Medtronic MiniMed MMT-500/MMT-503 Remote Controllers (Update A)
Monitor · 5.3 · ICS-CERT ICSMA-18-219-02 · Aug 7, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The MMT-500 and MMT-503 remote controllers for Medtronic insulin pumps are vulnerable to wireless communication replay attacks. An attacker with the ability to capture wireless communications between the remote and pump could replay those signals to trigger unwanted insulin bolus (dose) delivery. The remote option is disabled by default on the pumps. Affected devices include various Paradigm, MiniMed, and Paradigm Revel pump models paired with these remotes. No firmware patches are available for any affected pump model.
What this means
What could happen
An attacker within wireless range could replay captured remote commands to deliver unintended insulin doses to a patient wearing an affected pump. While the pump will alert the patient and allow suspension of the bolus, this vulnerability poses a risk to patient safety if exploited without the patient's knowledge.
Who's at risk
Patients using Medtronic insulin pumps with remote controllers, specifically those with Paradigm, Paradigm Revel, Paradigm REAL-TIME, and MiniMed pump models (including 530G and Veo versions) paired with MMT-500 or MMT-503 remotes. Affected patients include those with MMT-512, MMT-523, MMT-515, MMT-551, MMT-508, MMT-511, MMT-554, and MMT-522 pump variants. Healthcare providers managing diabetic patients on these pump systems should be aware of the vulnerability.
How it could be exploited
An attacker would need to capture wireless communications between an active remote controller and its paired pump, then replay those captured signals from within wireless range of the pump. The pump must have the remote option enabled (non-default configuration) for this to succeed. The attacker does not need authentication credentials, only proximity to the wireless signal and a device capable of capturing and replaying the wireless protocol.
Prerequisites
- Wireless proximity to the insulin pump (typically short-range radio communication)
- Remote delivery option must be enabled on the pump (non-default configuration)
- Ability to capture and replay wireless communications in the pump's protocol
- No authentication or credentials required
Tags: Remotely exploitable · Low attack complexity · Affects medical devices · No patch available · Wireless protocol vulnerability
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (10)
10 EOL
Product | Affected Versions | Fix Status
MMT-503 Remote Controller: MMT-523 / MMT-723 Paradigm Revel | MMT-523 / MMT-723 Paradigm Revel | No fix (EOL)
MMT-503 Remote Controller: MMT-523(K) / MMT-723(K) Paradigm | MMT-523(K) / MMT-723(K) Paradigm | No fix (EOL)
MMT-503 Remote Controller: MMT-515 / MMT-715 Paradigm x15 | MMT-515 / MMT-715 Paradigm x15 | No fix (EOL)
MMT-503 Remote Controller: MMT-551 / MMT-751 MiniMed 530G | MMT-551 / MMT-751 MiniMed 530G | No fix (EOL)
MMT-500 Remote Controller: MMT-508 MiniMed pump | MMT-508 MiniMed pump | No fix (EOL)
MMT-503 Remote Controller: MMT-511 pump Paradigm | MMT-511 pump Paradigm | No fix (EOL)
MMT-503 Remote Controller: MMT-554 / MMT-754 MiniMed Veo | MMT-554 / MMT-754 MiniMed Veo | No fix (EOL)
MMT-503 Remote Controller: MMT-522 / MMT-722 Paradigm REAL-TIME | MMT-522 / MMT-722 Paradigm REAL-TIME | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable the remote option on all affected insulin pumps immediately
- WORKAROUND: Discontinue use of MMT-500 and MMT-503 remote controllers
Schedule — requires maintenance window
- Patching may require device reboot — plan for process interruption
- WORKAROUND: Return all MMT-500 and MMT-503 remote controllers to Medtronic
CVEs (2)