"DHS CISA Alerts to Medtronic MyCareLink Medical Device Flaws"

The U.S. Homeland Security Department's Cybersecurity & Infrastructure Security Agency (CISA) released an alert about vulnerabilities found in Medtronic MyCareLink (MCL) medical devices. The vulnerabilities were discovered by the Internet of Things (IoT) security firm Sternum and a team of researchers from the University of California Santa Barbara, University of Florida, and the University of Michigan. The flaws impact all versions of the MCL Smart Model 25000 Patient Reader. This device is used to obtain information about a patient's implanted cardiac device and transmit the information through the patient's mobile device to the Medtronic CareLink network to assist in managing the patient's care. According to the researchers, the flaws stem from improper authentication, heap-based buffer overflow, as well as time-of-check or time-of-use race condition. The authentication method used by the MCL Smart Patient Reader and the Medtronic MyCareLink Smart Mobile app is vulnerable to being circumvented by attackers. One of the flaws could result in the exposure of resources or functionality, which could lead to unauthorized access to sensitive information or the execution of arbitrary code. This article continues to discuss the security flaws impacting the MCL Smart Patient Reader, how Medtronic has responded to this discovery, and the importance of vulnerability disclosures in the improvement of medical device security.

HealthITSecurity reports "DHS CISA Alerts to Medtronic MyCareLink Medical Device Flaws"