Medtronic MiniMed Remote Controllers Recalled Because of Critical Cybersecurity Vulnerability

The Food and Drug Administration (FDA) has issued an alert to users of Medtronic wireless insulin pumps regarding a critical security vulnerability affecting certain remote controllers.

MiniMed insulin pumps deliver insulin to help manage diabetes. The pumps have an optional remote controller that communicates wirelessly with the insulin pump. A security expert discovered a cybersecurity vulnerability in older remote controller models that use previous-generation technology; the flaw could potentially be exploited to cause problems for users of the pumps.

An unauthorized person could exploit the vulnerability to record and replay the wireless communication between the remote controller and the MiniMed insulin pump. Using specialized equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the pump instructing it to over-deliver insulin to the patient or to stop insulin delivery. Over-delivering insulin can cause dangerously low blood sugar levels, and halting insulin delivery can result in diabetic ketoacidosis and possibly death.

Medtronic MiniMed 508 insulin pumps and the MiniMed Paradigm family of insulin pumps were already the subject of a product recall. Cybersecurity problems identified earlier in the pumps cannot be sufficiently mitigated through updates or patches.

The most recent security problem has led Medtronic to expand the product recall, which now includes all MiniMed Remote Controllers (models MMT-500 and MMT-503) used with the Medtronic MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.

Medtronic has not produced or distributed the vulnerable remote controllers since July 2018, but certain patients, healthcare providers, and caregivers still use the devices.

The recall is classified as Class 1, the most critical category, because the problems with the remote controllers can cause major harm or loss of life. The FDA states there have been no reported instances of exploitation of the vulnerabilities in the devices that led to patient injury.

The FDA states that users should immediately stop using the affected remote controller, disable the easy bolus feature, turn off the radio frequency function, delete all remote controller IDs programmed into the pump, disconnect the remote controller from the insulin pump, and return the remote controller to Medtronic.