Insulin pump hack delivers fatal dosage over the air
In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them. The attack on wireless insulin pumps made by medical devices giant Medtronic was demonstrated Tuesday at the Hacker …
That pump manufacturer would have to immediately recall all defective pumps. After all this is a dead serious problem.
What also should be communicated that this is not a problem caused by cost or computing power. It's a problem completely caused by idiocy and bad education. If the software programmers would have known the slightest bit about security, this wouldn't have happened.
Expecting your medical device to be used for murder is a "sensible world" consideration?
Whether it's a random "angel of death" or a particular person being assassinated, all the would-be killer is going to do.... is find another method.
It's far easier, to say, sneak into a hospital and manually inject patients, tamper with prescriptions, doses and prescriptions - and not get caught. Guns are often frowned upon because they make murder easy ... but this is just convoluted.
It might make for a good Columbo plot, but trying to pull off such a stunt without leaving an electronic trail (internet searches, equipment purchases and disposing of the equipment).
Oh, I'm going to kill this guy at work... all I need to do now is feed him fatty, salty foods for years so that he ends up with either a pacemaker or electronic insulin dispenser... then it's simple, dead simple!
> It's a problem completely caused by idiocy and bad education. If the software programmers would have known the slightest bit about security, this wouldn't have happened
That's right. Blame the programmer who coded the system to somebody else’s specification.
"It might make for a good Columbo plot, but trying to pull off such a stunt without leaving an electronic trail (internet searches, equipment purchases and disposing of the equipment)."
Uhm... actually it can be done without leading any electronic trail... but lets not go there.
The point is that the design didn't consider the need for security.
Let's not forget that the company blatently dismissed this guy's warnings too.... (read the Aug 25th article)
Like someone with a sniper rifle picking off random people or some script kid DDOSing a site for shits and giggles.
Programmers do not decide supported transmission protocols unless they themselves are the device manufacturer which is never the case. Maybe if the idiot medical community would learn to heal instead of medicate then there would be no need for implanted devices. And maybe in a perfect world you get to decide everything.
"Blame the programmer who coded the system to somebody else’s specification."
Yes, the programmer deserves some of the blame. Practitioners are responsible to 1) understand their industry (and for programmers that includes having a basic understanding of security risks, threat models, etc); and 2) intervene when asked to do something unsafe, unethical, or unwise.
If I asked a (competent, ethical) building contractor to remove all the interior walls of my house, I wouldn't want him to say "OK, it's your specification!". When the specs are wrong, the implementer needs to say so.
These designs are insecure by design. If they were secure than it could prevent a person from getting medical attention because of the security.
Think of the emergency brake in trains. Would you really want to encase that in reinforced steel with an electronic lock having 1024 bit keys and a pass phrase like "imabor3dcuzimanattag3tt1nnepoozi"?
Why the hell is such a device in need of a wireless connection at all?????
Come to that, why does it need a communication protocol at all!!!!
Because it's easier to increase or decrease a persons automatic dose than cutting the person open.
"... because they contain tiny radio transmitters that allow patients and doctors to adjust their functions"
Or would you prefer the patient was cut open whenever a change to the treatment regime was needed?
There would be no "cutting open". The pump is an externally worn device, only the needle pierces the skin. Presumably the wireless connection is to allow the adjustment of the control unit (also external) from a PC. I guess it integrates with monitoring sofware etc, so the patient can set the device according to historic stats of blood sugar levels. With the old fashined insulin pen, the patient must work it all out in their heads.
There must be some diabetic Reg commentards who can explain...
They don't need a wireless communication protocol. For all of the people saying it's easier than cutting the patient open you obviously don't understand what an insulin pump is and how it works, or are getting confused with the comparison to the hack on heart monitors.
An insulin pump is an external device (as pictured), with a screen and buttons on it that can be directly controlled. It then has a cannula that goes into the body. It has wireless capabilities only because people are too lazy to enter the data once into it, and once into a computer database, or connect it via a cable to the computer.
The control system of an insulin pump is *external*
There must be an external component of the system *so it can be refilled with insulin*
The only reason there is a radio control system is convenience. It could be done just as well with an interface on the control box (what, did you think that thing was actually stuck inside the patient? what on earth did you suppose the buttons were for?) or even a plug in control unit.
There is absolutely no reason for any of these kind of drug delivery devices to have a radio control system. None.
Have you even seen how diabetics administer insulin? Its usually just a tiny little needle, nothing more, that gets the insulin to where its needed: subcutaneous tissue. Why would someone need to perform invasive surgery to embed a device that can only be modified by cutting a person open that only needs to get its output to the tissues near the surface of the skin? That is madness!
I'm not sure where the idea of cutting someone open came from, but that would never be the case with regard to changing the settings on an insulin pump. The insulin pump with the wireless receiver is external to the person, it would have to be external anyway as they need to change the insulin vial it houses on a monthly basis or sooner, dependent on their dosage.
The wireless communication is provided to simplify control for the user by providing a secondary handheld device which regulates the insulin dosage and allows for the user to get instantaneous blood sugar level readings.
Surgery is not the only alternative to wireless communications.
Before implanted heart monitors/defibrillators had wireless functionality, there were models which could be read and manipulated using a sensor placed against the skin. These are generally not very easily acquired any more, however, because they've been supplanted by the far more convenient wireless models...
> It has wireless capabilities only because people are too lazy to enter the data once into it, and once into a computer database
Once people are involved in the transfer of data then human error plays a part. Incorrect data can be entered into the insulin pump and incorrect data can be entered into the computer database.
Oh, and one of the symptoms of type 1 diabetes is fatigue which means your are more likely to enter the incorrect data.
> Before implanted heart monitors/defibrillators had wireless functionality, there were models which could be read and manipulated using a sensor placed against the skin
So the sensor communicated with the heart monitor <what>erly?
I am guessing it involved RF or in induction, both of which generally lack strings of electrically conductive material. In fact the 10 year old code in the insulin shooter might be that same stuff just with a longer range wireless transceiver in it. No encryption over a 10cm range link = not a big problem; same protocol broadcast over 10m link = more of a problem.
I guess it was induction; my wife used to fit them into people and had a large programmer (a highly modified, DOS-based laptop in a tough case) that communicated with the implanted device via a large wand placed over the patient's chest. The wand had a circular loop that, I imagine, was an induction coil. I believe it's all RF of some sort now, but she's out of that game and sticking new valves into folks via their arteries these days. Clever stuff.
"There is absolutely no reason for any of these kind of drug delivery devices to have a radio control system. None"
Not quite. If you connect almost any sort of electronic equipment to a human for clinical purposes it has to undergo extraordinarily stringent safety tests to *prove* beyond almost any doubt that it cannot pass mains voltages through to the patient and thereby kill them. The pump assembly will have to be tested but as it is presumably battery powered that will not be quite so bad.
If the controlling system connects to the pump assembly wirelessly the existence of a 1 meter+ air gap allows you to say 'its safe' without any testing of the controlling PC. Which is a great advantage believe me.
Not that any of this excuses the completely insecure link design - even 10 years ago.
The reason for connectivity is to improve management of the disease. The reason for wireless is for the patient's comfort and convenience.
Using a handheld device (not implanted), I take anywhere from 6 to 12 measurements of my blood's glucose level, each day. These implanted devices take measurements anywhere from once every 3 seconds to once every 3 minutes, or so.
That's a LOT of data points.
Using that data to chart a patient's glucose levels greatly improves the ability of both doctor and patient to visualize the progression of the disease and its treatment.
Manually entering into spreadsheets the thousands of data points produced by implanted devices between consultations and then producing graphs from that data is prohibitively labor-intensive. We're talking about many, many hours, even days, of going through points, one by one, and manually typing the figures on a keyboard.
Connectivity allows the use of vendor-supplied software to (a) gather the data points and then (b) create visualizations from that data. The handheld device I use includes infrared connectivity. Many others use Bluetooth (most popular) or some other protocol.
Attaching a cable to one of these implanted devices is extremely uncomfortable, akin to sticking a syringe into your belly/back and then having someone pull it to the side for 5-10 minutes while the device and the computer handshake and get down to work. You don't want to do that.
I do agree that security has been pretty much overlooked in these devices.
And to those of you who wonder what could go wrong ... what the risk is ... well, I guess you don't know any kids, or any assholes. Some people just like to hurt other people. They don't need a reason ... just the fact that it can be done, and that someone will absolutely be hurt by it, is enough.
Simples!
A plug-in infrared led/photodector pair.
(Well two pairs, if you want to communicate both ways)
Fatigue? Since when. Maybe when the blood sugar is so high that I'm in DKA and havingI a heart attack but otherwise I'd never had been able to get my clearance if 'fatigue' was going to oaffect my performance. Check your facts next time.
>Once people are involved in the transfer of data then human error plays a part. Incorrect data can be entered into the insulin pump and incorrect data can be entered into the computer database.
This is entirely unrelated to whatever transfer medium is used.
FAIL yourself
The wireless function is for the PARENTS of a young diabetic to adjust dosage without having to keep said child still while making the modifications.
There's an old DDJ article about someone reading the serial protocol from their Insulin monitor that's more than 10 years old so the fact the *data* was available and (at least on some models) decodeable has been around for some time. IIRC they were reading the stream to do *exactly* what you are describing.
But what I think surprises a *lot* of people (including me) is being able to *adjust* it as well.
Snooping someones insulin level is odd but *relatively* harmless but who designed in a way to dump the *whole* reservoir in one go? Override the change alarm?
Either the control protocol is *very* low level (more or less bit twiddling) or someone has designed in a "remote homicide" function.
Icon shows my surprise. Incorrect insulin levels can *kill* and US insulin pump companies should be very aware of this.
This is so right! There was never a need to include this kind of connectivity but lazyness won out. First came remote monitoring, so medical professionals didn't have to go near the patient to read the device, then came small changes to allow limited control and now we're here.
If people had accepted that sometimes, you have to get off your arse, this wouldn't be possible
A far better form of communication would be through inductive loop technology with a control loop needing to be placed on a patients skin.
The location could easily be defined by blood coloured tattooed dots.
Next we'll be hearing of MURDER BY RADIO! Or CELL PHONE?
This is like if corporations allowed all & sundry to access SCADA.
Oh, wait ...
I guess the calculation is that the benefit to life far out-weighs the risk to life of leaving this vulnerability un-checked. Mind you, if the manufacturers don't come clean to all users about the risk, then I would have thought they'd be exposed to a massive law suit should anyone actually use this defect to attack someone.
The operational model for this sort of thing ought to be 'remote monitoring at any distance you like (within reason), but remote control confined to a couple of feet range' - even for a properly secured device.
I really don't think so. I'm an insulin-dependent diabetic, and can tell you that there would be absolutely no benefit to my life in having one of these pumps implanted. In fact, given that I'd have to replace a 300-unit cartridge in my body every six days instead of in my pen injector, I'd say it would be a huge detriment to my life.
You're forgetting the other option. USB. It's pretty damned difficult to plug someone's insulin pump into a USB port without them noticing. Wireless is not the only connection available to device manufacturers!
A possible if unlikely circumstance may arise where I might want to get an insulin pump installed in my body, but I'll be shagged up the arse with a splintered broomstick before I get a USB port installed...
They are a 'beltpack' which contains the insulin, pump, batteries and control electronics. It then delivers the insulin dose via a canula needle.
That's one reason why this is so unforgivable.
An optical link similar to TOSLINK would give higher data rates than 900MHz radio and with trivial covers (black tape!) would require a proposed attacker to have physical access to the beltpack.
But no, they went for radio and forgot that radio means you must assume *everybody* is an attacker, and that the attacker *will* listen in on all communications.
The worst part is that it doesn't even take the attacker to be malicious. 900MHz is an ISM band, thus is used by any number of other devices. What if one of them happened to send data your device interpreted as "Inject lots", after a 'proper' controller did the handshake?
You can't possibly test your device against every single 900MHz ISM device. You can't even test against all the other 900MHz devices that are likely to be in a hospital, let alone anywhere else.
"I'll be shagged up the arse with a splintered broomstick before I get a USB port installed..."
Let me guess... you're a firewire man..
Remember, people initially thought certain wi-fi stations had fairly short ranges until some hacker stuck a Pringles(tm) can around them and beefed up reception to a couple multiples of the vendor designed range.
it should never accept commands that are lethal. I've done work for a well known medical company in the past, and I was amazed by the amount of securitychecks in the firmware, no way you could give it a command that would be fatal. Injuries, yes, but it would catch any typo of a nurse...
> no way you could give it a command that would be fatal.
Until some hacker comes along and finds out that if you do this, this and this whilst sticking a finger up your nose it bypasses the security. At which point the original system designers slap themselves on the head and say "I never even considered that!"
Problem is its not as simple as deciding which command will kill someone. As a diabetic on insulin I use very small amounts of units between 20-30 I have a friend who is type 2 and he uses hundreds of units a day. Some people will use more than 10 times the number of units of insulin per meal that I use. There dose could easily be fatal to me. My dose would have next to no effect on them.
For those that dont understand how you use an insulin pump the number of units pumped wouldnt normally be static, normally it would be based on a profile of the food you are eating and the total amount of carbohydrate in the food. There is a need to be able to control the device on the move. Using no encryption though is very silly I would expect if it was wireless to use something akin to a VPN where encryption keys are changed regularly.
OK, am I getting de ja vu or didn't the reg already do this story earlier in the year?
Barnaby Jack had not been on the case, so the conclusion was that you needed physical access to the device to get the serial number, so the risk was relatively low.
Now it has been revealed that these devices will transmit their serial numbers, so the stakes are higher. The serial number will be used to confirm that the patient and device are the same as the medical records before adjustments are made, a requirement for medical safety, but it seems implemented with insecure protocols.
They actually mention that in the 3rd paragraph (and provide a handy clickable link). And point out that this research builds on that research so now he doesn't need to know the serial number of the device in advance and he can carry out the attack from signficiantly further away ...
Not old news, the last article about this was pooh-poohed by the manufaturer because you had to know the serial number of the targeted device and the device would alert the user that something was going on. There are soo many easier ways to kill someone so that possibillity just wasn't very feasible. But this new vuln that makes the device respond to some sort of broadcast with it's own serial number, and makes it possible to override the warning and control mechanisms make the vulnerability several orders of magintude more serious and is definately worthy of a follow-up article.
I have one of these pumps, and frankly I'm not going to lose any sleep over it. If someone wants to kill me, there are far easier ways than this. Yes, it's a flaw that should be fixed, but in my opinion the security researcher is making this out to be a bigger issue than it really is.
And for those asking above, the wireless capability is to allow a small controller to manage the device. Frankly I've never seen much need for it myself, as I use the pump directly, so I never enabled the wireless facility. Note, the device isn't inside the body, as some people seem to think!
"If someone wants to kill me, there are far easier ways than this."
If I had a device in my body that was capable of killing me, I wouldn't be worried about hackers either.
I'd be more worried about a software bug in the system.
Sign up, sign up for The Register's weekly IT security newsletter - click here
