BootHole Vulnerability SECURITY BULLETIN

July 30, 2020

Background

Medtronic is aware of and is evaluating a cybersecurity vulnerability known as BootHole that was publicly disclosed on July 29 by security research firm Eclypsium. This vulnerability impacts computers used in nearly every industry which use UEFI (Unified Extensible Firmware Interface) Secure Boot. This vulnerability could allow an attacker who already has access to the device to make arbitrary changes. Keeping good physical control of a device limits the exposure to this vulnerability.

To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.

Medtronic Response

Our technical teams areassessing the situation to understand any potential impact to Medtronic products. We will continue to follow established coordinated disclosure processes for anysignificant security vulnerabilities associated with our products or any updates associated with these vulnerabilities.

At Medtronic, we have teams actively engaged in these matters, including maintaining contact with our suppliers for updates. We monitor our products and systems to assess any impact associated with cybersecurity issues and take appropriate actions as circumstances dictate.

For More Information

Customers needing additional information should contact security@medtronic.com