Security company researchers IoT Sternum discovered three vulnerabilities in the product MyCareLink Smart 25000 Patient Reader Medtronic, which could be exploited by hackers to control heart devices. Having been designed to receive information from the implanted cardiac device of a patient, the MCL Smart Patient Reader sends the data on network Medtronic CareLink to facilitate care management through the patient's mobile device.
Hackers could exploit these vulnerabilities to modify or reconstruct data transmitted from implanted patient heart devices to the CareLink network. In addition, they could remotely execute code in the MCL Smart Patient Reader and take control of a heart device. To exploit these vulnerabilities, however, hackers must be within the Bluetooth range of the vulnerable product.
Η first vulnerability located as CVE-2020-25183 and has received severity score 8/10, is a control protocol issue identity which allows an attacker to bypass the authentication method between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile application.
CISA states in a consultation that this vulnerability allows an attacker to use another mobile device or malware application on smartphone of the patient for authentication in the patient's Medtronic Smart Reader, "tricking" the device into communicating with the authentic Medtronic smartphone application when running within communication range Bluetooth.
Η second vulnerability located as CVE-2020-25187 and has received severity score 8,8/10, is triggered when an attacker executes a debug command sent to Patient Reader. This could allow remote execution code, and take control of the device.
Η third vulnerability located as CVE-2020-27252 and has also received severity score 8,8/10, could be used for upload and unsigned execution firmware in the Patient Reader product. This could allow an attacker to execute remote code and take control of the device.
Medtronic has already released a firmware update for vulnerabilities, which can be implemented through the MyCareLink Smart application, through the relevant mobile app store. Updating the application (version 5.2.0 or later) also ensures that the Patient Reader is automatically updated the next time you use it. The company also published detailed details on how to apply the update.
As additional mitigation steps, Medtronic has implemented technology Sternum enhanced validation integrity (EIV) and advanced detection system technology, which allows it to detect vulnerabilities and monitor abnormalities in the operation of the device.
Finally, Medtronic pointed out that so far no unauthorized access to patient data and no harm to patients as a result of these vulnerabilities.