Medtronic MyCareLink Patient Monitor
Score: 6.4
Advisory: ICS-CERT ICSMA-18-179-01
Published: Jun 28, 2018
Attack Vector: Physical
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The MyCareLink Monitor (models 24952 and 24950) contains vulnerabilities (CWE-259 hardcoded credentials, CWE-749 improper control of interaction frequency) that could allow privileged access to the monitor's operating system with physical access. Additionally, when operated in close proximity to implantable cardiac devices (pacemakers, defibrillators), the monitor can read and write arbitrary memory values in those devices. Medtronic has stated rolling over-the-air updates will mitigate these issues through standard automatic update processes and has increased security monitoring of affected infrastructure.
What this means
What could happen
An attacker with physical access to the MyCareLink monitor could gain privileged control of the device's operating system and read or modify memory values in nearby implantable cardiac devices, potentially altering pacemaker or defibrillator settings or stopping device operation.
Who's at risk
Healthcare organizations using Medtronic MyCareLink Patient Monitors (models 24952 and 24950) for remote monitoring of implantable cardiac devices (pacemakers and defibrillators). This affects hospital cardiac care units, outpatient cardiology clinics, and home monitoring programs that depend on these devices for patient surveillance.
How it could be exploited
An attacker would need to physically access the MyCareLink monitor and exploit hardcoded credentials or weak authentication to gain privileged access to the operating system. Once inside, they could then exploit proximity-based wireless communication with implantable cardiac devices to read or write arbitrary memory values, altering device settings or functionality.
Prerequisites
- Physical access to the MyCareLink monitor
- Monitor must be in close physical proximity to an implantable cardiac device (pacemaker or defibrillator) to exploit device memory
- Knowledge of exploitation technique for hardcoded or weak credentials (CWE-259)
- Hardcoded or default credentials (CWE-259)
- Affects safety-critical implantable medical devices
- No patch currently available for all versions
- Requires physical access to exploit (moderate barrier)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
Fix status: 2 pending
Product                    | Affected Versions | Fix Status
24952 MyCareLink Monitor   | All versions      | No fix yet
24950 MyCareLink Monitor   | All versions      | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Restrict physical access to MyCareLink monitors to authorized clinical staff only; store devices in locked, secure locations when not in use
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Apply Medtronic over-the-air security updates when available as part of standard device update processes
- HARDENING: Monitor Medtronic security advisories and patient communications for specific update timelines and guidance
Long-term hardening
- HARDENING: Review and audit access logs for MyCareLink monitors to detect unauthorized physical access attempts
CVEs (2)
API:
/api/v1/advisories/49ae3685-6a30-4fdd-8e4a-c7b854c3c24b