Serious vulnerabilities found in Medtronic MyCareLink medical devices


December 14, 2020

Serious vulnerabilities found in certain Medtronic MyCareLink medical devices would allow an attacker within Bluetooth signal proximity to modify or fabricate patient data.

The flaws are found in all versions of the MCL Smart Model 25000 Patient Reader, which is used to obtain information about an implanted cardiac device and transmits it to the Medtronic CareLink network through the patient's mobile device to assist with care management processes. The flaws were discovered by IoT security firm Sternum and a team of researchers from the University of California Santa Barbara, University of Florida, and University of Michigan. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that the vulnerabilities in certain Medtronic MyCareLink (MCL) medical devices could potentially impact patient data.

The vulnerabilities include:

  • The authentication method used for the MCL Smart Patient Reader and the Medtronic MyCareLink Smart Mobile app is vulnerable to bypass.

The vulnerability enables an attacker within range of Bluetooth communication to use another mobile device or a malicious application on the patient's smartphone to authenticate to the patient's Medtronic Smart Reader, tricking the device into believing it is communicating with the original Medtronic smartphone application. This can lead to exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even allowing them to execute arbitrary code.

  • An authenticated hacker could send a debug command to the patient reader that causes a heap overflow event within the MCL Smart Patient Reader software stack.

As a result of the heap overflow, an attacker would be able to remotely execute code on the MCL Smart Patient Reader, and potentially gain control of the medical device.

  • A race condition in the MCL Smart Patient Reader software update system allows unsigned firmware to be uploaded to and executed on the Patient Reader.

A hacker could again remotely execute code on the MCL Smart Patient Reader device and gain control of the device.

If hackers are within Bluetooth range and exploit all three flaws together, CISA warned, they could modify or fabricate data from the implanted cardiac device when it is uploaded to the CareLink Network.

Medtronic is currently unaware of any privacy breach, cyberattack, or patient harm as a result of the vulnerabilities. Patients can address these issues by updating their MyCareLink Smart application with a Medtronic firmware update, which will eliminate the flaws from the impacted devices (v5.2).

Medtronic also implemented Sternum's enhanced integrity validation (EIV) tool, designed to provide early detection and real-time mitigation of known vulnerabilities, and Sternum's advanced detection system, providing de-identified device-level logging and monitoring of all device activity and anomalous behavior.

In February, Medtronic also issued a series of patches for certain implanted cardiac devices and related CareLink Encore 29901 programmers.

Click here for more information on this issue:

CISA Alert Details