on all models of 24950 and 24952 MyCareLink patient monitors. It was Peter Morgan, a security researcher of Clever Security, who discovered the vulnerabilities and reported them to NCCCIC. The vulnerabilities are:
- CWE-259 / CVE-2018-8870 is a hard-coded password vulnerability with a CVSS v3 score of 6.4.
- CWE-749 / CVE-2018-8868 is an open dangerous method of function vulnerability with a CVSS v3 score of 6.2.
Exploiting the hard-coded password vulnerability requires physical access to the device. When the case is removed, a malicious actor can hook up to the debug port and utilize the hard-coded password to access the operating system. The debug code in the device is utilized to test the operation of the communications interfaces, which include the interface between the implanted cardiac device and the monitor. The malicious actor could access the debug function after using the hardcoded password. Then he could read and write arbitrary memory values, but only if he is near the patient who has the implanted cardiac device.
While it is possible to exploit the vulnerabilities, Medtronic believes that the risks of patient harm is sufficiently low. In order for the attacker to gain control, he must have physical access to the device and must be close to the patient as well. Remote access will not allow exploitation of the vulnerabilities. Medtronic is employing mitigations and will be providing automatic software upgrades to stop attackers from exploiting the vulnerabilities. The updates will be available together with the regular update process. Medtronic remarks that no case of the vulnerabilities being exploited has been received.
Patients can lessen the chance of exploitation of these vulnerabilities by maintaining good physical controls and making sure that no unauthorized persons can access their patient monitor. Medtronic also mentioned that there is a higher chance of exploitation with secondhand MyCareLink patient monitors and devices acquired from unofficial vendors. It is highly recommended to acquire MyCareLink patient monitors only from Medtronic or their health professionals. Regarding patient monitors that have suspicious behavior, please report it to your healthcare provider or Medtronic.