ICSMA-20-345-01  ·  Published 2020-12-08

Medtronic MyCareLink Smart

CVSS 8.8 HIGH

Risk Summary

Successful exploitation of these vulnerabilities together could result in the attacker being able to modify or fabricate data from the implanted cardiac device being uploaded to the CareLink Network and remotely execute code on the MCL Smart Patient Reader device, which could allow control of a paired cardiac device. The exploitation must be initiated within Bluetooth signal proximity of the vulnerable product. Medtronic is currently unaware of any cyberattack, privacy breach, or patient harm as a result of these vulnerabilities.

Remediations

  • A firmware update to eliminate these vulnerabilities has been developed by Medtronic and is available by updating the MyCareLink Smart app via the associated mobile application store. Upgrading to the latest v5.2 mobile application version will ensure the Patient Reader is also updated on next use. The user's smartphone must be updated to the following operating system version for the patches to be applied: iOS 10 and above; Android 6.0 and above.
  • Medtronic has released additional patient-focused information: https://www.medtronic.com/xg-en/product-security/security-bulletins.html
  • In response to these vulnerabilities, Medtronic has applied additional controls for monitoring and responding to improper use of the MCL Smart Patient Reader:
  • Medtronic recommends that users take additional defensive measures to minimize risk. Specifically, users should:
      • Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative.

Affected Vendors

Medtronic

Affected Products (1)

Medtronic · Smart Model 25000 Patient Reader vers:all/*

Affected Sectors

Healthcare and Public Health
