Medical equipment provider Medtronic has issued an urgent recall order for insulin pump controllers belonging to their “MiniMed Paradigm” family. The company cited serious cyber security risks as the reason for the recall.
The models in question are MMT-500 and MMT-503 which is used in conjunction with the Medtronic MiniMed 508 pump.
Overall more than 31,000 of these devices were sold between August 1999 and July 2018. These devices are used by diabetics all over the country to stop, start, or change the amount of insulin delivered to the user.
Medtronic was made aware of a security risk that could allow an unauthorised individual to record and replay the wireless signal generated any time the user presses a button on the controller. The controller sends commands to the insulin pump. An attacker could then over-deliver the desired amount of insulin or stop it from being delivered entirely. In the case of an insulin overdose or a denied dose this could lead to the death of the patient.
According to the latest data available to the company there have been no reports of this security flaw being exploited in the wilds. That is fortunate but as the security flaw becomes more widely known the worry is that it’s just a matter of time.
Medtronic issued a formal statement which contained the following recommendation:
“You should immediately stop using and disconnect the remote controller, disable the remote feature, and return the remote controller to Medtronic. See the Appendix attached to this letter for detailed instructions.”
Unfortunately this is not the first time Medtronic has had issues with this model. In 2019 the FDA warned users of the MiniMed 508 that these pumps were vulnerable to attack. Back then the issue the FDA was warning about was a man in the middle attack that could allow an attacker to take control over the device.
It appears that things haven’t gotten any better. If you, or anyone you know uses one of the devices referenced above don’t delay. Send it back for a replacement as soon as possible.