In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them. The attack on wireless insulin pumps made by medical devices giant Medtronic was demonstrated Tuesday at the Hacker …
No, they got it right.
Low blood sugar is called a hypo, or hypoglycaemia.
High blood sugar is a hyper, hyperglycaemia.
A hypo is more dangerous than a hyper.
Also, slow news day? I seem to recall this very same story being reported earlier on this year. Along with a statement from the company admitting the vulnerability but saying theres no evidence of the attack ever being performed, so they weren't going to action it.
No, that is correct. They are talking about insulin levels, but I think that you are thinking from the perspective of blood sugar levels. When insulin is too low, blood sugar levels rise, leading to hyperglycemia. When insulin is too high, blood sugar levels drop leading to hypoglycemia. Excessively high insulin levels (as in the case of the attack in question) could lead to fatal case of hypoglycemia.
Nope. Hypoglycaemia is low sugar, hyperglycaemia is high sugar.
It's just worded confusingly, when *insulin* levels are too high, there's a risk of hypoglycaemia (low blood sugar), when *insulin* levels are too low there's a risk of hyperglycaemia (high blood sugar) - it's a little bit more complicated than that, but that's the gist (btw, insulin dependant diabetic here... but i don't have a pump, oo-err missus)
No, it's correct...
...but not worded particularly clearly. Too much insulin = low blood sugar levels which can result in hypoglycemia. Not enough insulin = high blood sugar levels which leads to hyperglycemia. It's not as simple as that though unfortunately as activity is a huge factor in sugar levels. A type one diabetic can suffer either hyper or hypoglycemia without having made any change to their usual dose of insulin. My son's a keen sportsman and type 1 diabetic.
I've never understood why two opposing descriptions of blood sugar levels have names that sound almost completely the same. In our house we don't tend to use them - "high" or "low" make much more sense.
On the topic of the article, we've looked into pumps. I'm really uncomforatble with the idea of a device deciding on insulin dosage, when it contains enough to be lethal. The article, on top of the fear I already have, implies human error could send the device an incorrect (lethal) instruction. I don't want to be hearing that apology from my GP.
I fail to believe that there is no software sanity checking on the receiving unit, or other physical interlocks built into the pump itself to prevent lethal doses being administered. Didn't software engineers learn anything from the Therac-25? A safety-of-life system should never be totally reliant on a single software component to function correctly. What if a bug in the unit (rather than a hack) sent or parsed a 'deliver insulin' message in an infinite loop? Or the owner mashed the button repeatedly cos he left it in a trouser pocket? The mind boggles if this story is true.
as has been pointed out by others, this isn't like radiation exposure, where we all have a smiler limit. The limit for any individual is variable, dependent on their type and degree of diabetes.
Therapeutic for one person is fatal for another.
"the benefits of the therapy outweigh the risk of an individual criminal attack"
Well, the benefits of taking insulin outweight the risks of someone using your new killswitch functionality, that much I'll agree with. Insulin pumps are pretty good, especially if you're less than brilliant at dosing yourself with insulin effectively.
But exactly what are the benefits of using a radio control system, again? Perhaps the 900mhz radiation makes the insulin more effective, hmm?
Why is everyone so keen to cut diabetics open to change the dose? The pumps are worn on the outside and are connected to user via a cannula.
The main reason for the wireless commands I would guess would be for a glucose sensor on another part of the body to send the pump readings so it can administer the correct amount of insulin.
Facts from a Medtronic User
My wife has one of these pumps - a Medtronic 719. Her life depends on it, and trust me, diabetes is not fun to have. Some of the comments are not very helpful, even offensive, implying that the wireless is there just to save some time getting data out.
The facts: The wireless feature does help to get data out of the device which helps with setting the dosage curve (annoyingly you need a PC with IE and Java), but more importantly the wireless feature is used to help regulate the insulin intake, more or less continuously. An electronic strip tester can take the blood-sugar level from a pin-prick of blood and send the level to the pump - this can happen up to 10 times a day. Another device which my wife has been piloting has a sensor that sits in the skin, and continually measures the sugar level, again radioing in the numbers only this time every few minutes. This gets the whole setup to something like an artificial pancreas, which if you think about it, is pretty cool.
The downside is that the pump is plumbed into your body. You wear it under clothes - and the wireless trick is useful as it helps you lead a more normal life.
Actually I tried to read data from the Medtronic device myself - the fact that it can't be read from a Mac is not in my mind a helpful feature so I earlier this year I tried to set up a 900Mhz radio to read from it, or to intercept the USB dongle, so I could get the data out and plot it on graphs. At the time I thought this could be a vulnerability, but because I couldn't make it work I gave up and thought no more of it.
It's a serious point about the hacking, glad it's been brought to life. As more of us get to outsource our body functions to machines, we had better make sure they can't be slipped a 'virtual mickey'.
Wow, the skin sensors will be a huge improvement quality of life. I hope they test well.
The security vulns in this need fixed, and quickly.
There are three purposes for the wireless functionality:
- enable a glucose sensor to communicate levels to the pump
- enable details to be uploaded to a PC for analysis of trends
- enable the use of a remote control so that parents can lock their children's pumps so they cannot adjust them.
Most diabetics manage their own levels and do not rely on someone else adjusting the settings. However pumps are also used by young chiildren and it is not appropriate for they to make their own adjustments. So there is a remote control option to allow the pump controls to be locked and the parent deliver the bolus using the remote.
@ dave 76 - Glad you brought
the "think of the children" factor into our discussion. This will definitely help silence those pesky critics.
You could wrap it in a tinfoil hat
I did some noodling around years ago with a mylar snack bag and a cell phone and a prox card. The there's no cell signal inside that bag, and the prox card wasn't seen by readers. If you were worried about your insulin pump or your passport or what have you being hacked by evildoers, just recycle one of those bags.
FDA & co asleep at the wheel?
Presumably devices such as these that dispense medication to a patient fall under some regulatory oversight/approval process....
Shouldn't the incompetents in question have reviewed the security of the methods used to instruct the device to dispense said medication before approving the device?
I'd rather fire/do other nasty things to a few regulators and fine the producer a large amount of cash (some amount they actually care about) than blame the poor firmware programmers (as mentioned above).
@Anonymous Ditch Coward - In case you didn't figure out yourself
incompetents can not monitor incompetents
The medical industry is risk-averse to a level approaching severe paranoia. Medical companies don't just decide "hey it'd be cool to make it wireless" - that would have to go through trials and get approval from bodies such as FDA before being allowed, and that means the usefulness had to be proved.
This does make for a great CSI episode; however a recall is quite likely in my view... or scheduling patients to get a new device next check-up.
Suddenly rather relieved...
That NHS Scotland doesn't have the money to supply pumps.
Cripes--the $200 remote engine start fob has more security.
"Cripes--the $200 remote engine start fob has more security."
On this showing it does.
For those wondering why the pump is wireless...
Its main reason is so the device can communicate wirelessly with its optional continuous blood glucose monitor (CGM) -- AKA "the cybernetic wood tick". Downloading pump history, etc., was secondary, since that could have been done over a wired port -- however, since the wireless ability was now there for CGM, why not just use it for everything?
Newer versions of the pump will eventually use this configuration to allow it to automatically decide the dosage to give you based on the predicted values from he CGM (from what I understand, human trials are underway) -- however, unless they also integrate a glucagon pump (in addition to their lack of insulin, type 1 diabetics also don't produce glucagon, hence their susceptibility to hypoglycemia), you won't catch this type 1 using one.
er just no
I'm a diabetic, and Ive long since pondered if I would let the average incompetent write embedded firmware to go inside me. And the answer after working in IT for years is NO! not until its been tested and on the market for years...
And the attitude of the company "the risks outweigh the benefits" er yes Im sure they do. But a pump without a remote injection exploit would deliver benefits without those risks. Not a good answer. Not the correct answer.
Two thoughts, firstly get someone involved who understands security and has a bent for doing things the "wrong" way. Hell, get it pen tested formally, there's lots of companies fairly good at this sort of thing who will contract and come in and test embedded firmware. Its part of actually designing something for the real world and should be factored into the cost of development, even if it does eat slightly into the costs of your big fat medi company profits.
Secondly all the people saying they'd stick it in themselves knowing this was possible, hows your hosting server doing? p0wn3d this week? go ahead, you might find more than a downed server if some evil pixie happens to be in a train station in central london or something for a few hours just for the craic of it (and that's what drives some bad people). And you know what, nobody would ever think to put you hypo'ing out a hour later in that same trainstation walking past some evil begger running exploit code on a hidden lappy or droid phone...
In fact, do it, thin the herd a bit if your that hard of thinking.
Its in all of our interests to cause so much noise to this manufacturer, that every other developer of medical embedded devices takes note, and starts doing due diligence properly. Not just accept sloppy work like sheep.
While it's a serious issue, and needs to be fixed -- any type 1 that isn't in tune enough with their condition to know when they're dropping fast and need sugar is probably already at high risk of death, sans the exploitable pump.
Sure, you'll need a great amount of sugar, a glucagon injection, and are going to feel sick as hell in the end -- but you'll survive it, just like you always do.
Also, note that the pump can't exhaust the full reservoir all that quickly. You'll probably start feeling it before it completes, not just as hypoglycemia, but as pain in the infusion site from the prolonged injection. In addition, 150 to 300 units, depending on the reservoir you have, is the worst case. The exploit would have to take place immediately after your 3 day refill for you to have a chance of getting the full dose.
In short; Yes, it needs to be fixed quickly -- but lets not over react.
stuxnet for insulin pumps ?
you have got to be kidding me...
even 10 years ago leaving a life critical system unencrypted is blatant stupidity...
It can be easily solved : only accept incoming transmissions provided a button is physically held down on the device. like enter a special menu. then select option 'enable receive' and keep holding the 'ok button. if you let go of the button the link is terminated.
hardware mechanisms require physical access to the device.
Not if you want to use a CGM...
"only accept incoming transmissions provided a button is physically held down on the device"
The pumps in question use wireless to communicate with Continuous Glucose Monitors (CGM). While a link with the CGM should be much more secure than it currently is, having to hold a button down every 15 minutes to get a reading kinda defeats the purpose of the CGM and isn't the correct path to take for security.
What noone seems to have cottoned onto is that a terrorist could have a great deal of 'fun' taking this exploit for a drive, and could wipe out a city of diabetics before anyone joins the dots.
It is vital that this security hole is fixed ASAP, and that all designers are taught to consider security before, during and after any code is written.
I would expect the manufacturers and users to be a damned sight more concerned than they appear to be!
Seriously AC 20:36 the number of insulin pump users even in the US is fairly low in comparison to the rest of society a terrorist could drive around all day given the ranges needed to find someone to kill. I'm not saying this isnt a potential problem and it should definetly be fixed at medtronic's expense but please try to get some perspective here. Additionally as a planned murder tool the target would a) Have to be an insulin controlled diabetic with one of these devices b) You would have to know point a and c) the person would have to have enough insulin in there pump to make it a fatal dose at the time you choose to strike.
I would be far more worried about contaminated insulin or getting hit by a bus than this scenario.
For those saying that there are other ways to kill people.....
There have always been other ways to kill people. If you really want to do someone in you can walk up to them and bash their head in with a rock. However, that tends to generate lots of witnesses and evidence. You can get more sophisticated and use a high-powered rifle with a silencer and an exploding bullet, but that takes a lot of skill and can generate witnesses and evidence too.
However, if you can get a hacker to give you the necessary gear, you can readily kill someone with one of these insulin pumps, and nobody is going to suspect you because you were in the next room or sitting at a nearby table when it happened.
So, are we going to have an outbreak of assassinations of diabetics--no. But if someone wanted to get rid of their diabetic spouse/business partner/public official without leaving fingerprints or suspicion, it could be done. If enough money was at stake, you could even use this hack to sabotage a diabetic business rivals health just enough that he stays home sick and misses a big business deal of some kind.
I mentioned spmething like this last time it was brought up.
Surely it wouldn't be that hard to dose a business rival while they slept so that they performed worse in the morning, for example?
Also, the fact you don't have to ever touch anything that will be at the crime scene or get in any wa close to the victim must make this an easier option for getting even on a diabetic loe rival, for example, than punching them in the face?
To me this is just another version of using an unsecured wireless network to plant something on someone's PC -- it's probably not going to be that common but I'm sure that it's easy enough that someone will do it.
It's just sad
That the world is such a f'd up place these days that you need to worry about someone Pwn!ng your medical device, and that they might frivolously decide to screw with the settings. It's depressing that anyone would even think of exploiting this.
"It's depressing that anyone would even think of exploiting this."
Welcome to plane Earth.
We are the human race.
Some of us are pretty bad. Some of us are pretty good. Most of us are somewhere in between.
This is all very theoretical
Honestly... the risk here is mainly theoretical. I fail to accept that there would be very many people motivated to kill a person using an insulin pump anyway, but there are a number of reasons why it remains quite implausible to do on a large scale.
To clear up some misconceptions: there are user enabled security measures on these pumps (I've been using pumps from various manufacturers for over a decade). The simplest one is not filling your pump overly full if you don't use much insulin. A 300 unit dose to someone who uses 20 units a day is a lot more serious than to someone who uses 100+ units per day. There are also settings on the pump which allow you to restrict the maximum dose that can be delivered in a single go. There is nothing in this article that mentions over riding that setting.
Finally, on a very practical note, Medtronic insulin pumps deliver insulin boluses at a maximum rate of 1.5 units per minute. Assuming that you had just filled your pump up to 300 units, failed to set the maximum bolus limit and then encountered a person with both the skills and motive to attack your pump, it would take 200 minutes for the full 300 units to be delivered. To not notice this happening, you'd most likely have to be asleep, as most patients will use or check their insulin pump more frequently than that.
Others have covered the reasons why radio frequency is used, but it's also worth noting that USB or their direct cable interfaces are not used because they compromise the integrity of the casing. Failure of the pump through moisture ingress is much more likely than the implausible hacking scenarios I've just outlined.
All medical devices are regulated in europe under the medical device directive and in the US by the FDA and software is an increasing focus of the regualtors. The regualtion is risk based and if a fault in the software can kill then is falls into the highest category of regulation 'serious concern' in the US or 'class C' in the EU.
In the design of adevice you are required to consider user errors and forseeable misuse of the device but your are not required to consider deliberate abuse of the device. The reason for this is it is impossible to design devices paticularily medical devices which are safe if some one is actively trying to use them to cause harm. In the case of an infusion pump such as the device mentioned some one can contaminate the medication, load the wrong medication or request too high or too low a dose, none of these things require a wireless connection. Someone could simply steal the control unit, password or other authorisation mechanism required to control it so even if there was no wireless vulnerability there are many ways it can be used to kill.
The device must be designed to prevent accidental or corrupted commands being actioned. If it was required that medical devices were safe even when attacked by technically sophisticated people who aimed to cause harm then I do not think we would have any medical devices approved at all.
The reason that people are not constantly murdered usingmedical devices is because in society as a whole deliberate murder is rare. If someone ttechnically sophisticated and dedicated enought to kill someone via hacking a wireless infusion pump wanted to kill someone there is a good chance they will do so whatever level of communication link security is provided.
"The device must be designed to prevent accidental or corrupted commands being actioned. If it was required that medical devices were safe even when attacked by technically sophisticated people who aimed to cause harm then I do not think we would have any medical devices approved at all."
IOW because there are so many *other* ways to mess with sort of product it is categorically *not* the mfg's fault that this was not allowed for.
That must make users feel so much *better*.
Yes - but what if some famous/influential person has one. Specific targets could be more worried about someone only having to loiter outside the entrance to their workplace.
Glad I made the choice to stay on the "Old Fashioned" 4 injections a day. I know pumps work for a lot of people but for someone like me who engages in a lot of physical activity including martial arts it's just not practical. I can use this latest "wireless hack" as yet another reason when the docs try to force me onto the pump!!
Some insulin pumps (which are *not* implanted but can be worn under clothes) can report their insulin usage by a wireless link, which is more frequent and can update the monitoring database without human error.
But the app is coded in Java and needs Internet Explorer, although no one knows why.
But the link is not line of sight, does not require user authorisation (like inserting a tag) and uses the unlicensed radio band at 900Mhz
It allows remote adjustment of flow rate and pump activation possibly because *some* users are children (whose insulin needs presumably vary too wildly to be adjusted any other way). This *might* explain why the alarm and vibration warnings can be shut off. Too distracting for the little darlings) and *some* users might have a wireless insulin monitor (from the same company?) which could update pump settings.
Maximum flow rate on the pump would require 200 (c3 hours) mins to dump the whole reservoir. If you wear it while asleep or while driving you might not notice it or be unable to do something about it. So do diabetics wear them to sleep?
Insulin tolerance amongst diabetics varies by an order of magnitude.
This product has been on the market since at least 2006 and possibly as early as 2001 which predates Stuxnet but not the case of the radiation machine whose faulty software dosed patients with 10x the set dose, and a few other cases of embedded systems working incorrectly.
European rules appear to say that since there are so many other ways to tamper with the insulin supply the mfg have a get out of jail free card.
The combination of security-by-obscurity (*despite* the fatal consequences to patients *if* someone tampers with the product) coupled with the circular logic of only-trusted-devices-will-update-the-settings-because-only-trusted-devices-know-how makes this a crime waiting to happen (it would *not* be an accident), always assuming it has not *already* happened.
BTW I first read about "artificial pancreas" research using pumps and an optical sensor in the late 1970's. It needed blood vessels *very* close to the surface to get a clear reading so you
had to "kiss" it. Not really convenient for update rate of every 10 mins.
Despite *huge* advances in MEMS, DSP, stem cell and genetic modification we still seem no closer now than we did then to dealing with Type 1 diabetes. Type 2's best bet seems to be trying to stay on a 900Kcal/diet to shock their cells back into insulation production and reception.
Not until they can do something about it.
Unscrew the antenna maybe (I know it would probably require a scalpel)
When this code was written was what 10 years ago?
2001 - No one thought of security? I doubt it, they just thought "!windows == !vulnerable"
OK, so my insulin pump happens to not be wireless. But even if it was it's not really something to be worried about. It's not an attack that could be targeted at you specifically, and unless they are just going to go and sit in a crowded space and see who he can make drop to the floor from an insulin overdose. They have no way of knowing that I am diabetic from 300ft away, or even 2ft away unless I tell him I'm wearing an insulin pump. And if someone is sat in front of me with a laptop and fancy antenna and starts asking about what kind of insulin pump I'm using... I'll just walk away and the problem is solved.
A large dose of insulin is dangerous, but it's far less dangerous to an insulin dependant diabetic than it is to a "regular" person. I'll certainly feel it if my pump suddenly starts trying to send 300 units into me (the max my pump ever has in it is about 180u), then just unplug the canula and start downing bottles of Lucozade. Not a fun result, but not fatal.
Pumps need to communicate
I built an interface to my companies pumps, not the interface in the pump. Pumps need to talk to systems for software changes and to report data back to monitoring systems.
Most of our customers (hospitals) demand wireless interfaces and that is the way the industry is going, at the moment most of our kit is wired and does have basic encryption enabled by default.
a doctor writes...
CGM is handy, although many with T1DM and pumps manage without. CGM sensors are of course attached to the same person (although some patients constantly surprise), so a limited range is required.
Medical devices may go through "extensive testing", but this is limited when compared with drugs. I'm also sceptical that the device testing people are sufficiently up on IT and embedded software to understand that if a device is hacked, it can do things it's not been programmed to do.
Finally (at the risk of the wrath of those with pumps, and their doctors) pumps are no better at controlling diabetes than multiple daily injections (a basal bolus regimen), in terms of outcomes (death, complications, hospital admissions). They are much better in terms of flexibility, and given they are still fairly new, I *think* taht they will improve and become better in the future. This is not certain. The companies that make pumps of course wish world+dog to believe that they are perfection (whilst enjoying their cheap razor/expensive razor blade economic model).