ICSMA-18-219-01  ·  Published 2026-05-07

Medtronic MyCareLink 24950 Patient Monitor (Update A)

CVSS 6.8 MEDIUM

Risk Summary

Successful exploitation of these vulnerabilities may allow an attacker with physical access to obtain per-product credentials that are utilized to authenticate data uploads and encrypt data at rest. Additionally, an attacker with access to a set of these credentials and additional identifiers can upload invalid data to the Medtronic CareLink network.

Remediations

  • Medtronic has made server-side updates to address the insufficient verification vulnerability identified in this advisory. Medtronic is implementing additional server-side mitigations to enhance data integrity and authenticity.
  • Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:
      • Maintain good physical control over the home monitor.
      • Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system.
  • Medtronic has released additional patient-focused information at the following location: https://www.medtronic.com/security
  • Users should follow CISA's guidance in the following areas:
      • Securing the Internet of Things
      • Home Network Security

Affected Vendors

Medtronic

Affected Products (2)

Medtronic · 24950 MyCareLink Monitor vers:all/*
Medtronic · 24952 MyCareLink Monitor vers:all/*

Affected Sectors

Healthcare and Public Health
