Medtronic Insulin Pump Devices Recalled Due to Serious RisksFDA Warns Exploitation of Security Flaw Could Cause Death
The Food and Drug Administration on Tuesday issued a warning notifying patients that medical device maker Medtronic has expanded a recall of remote controllers for certain wireless insulin pumps.
The FDA has classified the recall as "Class I" - the most serious type -because of issues that could result in serious injury or death, the agency warns.
The recalled remote controllers are used with either the Medtronic's MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps, due to potential cybersecurity risks, the FDA says.
In a security bulletin also issued Tuesday about the recall, Medtronic says an external security researcher identified a potential vulnerability related to the MiniMed Paradigm family of insulin pumps and corresponding remote controller.
"When used together, the Paradigm insulin pump and remote controller - similar to a key fob - allow a diabetes patient to easily self-deliver a bolus - a dose of insulin given by a pump - without physically accessing their insulin pump," Medtronic says.
"This enables users to discretely deliver a bolus around meals to help keep their blood glucose in range," the company says.
The researcher found, however, that an unauthorized individual in the same vicinity as the insulin pump user could potentially copy the wireless radio frequency signals emitted by the remote controller - while delivering a remote bolus - and play those back later to deliver a malicious dose of insulin to the pump user, the company says.
Exploiting the vulnerability "could instruct the pump to either over-deliver insulin to a patient, leading to low blood sugar - hypoglycemia - or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis, even death," the FDA warned.
The FDA says those affected by the recall include any person who uses the remote controller feature with either the MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.
Also affected are healthcare providers and caregivers who treat people with diabetes who use remote controllers associated with either the MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps, the FDA says.
"The remote controllers impacted by this issue are older models that use previous-generation technology," the FDA says. As of July 2018, Medtronic was no longer manufacturing or distributing these remote controllers, the agency notes.
The Department of Homeland Security's Cybersecurity Infrastructure and Security Agency also issued an updated advisory Tuesday about the Medtronic products vulnerabilities.
DHS says the vulnerabilities include cleartext transmission of sensitive information and authentication bypass by capture-replay.
Researchers Billy Rios, Jesse Young, and Jonathan Butts of Whitescope LLC reported the vulnerabilities to CISA, the advisory notes.
The Medtronic pumps were the subject of a previous recall due to a security issue (see: Certain Insulin Pumps Recalled Due to Cybersecurity Issues).
"Upon further review, Medtronic is now expanding the notification to all users who Medtronic believes may still be using the MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps and have purchased a remote controller, due to the potential, associated risks," Medtronic says.
"Users should immediately stop using and disconnect the remote controller, disable the remote feature, and return the remote controller to Medtronic," the manufacturer warns.
To date, the FDA says, it is not aware of any reports of patient harm related to these potential cybersecurity risks.