Medtronic’s MyCareLink (MCL) Smart Model 25000 patient reader is potentially vulnerable to improper authentication, a heap-based buffer overflow and a time-of-check/time-of-use (TOCTOU) race condition, according to an advisory published by DHS.
Successful exploitation of the vulnerabilities could allow an attacker to modify or fabricate the data that the implanted cardiac device uploads to the CareLink network, and to remotely execute code on the MCL smart patient reader, which in turn could allow control of a paired cardiac device.
Exploitation must be initiated from within Bluetooth signal range of the vulnerable product. Medtronic says it is currently unaware of any cyberattack, privacy breach or patient harm resulting from the vulnerabilities.
Medtronic has developed a firmware update that eliminates the vulnerabilities; it is delivered by updating the MyCareLink Smart app. For the patches to be applied, the user’s smartphone must be running iOS 10 or later, or Android 6.0 or later.
Medtronic has also applied controls for monitoring and responding to improper use of the smart patient reader. The company recommends that users maintain good physical control over their home monitors, use only home monitors obtained directly from their healthcare provider or a Medtronic representative, and keep their phone’s operating system updated to the latest available version.