This vulnerability is tracked as CVE-2019-10964 and has been assigned a score of 7.1 out of 10, designating it as a high severity vulnerability. The core of the vulnerability is improper access control when associating with other devices. The researchers state that the wireless RF communication protocol doesn’t properly implement authentication or authorization, two important factors that mediate network access. In computer security, authentication refers to the mechanism by which a device proves that it is a legitimate user, and authorization refers to the resources that the device is permitted to access. The researchers found that an attacker with sufficient access can inject, replay, alter, or interpret data from the vulnerable insulin pumps. Medtronic is urging patients affected by this vulnerability to talk to their healthcare provider about exchanging their insulin pump for a newer model with appropriate security measures.
While this exploit has not been seen in the real world and there are no known reports of patient harm resulting from it, there are precautions that users of wirelessly connected medical equipment can take to protect themselves. Ensuring that no one tampers with the medical device or other devices connected to it, refraining from sharing the serial number, noticing any alarms or alerts made by the device, and immediately canceling any unintended actions made by the medical device are all good steps to take. While it is always important for companies to implement proper security protocols in their devices, it’s even more important when there is the potential for serious harm to an end user, such as in the medical field. As more of these important systems become connected, the need for good security implementation grows.
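To make the distinction between authentication and authorization concrete, here is a sketch of a receiver that rejects injected, altered, and replayed frames and limits each paired sender to its own commands. It is an added example, not Medtronic's protocol or code from the researchers; the frame layout, sender ids, keys, and command names are all constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def build_frame(key, sender_id, counter, command):
    """Constructed layout: 4-byte sender id | 8-byte counter | command | 32-byte tag."""
    body = struct.pack(">IQ", sender_id, counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Hypothetical device-side receiver that checks every frame before acting."""

    def __init__(self, pairings):
        # pairings: sender_id -> (shared key, set of commands that sender may issue)
        self.pairings = pairings
        self.last_counter = {sender_id: 0 for sender_id in pairings}

    def accept(self, frame):
        if len(frame) < 12 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        sender_id, counter = struct.unpack(">IQ", body[:12])
        command = body[12:]
        if sender_id not in self.pairings:
            return "reject: unknown sender"
        key, permitted = self.pairings[sender_id]
        # Authentication: only a holder of the pairing key can produce this tag.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        # Replay protection: the counter must move strictly forward.
        if counter <= self.last_counter[sender_id]:
            return "reject: replay"
        self.last_counter[sender_id] = counter
        # Authorization: an authenticated sender is still limited to its own commands.
        if command not in permitted:
            return "reject: not authorized"
        return "accept"

# Constructed sample pairings: a controller and a read-only monitor.
CONTROLLER, MONITOR = 1, 2
KEYS = {CONTROLLER: b"constructed-controller-key-0001", MONITOR: b"constructed-monitor-key-0002"}
PAIRINGS = {
    CONTROLLER: (KEYS[CONTROLLER], {b"read_status", b"set_dose"}),
    MONITOR: (KEYS[MONITOR], {b"read_status"}),
}
```

A frame that passes the tag check but carries a command outside the sender's permitted set is still refused, which is the authorization step operating independently of authentication.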