August 7, 2018
Updated: March 13, 2019
Updated: October 5, 2021

Vulnerability summary

An external security researcher has identified a potential vulnerability related to Medtronic’s MiniMed™ Paradigm™ family of insulin pumps and corresponding remote controller.

When used together, the Paradigm™ insulin pump and remote controller (similar to a key fob) allow a diabetes patient to easily self-deliver a bolus (a dose of insulin given by a pump) without physically accessing their insulin pump. This enables users to discretely deliver a bolus around meals to help keep their blood glucose in range. The researcher’s report details that an unauthorized individual in the same vicinity as the insulin pump user could potentially copy the wireless radio frequency (RF) signals emitted by the remote controller (while delivering a remote bolus) and play those back later to deliver a malicious bolus to the pump user. This could lead to potential health risks, including hypoglycemia, if additional insulin is delivered beyond the user’s insulin requirements, or hyperglycemia if insulin delivery is suspended through a similar play back.

Medtronic first communicated this issue in August 2018. The company provided instructions on how to disable the remote bolus feature when not in use to protect the security of the pump when using the optional remote controller. Upon further review, Medtronic is now expanding the notification to all users who Medtronic believe may still be using the MiniMed™ 508 insulin pump or the MiniMed™ Paradigm™ family of insulin pumps and have purchased a remote controller, due to the potential, associated risks.

Users should immediately stop using and disconnect the remote controller, disable the remote feature, and return the remote controller to Medtronic.

Affected products

The vulnerability was identified in the following remote controllers, listed with the corresponding MiniMed™ pumps.

MMT-500 Remote Controller

  • MMT- 508 - MiniMed™ pump (no longer manufactured by Medtronic)

MMT-503 Remote Controller

  • MMT – 511 pump Paradigm™
  • MMT – 512 / MMT – 712 Paradigm™ x12
  • MMT – 515 / MMT – 715 Paradigm™ x15
  • MMT – 522 / MMT – 722 Paradigm™ REAL-TIME
  • MMT – 522(K) / MMT – 722(K) Paradigm™ REAL-TIME
  • MMT – 523 / MMT – 723 Paradigm™ Revel
  • MMT – 523(K) / MMT – 723(K) Paradigm™
  • MMT – 554 / MMT – 754 MiniMed™ Veo
  • MMT – 551 / MMT – 751 MiniMed™ 530G

Mitigations

Medtronic has assessed this vulnerability per our internal process and found that several factors must be met for this exploit to occur:

  1. The remote option for the pump would need to be enabled. This is not a factory-delivered default, and a user must choose this option.
  2. The user’s remote controller ID needs to be registered to the pump.
  3. The easy bolus option would need to be turned on and easy bolus step size programmed in the pump.
  4. An unauthorized individual would need to be within close proximity to the user, with necessary equipment to copy the RF signals activated, when the user is delivering a bolus using the remote controller.
  5. The unauthorized individual would need to be within the vicinity of the user to play back the RF signals to deliver a malicious remote bolus.
  6. The user would need to ignore the pump alerts, which indicates that a remote bolus is being delivered.

Users who have never programmed a remote controller ID in their pump AND never enabled the remote option, are not susceptible to this type of attack. Additionally, if the user disables the remote option and deletes the programmed remote controller IDs, they are also not susceptible to this type of attack. By default, the remote option is turned off in brand-new pumps, so a user would need to proactively turn it on to be susceptible.

All patients should stop using and disconnect the remote controller and return it to Medtronic. To disconnect the remote controller from your insulin pump, patients must disable the radio frequency function and delete all remote controller IDs that are programmed into your pump.

Get instructions to disconnect the remote controller.

Until the remote controller function is disabled and disconnected from the pump, the following security precautions should be taken to minimize risk:

  • Turn off easy bolus when not intending to use the remote bolus option
  • Be attentive to the pump alerts, especially when the easy bolus option is turned on

The remote controllers impacted by this vulnerability are older models that use previous-generation technology. These remote controllers are no longer being manufactured or distributed by Medtronic.

Additional resources

Patients looking for more information can contact our 24-hour helpline at 800‑646‑4633 or visit medtronicdiabetes.com/services/24-hour-helpline.

Click here to view or download a copy of the field safety notification letter.

The full ICS-CERT security advisory can be found here.

Opt in to receive bulletins.

Sign up