A flaw in Medtronic MyCareLink could allow an attacker to take over an implanted heart device

Experts report that Medtronic’s MyCareLink Smart 25000 Patient Reader product contains flaws that can be exploited to control paired heart devices.
Experts at Internet of Things security firm Sternum have discovered vulnerabilities in Medtronic’s MyCareLink Smart 25000 Patient Reader product that can be used to control paired heart devices.

MyCareLink Smart 25000 Patient Reader is a platform designed by Medtronic to collect data from patients' implanted heart devices and transfer it to the Medtronic CareLink network.

The vulnerabilities (CVE-2020-25183, CVE-2020-25187, CVE-2020-27252) can only be exploited by an attacker within Bluetooth range of the product.

Experts found three flaws that could be used to modify or falsify data received from implanted heart devices. These defects can also enable a remote attacker to control the paired heart device and execute arbitrary code on the MCL Smart Patient Reader.

CVE-2020-25183 is an improper authentication issue that could be used by an attacker to bypass authentication between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app.

“Using this vulnerability, an attacker could use another mobile device or a malicious app on the patient’s smartphone to authenticate to the patient’s Medtronic Smart Reader, making the device think it was communicating with the original Medtronic smartphone app when operating within Bluetooth communication range,” reads the advisory published by DHS CISA.

The second vulnerability, CVE-2020-25187, is a heap-based buffer overflow that an authenticated attacker can use to execute code remotely on an MCL Smart Patient Reader.

The affected product is vulnerable when an authenticated attacker runs a debug command, which can be sent to the patient reader and cause a heap overflow event within the MCL Smart Patient Reader software stack. The heap overflow can allow the attacker to execute code remotely on the MCL Smart Patient Reader, which could lead to control of the device.

The third vulnerability, CVE-2020-27252, is a race condition that allows unsigned firmware to be uploaded and executed on the Patient Reader. An attacker could exploit the flaw to remotely execute code and take over the device.

“Affected products are vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited, an attacker could remotely execute code on the MCL Smart Patient Reader device to gain control of the device,” the advisory states.
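One common form of update-system race is a check-then-reread path. The following is an added, simplified C model of that bug class beside a hardened variant; it is not Medtronic's code and does not describe how the actual flaw works, which this page does not detail. All names, the `SIGNED:` tag standing in for a real signature check, and the sample images are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FW_MAX 64

/* Shared staging area the sender can still write to (hypothetical). */
static uint8_t staging[FW_MAX], installed[FW_MAX];
static size_t staging_len, installed_len;
/* Hook modelling a write that lands between check and use. */
static void (*concurrent_write)(void);

/* Constructed stand-in for a real cryptographic signature check. */
static int verify_image(const uint8_t *img, size_t len) {
    return len >= 7 && memcmp(img, "SIGNED:", 7) == 0;
}

void stage(const char *s) {
    size_t n = strlen(s);
    staging_len = n > FW_MAX ? FW_MAX : n;
    memcpy(staging, s, staging_len);
}

void swap_in_unsigned(void) { stage("UNSIGNED-IMAGE"); }

/* Racy: verifies the shared buffer, then reads it again to install. */
int install_racy(void) {
    if (!verify_image(staging, staging_len)) return -1;
    if (concurrent_write) concurrent_write();   /* window between check and use */
    installed_len = staging_len;
    memcpy(installed, staging, installed_len);
    return 0;
}

/* Hardened: copy once to private memory, verify and install that copy. */
int install_snapshot(void) {
    uint8_t priv[FW_MAX];
    size_t n = staging_len;
    memcpy(priv, staging, n);
    if (concurrent_write) concurrent_write();   /* later writes no longer matter */
    if (!verify_image(priv, n)) return -1;
    installed_len = n;
    memcpy(installed, priv, n);
    return 0;
}

int installed_is_verified(void) { return verify_image(installed, installed_len); }
```

With `concurrent_write` set to `swap_in_unsigned`, `install_racy()` reports success while the installed bytes fail verification; `install_snapshot()` installs only the bytes it verified.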

Medtronic addressed the flaws by releasing a firmware update that can be applied by updating the MyCareLink Smart app through the associated mobile app store.

At the time of the advisory, Medtronic was not aware of any attacks in the wild that had been carried out using the defects.