OTPulse

Medtronic MyCareLink Smart

Plan: Patch
Severity score: 8.8
ICS-CERT advisory: ICSMA-20-345-01
Published: Dec 8, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Multiple vulnerabilities (CWE-287 authentication, CWE-122 memory bounds, CWE-367 race condition) in the Medtronic MyCareLink Smart Patient Reader allow an attacker within Bluetooth proximity to modify data from implanted cardiac devices or execute remote code on the patient reader. Successful exploitation could allow control of a paired cardiac device. The attack requires proximity but no authentication. Medtronic is unaware of actual exploitation or patient harm to date.

What this means
What could happen
An attacker within Bluetooth range could modify data transmitted from an implanted heart device or remotely execute commands on the patient's mobile reader, potentially allowing them to alter heart device settings or control its operation.
Who's at risk
Patients using Medtronic MyCareLink Smart Patient Reader devices and the associated mobile app for remote monitoring of implanted cardiac devices (pacemakers, defibrillators, etc.). Healthcare providers and clinical staff who manage patients with these devices should ensure patient guidance is provided for timely updates.
How it could be exploited
An attacker with Bluetooth proximity to the MyCareLink Smart Patient Reader can exploit weak authentication or memory safety flaws to intercept or fabricate device data being sent to the CareLink Network. The attacker could then execute code on the reader app itself, potentially gaining control over the paired cardiac device's behavior.
Prerequisites
  • Bluetooth signal proximity to the vulnerable MyCareLink Smart Patient Reader (within typical Bluetooth range, roughly 30–100 feet)
  • No valid credentials required; exploitation does not require authentication
  • Patient reader device with MyCareLink Smart mobile application version older than v5.2
Tags
  • Remotely exploitable via Bluetooth
  • No authentication required
  • Affects safety-critical medical device
  • Low exploitation complexity
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
Product: Smart Model 25000 Patient Reader
Affected Versions: All versions
Fix Status: MyCareLink Smart mobile application v5.2 or later
Remediation & Mitigation
Do now
  • HARDENING: Review the Medtronic security bulletin for additional defensive measures and monitoring recommendations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update the MyCareLink Smart mobile application to v5.2 or later via the iOS App Store (iOS 10 or above) or Google Play (Android 6.0 or above)
  • HOTFIX: Ensure the patient's smartphone meets the minimum OS requirements: iOS 10+ or Android 6.0+