Today the DHS ICS-CERT published a medical device security
advisory for products from Medtronic. They also updated a previously published
medical device security advisory for products from the same company.
Medtronic Advisory
This advisory describes two vulnerabilities in the Medtronic MyCareLink Patient Monitor. The vulnerabilities were reported by Peter Morgan of Clever Security. Medtronic will be installing an automatic update to mitigate the vulnerabilities. There is no indication that Morgan has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Use of hard-coded password - CVE-2018-8870; and
• Exposed dangerous method or function - CVE-2018-8868.
The Medtronic advisory makes a very important point about these vulnerabilities in particular, one that carries a lesson for all medical devices:
“Medtronic encourages patients to
only use home monitors obtained directly from Medtronic or their clinician.
Patients should not use a pre-owned MyCareLink Patient Monitor or one that is purchased
secondhand or online. Monitors obtained through unofficial means are at an
increased risk for exploitation associated with the vulnerabilities identified.”
ICS-CERT reports that an uncharacterized attacker with physical access to the monitor could exploit these vulnerabilities to gain privileged access to the monitor's operating system.
Medtronic Update
This update provides new information on an advisory that was originally published on February 27th, 2018. The update includes:
• A change in format of the advisory;
• New information in the 'Risk Evaluation' section (formerly the 'Impact' section);
• Removal of the second and third paragraphs from the old 'Impact' section;
• Addition of a new vulnerability (Improper restriction of communication channel to intended endpoints - CVE-2018-10596); and
• Addition of a new workaround (disconnecting the programmer from the network).
The revised Medtronic advisory contains some information that does not entirely match up with the new information in the ICS-CERT update. Medtronic notes, for instance, that: "After issuing this advisory on Feb. 27, 2018, Medtronic was made aware of additional vulnerabilities [emphasis added] in the CareLink 2090 Programmer and its accompanying software deployment network." Since Medtronic does not name the 'vulnerabilities', it is possible that they have been lumped into the single new vulnerability listed in the ICS-CERT update.