Medtronic Recalls Insulin Pump Remote Controllers Due to Cybersecurity Risks
Medtronic has recalled remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The affected devices were distributed between August 1999 and July 2018. The remote controller devices are vulnerable to a capture-replay attack, which could be used to alter the level of insulin the pump dispenses.
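To make the vulnerability class concrete, the following added example (not Medtronic's protocol or code; all frame formats, keys and values are constructed for illustration) models a remote-to-pump dose command in two forms: a bare command that a receiver cannot distinguish from a recorded copy, and the same command carried with a monotonic counter and an HMAC, so that a replayed or altered frame is rejected.

```python
import hashlib
import hmac

# Constructed demo key shared by remote and pump; not a real device secret.
KEY = b"constructed-demo-key-not-a-real-device-secret"

def naive_encode(units):
    """Weak design: the frame is just the dose. Nothing ties it to one send."""
    return units.to_bytes(2, "big")

class NaivePump:
    """Accepts every well-formed frame, so a captured frame works forever."""
    def __init__(self):
        self.doses = []
    def receive(self, frame):
        self.doses.append(int.from_bytes(frame, "big"))
        return True

class Remote:
    """Hardened sender: per-message counter, authenticated with HMAC-SHA256."""
    def __init__(self, key):
        self.key, self.counter = key, 0
    def encode(self, units):
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + units.to_bytes(2, "big")
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag

class CounterPump:
    """Hardened receiver: verifies the tag, then requires a strictly newer counter."""
    def __init__(self, key):
        self.key, self.last_counter, self.doses = key, 0, []
    def receive(self, frame):
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                      # altered or forged frame
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False                      # replay of an already-used frame
        self.last_counter = counter
        self.doses.append(int.from_bytes(body[4:], "big"))
        return True

def demo():
    """Replay one captured frame against each design and report the outcome."""
    naive = NaivePump()
    captured = naive_encode(3)
    naive.receive(captured)
    naive.receive(captured)                  # recorded copy accepted again
    remote, pump = Remote(KEY), CounterPump(KEY)
    frame = remote.encode(3)
    first, replayed = pump.receive(frame), pump.receive(frame)
    tampered = pump.receive(frame[:4] + (9).to_bytes(2, "big") + frame[6:])
    return {"naive_doses": naive.doses, "first": first, "replayed": replayed,
            "tampered": tampered, "hardened_doses": pump.doses}
```

The counter alone does not stop a frame from being held back and delivered later if nothing newer has been sent, which is why deployed designs typically pair it with a timestamp or a challenge from the receiver.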
This vulnerability was discovered, and the initial limited recall announced, back in 2018. I hope the Medtronic Board of Directors, especially the members of the Medtronic Board’s Quality Committee, read the opening line of the FDA medical device recall announcement: “The FDA has identified this as a Class I recall, the most serious type of recall. Use of these devices may cause serious injuries or death.” While the attack path is not simple, avoiding life-threatening vulnerabilities and the cost of product recalls should be pretty high on the Product Quality priority list, but does not seem to have been.
It is estimated that 31,000 devices need to be replaced. The balance between life-safety and security always comes down on the life-safety side. In the past, we’ve seen security flaws in medical devices which didn’t warrant this level of response; as exploitation of medical devices can be fatal, it is hoped that the threat of recalls like this will push suppliers to implement higher levels of security.
My biggest fear with medical devices is not cyber attackers targeting and exploiting these vulnerabilities, but some random malware accidentally infecting and spreading through medical devices, causing unintended havoc and harm. In the military we called this “collateral damage.”
Read more in:
Bleeping Computer: Medtronic urgently recalls insulin pump controllers over hacking concerns
Gov Infosecurity: Patient Safety Concerns Grow Over Medical Gear Security