← back
CVE-2019-10964

Medtronic MiniMed 508 and Paradigm Series Insulin Pumps Improper Access Control

CVSS 7.1 HIGHEPSS 1.2%CWE-284
Medtronic MiniMed Insulin Pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Affected products
Medtronic · MiniMed 508 pumpMedtronic · MiniMed Paradigm 511 pumpMedtronic · MiniMed Paradigm 512/712 pumpsMedtronic · MiniMed Paradigm 515/715 pumpsMedtronic · MiniMed Paradigm 522/722 pumpsMedtronic · MiniMed Paradigm 522K/722K pumpsMedtronic · MiniMed Paradigm 523/723 pumpsMedtronic · MiniMed Paradigm 523K/723K pumpsMedtronic · MiniMed Paradigm 712E pumpMedtronic · MiniMed Paradigm Veo 554/754 pumpsMedtronic · MiniMed Paradigm Veo 554CM/754CM pumps

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed-508-paradigm.htmlhttps://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-178-01https://www.us-cert.gov/ics/advisories/icsma-19-178-01http://www.securityfocus.com/bid/108926