ICSMA-18-219-02
·
Published 2021-10-05
·
View on CISA ICS-CERT ↗
Medtronic MiniMed MMT-500/MMT-503 Remote Controllers (Update A)
CVSS 5.3
MEDIUM
Risk Summary
Successful exploitation of these vulnerabilities may allow an attacker to replay captured wireless communications and cause an insulin (bolus) delivery. This is only possible when non-default options are configured. Additionally, the pump will annunciate this by providing a physical alert, and the user has the capability to suspend the bolus delivery.
CVEs (2)
Remediations
- The remote option is turned off in the pump by default.
- Medtronic is directing all users to stop using their remote controllers, disable the remote option on their insulin pump, and to return the remote controllers to Medtronic.
- Medtronic has released additional patient focused information.
- Additionally, Medtronic will be sending a letter to patients who may still be actively using the remotes in order to inform patients about these security risks, and request patients stop using the remote and return them to Medtronic.
Affected Vendors
Medtronic
Affected Products (10)
Medtronic
·
MMT-503 Remote Controller
MMT-512 / MMT-712 Paradigm x12
Medtronic
·
MMT-503 Remote Controller
MMT-523 / MMT-723 Paradigm Revel
Medtronic
·
MMT-503 Remote Controller
MMT-523(K) / MMT-723(K) Paradigm
Medtronic
·
MMT-503 Remote Controller
MMT-515 / MMT-715 Paradigm x15
Medtronic
·
MMT-503 Remote Controller
MMT-551 / MMT-751 MiniMed 530G
Medtronic
·
MMT-500 Remote Controller
MMT-508 MiniMed pump
Medtronic
·
MMT-503 Remote Controller
MMT-511 pump Paradigm
Medtronic
·
MMT-503 Remote Controller
MMT-554 / MMT-754 MiniMed Veo
Medtronic
·
MMT-503 Remote Controller
MMT-522(K) / MMT-722(K) Paradigm REAL-TIME
Medtronic
·
MMT-503 Remote Controller
MMT-522 / MMT-722 Paradigm REAL-TIME
Affected Sectors
Healthcare and Public Health
Get alerted to advisories like this
OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.
Start free trial Learn more