Developers: Medtronic
Branches: Pharmaceuticals, medicine, healthcare
MyCareLink Patient Monitor is a line of devices for remotely monitoring the condition of patients.
With the MyCareLink monitor, patients can transfer diagnostic data from their device to medical specialists for review and analysis on their own, without waiting in line to see a doctor.
Such a scheme saves both the patient and the doctor time, allowing timely identification of situations requiring medical intervention and providing assistance to those who really need it. At the same time, regular monitoring of patients is provided and queues are reduced.
2020: Detection of vulnerabilities associated with the patient monitor
In early December 2020, the US Department of Homeland Security warned of cyber-vulnerabilities associated with the MyCareLink patient monitor manufactured by Medtronic. It became known that hackers can easily hack these devices and change the data being read, thereby harming the patient.
According to the report, Medtronic's MyCareLink (MCL) Smart Model 25000 patient monitoring device is potentially vulnerable because of authentication errors, a buffer overflow, and a time-of-check/time-of-use race condition. An attacker who exploits the identified vulnerabilities will be able to modify or fabricate data that normally comes from an implanted cardiac device on the CareLink network. In addition, the attacker will be able to remotely execute arbitrary code on the MCL Smart monitoring device, which will allow direct control of the paired cardiac device.
The vulnerabilities can only be exploited over Bluetooth from close proximity to the device. Medtronic has not yet identified any such cyber attacks and has not heard of privacy violations connected with such cases. The company has already developed a firmware update that fixes the vulnerabilities; it will be installed when the MyCareLink application is upgraded. However, to apply the patches, the user's smartphone must be updated to iOS 10 or above, or to Android 6.0 or above.
In addition, Medtronic has introduced controls to monitor for and respond to misuse of the smart device. Nevertheless, the company recommends that users not allow outsiders access to home monitors, use only home monitors received directly from the attending physician or a Medtronic representative, and upgrade the smartphone's operating system to the latest available version.[1]
2018: Dangerous vulnerabilities in MyCareLink models 24950 and 24952
On August 8, 2018, it became known that two dangerous vulnerabilities had been found in Medtronic's MyCareLink Patient Monitor, medical equipment designed to monitor the condition of patients. Exploiting them can allow an attacker with physical access to obtain the credentials used on all devices for authenticating data uploads and encrypting data. Having obtained this data, the attacker will be able to upload incorrect information to the Medtronic CareLink network.
The first vulnerability, CVE-2018-10626, is associated with incorrect verification of data authenticity. The Medtronic device update service incorrectly authenticates the uploaded data, allowing an attacker to upload arbitrary information to the Medtronic CareLink network.
The second vulnerability, CVE-2018-10622, consists in a password being stored in a recoverable format. By exploiting this vulnerability, an attacker can authenticate to the network to encrypt local data.
The vulnerabilities reportedly affect all Medtronic MyCareLink 24950 and Medtronic MyCareLink 24952 models. As of August 8, the manufacturer had already released the corresponding fixes.[2]