
CPATH-2026-0036 · MEDICAL IOT

Medtronic MiniMed 508 / Paradigm insulin pumps - unauthenticated RF allows insulin delivery control

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.
Paths: CRITICAL · Dominant consequence: DEVICE_CONTROL_SAFETY (Physical/safety) · Evidence: EV:2 (report-backed) · Liveness: MITIGATED
CPATH ID: CPATH-2026-0036
CVE(s): CVE-2019-10964
Device / class: Medtronic MiniMed 508 / Paradigm insulin pumps - unauthenticated RF allows insulin delivery control (MEDICAL IOT)
Vendor: Medtronic
Dominant consequence: DEVICE_CONTROL_SAFETY (Physical/safety)
Paths verdict: CRITICAL (worst of 2 paths)
Published baseline:
  CVSS v3.1: 7.1 HIGH (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H) · source: CISA/ICS-CERT via NVD
  CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) · source: NVD
Baseline relationship: Paths higher
Consequence dimension(s): #1 #2 #8
Scored: 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence: high

Consequence Paths

Paths Assessment

Path 1: Physical/safety · DEVICE_CONTROL_SAFETY · CRITICAL
Reachability RE:2 · Complexity EC:2 · Consequence DEVICE_CONTROL_SAFETY · Scale SR:4 / SX:2 · Verdict CRITICAL
Metrics: Reachability 2 · Complexity 2 · Exposure 2 · Physical / safety 4 · Data / perception 3 · Authority 3 · Chainability 3 · Reuse scale 4 · Execution scale 2 · Recovery 4
Evidence EV:2 · report-backed · Liveness MITIGATED
Vector: CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:3/CH:3/SR:4/SX:2/OR:4/EV:2/LS:MITIGATED

Path 2: Perception · DATA_PRIVACY · CRITICAL
Reachability RE:2 · Complexity EC:2 · Consequence DATA_PRIVACY · Scale SR:4 / SX:2 · Verdict CRITICAL
Metrics: Reachability 2 · Complexity 2 · Exposure 2 · Physical / safety 4 · Data / perception 3 · Authority 2 · Chainability 2 · Reuse scale 4 · Execution scale 2 · Recovery 4
Evidence EV:2 · report-backed · Liveness MITIGATED
Vector: CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:2/CH:2/SR:4/SX:2/OR:4/EV:2/LS:MITIGATED

Assessment

CFSE Consequence Paths assesses Medtronic MiniMed 508 / Paradigm insulin pumps - unauthenticated RF allows insulin delivery control at CRITICAL — the worst of 2 risk paths (safety, perception). The dominant consequence is influence over a safety-relevant actuation.

Vulnerability

Medtronic MiniMed 508 / Paradigm insulin pumps - unauthenticated RF allows insulin delivery control.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and on the authority, perception, and physical/safety consequences it reaches, together with its scale of reuse, scale of execution, and recoverability.

DEVICE_CONTROL_SAFETY · CRITICAL

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:3/CH:3/SR:4/SX:2/OR:4/EV:2/LS:MITIGATED

Exposure EX=2 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=HIGH → base CRITICAL · uplift recall-class recovery → assessed CRITICAL.

Adjacent RF only, no internet exposure → RE:2 (proximity/RF).
Execution requires specialized RF equipment and proprietary protocol knowledge but is researcher-reproducible (AC:H) → EC:2 advanced-but-reproducible.
No auth/authz means an in-range attacker issues commands as a legitimate paired controller, controlling delivery and settings = command/control authority over the device but not signing-root/OTA-root → AT:3.
Altering insulin delivery causes hypoglycemia or hyperglycemia/DKA, credibly fatal therapy mistreatment → PH:4.
Manipulated/forged dosing commands drive therapy actuation; this is command injection rather than exposed perception, but I do not mark perception_feeds_action because the consequence is direct actuation, not a perception/world-model feed (per definition, dosing command falsification is actuation control).
Crosses RF/protocol → device → physical/safety boundaries, so boundary_crossing true, CH:3.
Protocol weakness is shared across an entire product family (same unauthenticated proprietary RF), reusable knowledge → SR:4.
Not remotely scalable; per-patient proximity required → SX:2.
No software patch possible for legacy pumps; recall and hardware replacement / migration to newer models → OR:4, recovery_needs_fleet_action true.
Report-backed advisory, no in-the-wild exploitation → EV:2, active_exploitation false.

DATA_PRIVACY · CRITICAL

CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:2/EC:2/EX:2/PH:4/DP:3/AT:2/CH:2/SR:4/SX:2/OR:4/EV:2/LS:MITIGATED

Exposure EX=2 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=ELEVATED → base CRITICAL · uplift recall-class recovery · caps privacy-only cap → assessed CRITICAL.

Same adjacent-RF position and proprietary-protocol skill requirement → RE:2, EC:2.
Confidentiality rated Low (C:L): attacker can intercept and read patient/device RF data including health/device operational state → DP:3 (health + sensitive device/dosing state).
Read-only consequence here gives bounded session/component exposure of patient data, not config/firmware control → AT:2.
No physical/safety effect on the pure-read path → PH:0.
Crosses RF → device/app data boundary, so boundary_crossing true, CH:2.
Same family-wide unauthenticated protocol enables reuse of the interception technique → SR:4.
Per-patient proximity, not remotely scalable → SX:2.
No patch; legacy hardware replacement → OR:4, recovery_needs_fleet_action true.
Report-backed → EV:2; not exploited in the wild → active_exploitation false.

Published baseline

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

Cite this entry: CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0036 (“Medtronic MiniMed 508 / Paradigm insulin pumps - unauthenticated RF allows insulin delivery control”), paths.cfse.ai/CPATH-2026-0036 (published 2026-06-03).