Insulin pump hack delivers fatal dosage over the air

In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them. The attack on wireless insulin pumps made by medical devices giant Medtronic was demonstrated Tuesday at the Hacker …

COMMENTS

  1. Christian Berger

    In a sensible world

    That pump manufacturer would have to immediately recall all defective pumps. After all, this is a dead serious problem.

    What also should be communicated is that this is not a problem caused by cost or computing power. It's a problem completely caused by idiocy and bad education. If the software programmers had known the slightest bit about security, this wouldn't have happened.

    1. Anonymous Coward

      In a sensible world?

      Expecting your medical device to be used for murder is a "sensible world" consideration?

      Whether it's a random "angel of death" or a particular person being assassinated, all the would-be killer is going to do... is find another method.

      It's far easier to, say, sneak into a hospital and manually inject patients, tamper with prescriptions, doses and prescriptions - and not get caught. Guns are often frowned upon because they make murder easy ... but this is just convoluted.

      It might make for a good Columbo plot, but trying to pull off such a stunt without leaving an electronic trail (internet searches, equipment purchases and disposing of the equipment).

      Oh, I'm going to kill this guy at work... all I need to do now is feed him fatty, salty foods for years so that he ends up with either a pacemaker or electronic insulin dispenser... then it's simple, dead simple!

      1. Anonymous Coward

        "It might make for a good Columbo plot, but trying to pull off such a stunt without leaving an electronic trail (internet searches, equipment purchases and disposing of the equipment)."

        Uhm... actually it can be done without leaving any electronic trail... but let's not go there.

        The point is that the design didn't consider the need for security.

    2. Anonymous Coward

      > It's a problem completely caused by idiocy and bad education. If the software programmers would have known the slightest bit about security, this wouldn't have happened

      That's right. Blame the programmer who coded the system to somebody else’s specification.

      1. Michael Wojcik Silver badge

        Following orders is not an excuse

        "Blame the programmer who coded the system to somebody else’s specification."

        Yes, the programmer deserves some of the blame. Practitioners are responsible to 1) understand their industry (and for programmers that includes having a basic understanding of security risks, threat models, etc); and 2) intervene when asked to do something unsafe, unethical, or unwise.

        If I asked a (competent, ethical) building contractor to remove all the interior walls of my house, I wouldn't want him to say "OK, it's your specification!". When the specs are wrong, the implementer needs to say so.

    3. Ammaross Danan
      FAIL

      Let's not forget that the company blatantly dismissed this guy's warnings too... (read the Aug 25th article)

      1. Wize

        There is also the risk of someone doing it for fun.

        Like someone with a sniper rifle picking off random people or some script kid DDOSing a site for shits and giggles.

    4. tslate

      In a sensible world people would have sense before commenting

      Programmers do not decide supported transmission protocols unless they themselves are the device manufacturer which is never the case. Maybe if the idiot medical community would learn to heal instead of medicate then there would be no need for implanted devices. And maybe in a perfect world you get to decide everything.

    5. zanto

      missing the point

      These designs are insecure by design. If they were secure then it could prevent a person from getting medical attention because of the security.

      Think of the emergency brake in trains. Would you really want to encase that in reinforced steel with an electronic lock having 1024 bit keys and a pass phrase like "imabor3dcuzimanattag3tt1nnepoozi"?

  2. Anonymous Coward
    Boffin

    As i said originally... Ahh Smug mode!

    Why the hell is such a device in need of a wireless connection at all?????

    Come to that, why does it need a communication protocol at all!!!!

    1. This post has been deleted by its author

      1. J Munro
        Stop

        Have you even seen how diabetics administer insulin? It's usually just a tiny little needle, nothing more, that gets the insulin to where it's needed: subcutaneous tissue. Why would someone need to perform invasive surgery to embed a device that can only be modified by cutting a person open that only needs to get its output to the tissues near the surface of the skin? That is madness!

        I'm not sure where the idea of cutting someone open came from, but that would never be the case with regard to changing the settings on an insulin pump. The insulin pump with the wireless receiver is external to the person, it would have to be external anyway as they need to change the insulin vial it houses on a monthly basis or sooner, dependent on their dosage.

        The wireless communication is provided to simplify control for the user by providing a secondary handheld device which regulates the insulin dosage and allows for the user to get instantaneous blood sugar level readings.

    2. Ian Johnston Silver badge
      FAIL

      Did you read the article?

      "... because they contain tiny radio transmitters that allow patients and doctors to adjust their functions"

      Or would you prefer the patient was cut open whenever a change to the treatment regime was needed?

      1. Jim 59

        Insulin pump

        There would be no "cutting open". The pump is an externally worn device, only the needle pierces the skin. Presumably the wireless connection is to allow the adjustment of the control unit (also external) from a PC. I guess it integrates with monitoring software etc, so the patient can set the device according to historic stats of blood sugar levels. With the old-fashioned insulin pen, the patient must work it all out in their heads.

        There must be some diabetic Reg commentards who can explain...

        1. Anonymous Bosch

          The wireless function is for the PARENTS of a young diabetic to adjust dosage without having to keep said child still while making the modifications.

      2. Raumkraut

        Cutting people open

        Surgery is not the only alternative to wireless communications.

        Before implanted heart monitors/defibrillators had wireless functionality, there were models which could be read and manipulated using a sensor placed against the skin. These are generally not very easily acquired any more, however, because they've been supplanted by the far more convenient wireless models...

        1. T.a.f.T.
          Headmaster

          @Raumkraut, please define wireless

          > Before implanted heart monitors/defibrillators had wireless functionality, there were models which could be read and manipulated using a sensor placed against the skin

          So the sensor communicated with the heart monitor <what>erly?

          I am guessing it involved RF or induction, both of which generally lack strings of electrically conductive material. In fact the 10 year old code in the insulin shooter might be that same stuff just with a longer range wireless transceiver in it. No encryption over a 10cm range link = not a big problem; same protocol broadcast over 10m link = more of a problem.

          1. Anonymous Coward

            I guess it was induction; my wife used to fit them into people and had a large programmer (a highly modified, DOS-based laptop in a tough case) that communicated with the implanted device via a large wand placed over the patient's chest. The wand had a circular loop that, I imagine, was an induction coil. I believe it's all RF of some sort now, but she's out of that game and sticking new valves into folks via their arteries these days. Clever stuff.

    3. Stuart Elliott

      Why?

      Because it's easier to increase or decrease a person's automatic dose than cutting the person open.

    4. Benjamin 4
      Facepalm

      Sigh

      They don't need a wireless communication protocol. For all of the people saying it's easier than cutting the patient open you obviously don't understand what an insulin pump is and how it works, or are getting confused with the comparison to the hack on heart monitors.

      An insulin pump is an external device (as pictured), with a screen and buttons on it that can be directly controlled. It then has a cannula that goes into the body. It has wireless capabilities only because people are too lazy to enter the data once into it, and once into a computer database, or connect it via a cable to the computer.

      1. Anonymous Coward
        FAIL

        Re: Benjamin 4

        > It has wireless capabilities only because people are too lazy to enter the data once into it, and once into a computer database

        Once people are involved in the transfer of data then human error plays a part. Incorrect data can be entered into the insulin pump and incorrect data can be entered into the computer database.

        Oh, and one of the symptoms of type 1 diabetes is fatigue which means you are more likely to enter the incorrect data.

        1. Anonymous Coward

          Fatigue? Since when. Maybe when the blood sugar is so high that I'm in DKA and having a heart attack but otherwise I'd never have been able to get my clearance if 'fatigue' was going to affect my performance. Check your facts next time.

        2. Stoneshop
          FAIL

          And data entry is different when it's done wirelessly?

          > Once people are involved in the transfer of data then human error plays a part. Incorrect data can be entered into the insulin pump and incorrect data can be entered into the computer database.

          This is entirely unrelated to whatever transfer medium is used.

          FAIL yourself

    5. Ru
      Stop

      Are you all completely stupid?

      The control system of an insulin pump is *external*

      There must be an external component of the system *so it can be refilled with insulin*

      The only reason there is a radio control system is convenience. It could be done just as well with an interface on the control box (what, did you think that thing was actually stuck inside the patient? what on earth did you suppose the buttons were for?) or even a plug in control unit.

      There is absolutely no reason for any of these kind of drug delivery devices to have a radio control system. None.

      1. Tim Bergel

        There is a good reason for wireless

        "There is absolutely no reason for any of these kind of drug delivery devices to have a radio control system. None"

        Not quite. If you connect almost any sort of electronic equipment to a human for clinical purposes it has to undergo extraordinarily stringent safety tests to *prove* beyond almost any doubt that it cannot pass mains voltages through to the patient and thereby kill them. The pump assembly will have to be tested but as it is presumably battery powered that will not be quite so bad.

        If the controlling system connects to the pump assembly wirelessly the existence of a 1 meter+ air gap allows you to say 'it's safe' without any testing of the controlling PC. Which is a great advantage believe me.

        Not that any of this excuses the completely insecure link design - even 10 years ago.

        1. Iain
          Terminator

          IR

          Simples!

          A plug-in infrared LED/photodetector pair.

          (Well two pairs, if you want to communicate both ways)

    6. Stupidscript

      As a diabetic ...

      The reason for connectivity is to improve management of the disease. The reason for wireless is for the patient's comfort and convenience.

      Using a handheld device (not implanted), I take anywhere from 6 to 12 measurements of my blood's glucose level, each day. These implanted devices take measurements anywhere from once every 3 seconds to once every 3 minutes, or so.

      That's a LOT of data points.

      Using that data to chart a patient's glucose levels greatly improves the ability of both doctor and patient to visualize the progression of the disease and its treatment.

      Manually entering into spreadsheets the thousands of data points produced by implanted devices between consultations and then producing graphs from that data is prohibitively labor-intensive. We're talking about many, many hours, even days, of going through points, one by one, and manually typing the figures on a keyboard.

      Connectivity allows the use of vendor-supplied software to (a) gather the data points and then (b) create visualizations from that data. The handheld device I use includes infrared connectivity. Many others use Bluetooth (most popular) or some other protocol.

      Attaching a cable to one of these implanted devices is extremely uncomfortable, akin to sticking a syringe into your belly/back and then having someone pull it to the side for 5-10 minutes while the device and the computer handshake and get down to work. You don't want to do that.

      I do agree that security has been pretty much overlooked in these devices.

      And to those of you who wonder what could go wrong ... what the risk is ... well, I guess you don't know any kids, or any assholes. Some people just like to hurt other people. They don't need a reason ... just the fact that it can be done, and that someone will absolutely be hurt by it, is enough.

      1. John Smith 19 Gold badge
        WTF?

        @Stupidscript

        There's an old DDJ article about someone reading the serial protocol from their Insulin monitor that's more than 10 years old so the fact the *data* was available and (at least on some models) decodeable has been around for some time. IIRC they were reading the stream to do *exactly* what you are describing.

        But what I think surprises a *lot* of people (including me) is being able to *adjust* it as well.

        Snooping someone's insulin level is odd but *relatively* harmless but who designed in a way to dump the *whole* reservoir in one go? Override the change alarm?

        Either the control protocol is *very* low level (more or less bit twiddling) or someone has designed in a "remote homicide" function.

        Icon shows my surprise. Incorrect insulin levels can *kill* and US insulin pump companies should be very aware of this.

      2. Tom 13

        Thank-you for sharing your insights.

    7. Paul 87

      @cornz1

      This is so right! There was never a need to include this kind of connectivity but laziness won out. First came remote monitoring, so medical professionals didn't have to go near the patient to read the device, then came small changes to allow limited control and now we're here.

      If people had accepted that sometimes you have to get off your arse, this wouldn't be possible.

    8. JaitcH
      WTF?

      Have they never heard of inductive loops?

      A far better form of communication would be through inductive loop technology with a control loop needing to be placed on a patient's skin.

      The location could easily be defined by blood coloured tattooed dots.

      Next we'll be hearing of MURDER BY RADIO! Or CELL PHONE?

  3. jake Silver badge

    The mind boggles.

    This is like if corporations allowed all & sundry to access SCADA.

    Oh, wait ...

  4. Anonymous Coward

    Risk vs benefit

    I guess the calculation is that the benefit to life far outweighs the risk to life of leaving this vulnerability unchecked. Mind you, if the manufacturers don't come clean to all users about the risk, then I would have thought they'd be exposed to a massive lawsuit should anyone actually use this defect to attack someone.

    The operational model for this sort of thing ought to be 'remote monitoring at any distance you like (within reason), but remote control confined to a couple of feet range' - even for a properly secured device.

    1. Jedit Silver badge
      Boffin

      Benefit to life outweighs the risk?

      I really don't think so. I'm an insulin-dependent diabetic, and can tell you that there would be absolutely no benefit to my life in having one of these pumps implanted. In fact, given that I'd have to replace a 300-unit cartridge in my body every six days instead of in my pen injector, I'd say it would be a huge detriment to my life.

    2. The Indomitable Gall

      Risk/benefit

      You're forgetting the other option. USB. It's pretty damned difficult to plug someone's insulin pump into a USB port without them noticing. Wireless is not the only connection available to device manufacturers!

      1. Jedit Silver badge
        Coat

        USB option?

        A possible if unlikely circumstance may arise where I might want to get an insulin pump installed in my body, but I'll be shagged up the arse with a splintered broomstick before I get a USB port installed...

        1. Richard 12 Silver badge
          FAIL

          Insulin pumps are NOT implanted.

          They are a 'beltpack' which contains the insulin, pump, batteries and control electronics. It then delivers the insulin dose via a cannula needle.

          That's one reason why this is so unforgivable.

          An optical link similar to TOSLINK would give higher data rates than 900MHz radio and with trivial covers (black tape!) would require a proposed attacker to have physical access to the beltpack.

          But no, they went for radio and forgot that radio means you must assume *everybody* is an attacker, and that the attacker *will* listen in on all communications.

          The worst part is that it doesn't even take the attacker to be malicious. 900MHz is an ISM band, thus is used by any number of other devices. What if one of them happened to send data your device interpreted as "Inject lots", after a 'proper' controller did the handshake?

          You can't possibly test your device against every single 900MHz ISM device. You can't even test against all the other 900MHz devices that are likely to be in a hospital, let alone anywhere else.

        2. Annihilator
          Coat

          @jedit

          "I'll be shagged up the arse with a splintered broomstick before I get a USB port installed..."

          Let me guess... you're a firewire man..

        3. Stoneshop
          FAIL

          Right

          It's not installed *IN* your body.

    3. Tom 13

      That's probably more difficult than it sounds.

      Remember, people initially thought certain wi-fi stations had fairly short ranges until some hacker stuck a Pringles(tm) can around them and beefed up reception to a couple multiples of the vendor designed range.

  5. petur
    FAIL

    worse....

    it should never accept commands that are lethal. I've done work for a well known medical company in the past, and I was amazed by the amount of security checks in the firmware, no way you could give it a command that would be fatal. Injuries, yes, but it would catch any typo of a nurse...

    1. Anonymous Coward

      > no way you could give it a command that would be fatal.

      Until some hacker comes along and finds out that if you do this, this and this whilst sticking a finger up your nose it bypasses the security. At which point the original system designers slap themselves on the head and say "I never even considered that!"

    2. FordPrefect
      FAIL

      Problem is it's not as simple as deciding which command will kill someone. As a diabetic on insulin I use very small amounts of units, between 20-30. I have a friend who is type 2 and he uses hundreds of units a day. Some people will use more than 10 times the number of units of insulin per meal that I use. Their dose could easily be fatal to me. My dose would have next to no effect on them.

      For those that don't understand how you use an insulin pump, the number of units pumped wouldn't normally be static; normally it would be based on a profile of the food you are eating and the total amount of carbohydrate in the food. There is a need to be able to control the device on the move. Using no encryption, though, is very silly; I would expect, if it was wireless, to use something akin to a VPN where encryption keys are changed regularly.

  6. Semaj
    Thumb Down

    Old News

    OK, am I getting déjà vu or didn't the Reg already do this story earlier in the year?

    1. Usually Right or Wrong

      They did, but...

      Barnaby Jack had not been on the case, so the conclusion was that you needed physical access to the device to get the serial number, so the risk was relatively low.

      Now it has been revealed that these devices will transmit their serial numbers, so the stakes are higher. The serial number will be used to confirm that the patient and device are the same as the medical records before adjustments are made, a requirement for medical safety, but it seems implemented with insecure protocols.

    2. AdamT

      They actually mention that in the 3rd paragraph (and provide a handy clickable link). And point out that this research builds on that research so now he doesn't need to know the serial number of the device in advance and he can carry out the attack from significantly further away ...

      1. Semaj

        Ah fair enough, I'm not going mad then. Ta.

    3. Anders Halling
      Thumb Down

      No

      Not old news, the last article about this was pooh-poohed by the manufacturer because you had to know the serial number of the targeted device and the device would alert the user that something was going on. There are so many easier ways to kill someone so that possibility just wasn't very feasible. But this new vuln that makes the device respond to some sort of broadcast with its own serial number, and makes it possible to override the warning and control mechanisms, makes the vulnerability several orders of magnitude more serious and is definitely worthy of a follow-up article.

  7. Psiren
    Stop

    I have one of these pumps...

    I have one of these pumps, and frankly I'm not going to lose any sleep over it. If someone wants to kill me, there are far easier ways than this. Yes, it's a flaw that should be fixed, but in my opinion the security researcher is making this out to be a bigger issue than it really is.

    And for those asking above, the wireless capability is to allow a small controller to manage the device. Frankly I've never seen much need for it myself, as I use the pump directly, so I never enabled the wireless facility. Note, the device isn't inside the body, as some people seem to think!

    1. Sir Runcible Spoon

      Sir

      "If someone wants to kill me, there are far easier ways than this."

      If I had a device in my body that was capable of killing me, I wouldn't be worried about hackers either.

      I'd be more worried about a software bug in the system.

  8. This post has been deleted by its author

  9. This post has been deleted by its author

    1. J Munro

      No, that is correct. They are talking about insulin levels, but I think that you are thinking from the perspective of blood sugar levels. When insulin is too low, blood sugar levels rise, leading to hyperglycemia. When insulin is too high, blood sugar levels drop, leading to hypoglycemia. Excessively high insulin levels (as in the case of the attack in question) could lead to a fatal case of hypoglycemia.

    2. Allan 1

      No, they got it right.

      Low blood sugar is called a hypo, or hypoglycaemia.

      High blood sugar is a hyper, hyperglycaemia.

      A hypo is more dangerous than a hyper.

      Also, slow news day? I seem to recall this very same story being reported earlier on this year. Along with a statement from the company admitting the vulnerability but saying there's no evidence of the attack ever being performed, so they weren't going to action it.

    3. Robin Phillips

      Nope. Hypoglycaemia is low sugar, hyperglycaemia is high sugar.

    4. Anonymous Coward

      nope

      It's just worded confusingly: when *insulin* levels are too high, there's a risk of hypoglycaemia (low blood sugar); when *insulin* levels are too low there's a risk of hyperglycaemia (high blood sugar) - it's a little bit more complicated than that, but that's the gist (btw, insulin dependent diabetic here... but I don't have a pump, oo-err missus)

    5. Andy Fletcher

      No, it's correct...

      ...but not worded particularly clearly. Too much insulin = low blood sugar levels which can result in hypoglycemia. Not enough insulin = high blood sugar levels which leads to hyperglycemia. It's not as simple as that though unfortunately as activity is a huge factor in sugar levels. A type one diabetic can suffer either hyper or hypoglycemia without having made any change to their usual dose of insulin. My son's a keen sportsman and type 1 diabetic.

      I've never understood why two opposing descriptions of blood sugar levels have names that sound almost completely the same. In our house we don't tend to use them - "high" or "low" make much more sense.

      On the topic of the article, we've looked into pumps. I'm really uncomfortable with the idea of a device deciding on insulin dosage, when it contains enough to be lethal. The article, on top of the fear I already have, implies human error could send the device an incorrect (lethal) instruction. I don't want to be hearing that apology from my GP.

  10. Anonymous Coward

    I fail to believe that there is no software sanity checking on the receiving unit, or other physical interlocks built into the pump itself to prevent lethal doses being administered. Didn't software engineers learn anything from the Therac-25? A safety-of-life system should never be totally reliant on a single software component to function correctly. What if a bug in the unit (rather than a hack) sent or parsed a 'deliver insulin' message in an infinite loop? Or the owner mashed the button repeatedly cos he left it in a trouser pocket? The mind boggles if this story is true.

    1. Oninoshiko
      FAIL

      as has been pointed out by others, this isn't like radiation exposure, where we all have a similar limit. The limit for any individual is variable, dependent on their type and degree of diabetes.

      Therapeutic for one person is fatal for another.
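The device-side checks petur, FordPrefect and Oninoshiko are arguing for (a pump that refuses any dose outside that individual patient's envelope, and a radio link that only acts on authenticated, non-replayed commands, as Richard 12 also asks), as an added example that is not from the original thread, from Medtronic, or from any real pump's firmware. The wire layout, field names, pairing key and dose figures are all constructed for illustration.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed wire layout for illustration only (not any real pump's protocol):
#   serial      8 bytes   pump the command is addressed to
#   counter     4 bytes   strictly increasing, so a captured frame cannot be replayed
#   units_x100  4 bytes   bolus in hundredths of a unit
#   tag        32 bytes   HMAC-SHA256 over the 16 header bytes, keyed with the pairing secret
HEADER = struct.Struct(">8sII")
TAG_LEN = 32
MSG_LEN = HEADER.size + TAG_LEN  # 48 bytes


@dataclass
class PatientProfile:
    """Clinician-set envelope: the same dose is routine for one patient and lethal for another."""
    max_single_bolus: float  # units accepted in one command
    max_daily: float         # units accepted per day (a plain running total here)
    reservoir: float         # units physically left in the cartridge


@dataclass
class Pump:
    serial: bytes
    key: bytes               # pairing secret shared only with the one paired controller
    profile: PatientProfile
    last_counter: int = 0
    delivered_today: float = 0.0

    def validate_bolus(self, msg: bytes) -> tuple:
        """Return (accepted, reason). Any rejection leaves pump state untouched."""
        if len(msg) != MSG_LEN:
            return False, "malformed length"
        header, tag = msg[:HEADER.size], msg[HEADER.size:]
        # Authenticate before looking at any field: a stray ISM-band frame or an
        # unpaired transmitter must never reach the dosing logic at all.
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad authentication tag"
        serial, counter, units_x100 = HEADER.unpack(header)
        if serial != self.serial:
            return False, "addressed to another pump"
        if counter <= self.last_counter:
            return False, "replayed or stale counter"
        units = units_x100 / 100.0
        p = self.profile
        if units <= 0:
            return False, "non-positive dose"
        if units > p.max_single_bolus:
            return False, "exceeds per-patient single-bolus ceiling"
        if self.delivered_today + units > p.max_daily:
            return False, "exceeds per-patient daily ceiling"
        if units > p.reservoir:
            return False, "exceeds reservoir"
        # Every check passed; only now commit state and deliver.
        self.last_counter = counter
        self.delivered_today += units
        p.reservoir -= units
        return True, "delivering %.2f U" % units


def build_bolus_command(key: bytes, serial: bytes, counter: int, units: float) -> bytes:
    """What the legitimately paired controller sends; included so the validator can be exercised."""
    header = HEADER.pack(serial, counter, int(round(units * 100)))
    return header + hmac.new(key, header, hashlib.sha256).digest()


def demo() -> dict:
    """The same 25 U command against two patient envelopes, then a replay, a tampered
    frame and a 'dump the reservoir' request against the larger envelope."""
    key = bytes(32)  # constructed pairing secret; a real pump would get one per pairing
    small = Pump(b"PUMP0001", key, PatientProfile(max_single_bolus=8, max_daily=30, reservoir=180))
    large = Pump(b"PUMP0002", key, PatientProfile(max_single_bolus=40, max_daily=300, reservoir=300))
    out = {}
    out["small_25u"] = small.validate_bolus(build_bolus_command(key, small.serial, 1, 25))
    cmd = build_bolus_command(key, large.serial, 1, 25)
    out["large_25u"] = large.validate_bolus(cmd)
    out["large_replay"] = large.validate_bolus(cmd)       # identical frame heard again
    tampered = bytearray(build_bolus_command(key, large.serial, 2, 5))
    tampered[15] ^= 0x10                                   # units field altered, tag now stale
    out["large_tampered"] = large.validate_bolus(bytes(tampered))
    out["large_dump"] = large.validate_bolus(build_bolus_command(key, large.serial, 2, 275))
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The 25 U frame is accepted for the second envelope and refused for the first, which is FordPrefect's point: the limit has to live on the pump, per patient, not in the command set.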

  11. Ru
    Facepalm

    "the benefits of the therapy outweigh the risk of an individual criminal attack"

    Well, the benefits of taking insulin outweigh the risks of someone using your new killswitch functionality, that much I'll agree with. Insulin pumps are pretty good, especially if you're less than brilliant at dosing yourself with insulin effectively.

    But exactly what are the benefits of using a radio control system, again? Perhaps the 900MHz radiation makes the insulin more effective, hmm?

  12. Anonymous Coward

    Why is everyone so keen to cut diabetics open to change the dose? The pumps are worn on the outside and are connected to user via a cannula.

    The main reason for the wireless commands I would guess would be for a glucose sensor on another part of the body to send the pump readings so it can administer the correct amount of insulin.

  13. adamd

    Facts from a Medtronic User

    My wife has one of these pumps - a Medtronic 719. Her life depends on it, and trust me, diabetes is not fun to have. Some of the comments are not very helpful, even offensive, implying that the wireless is there just to save some time getting data out.

    The facts: The wireless feature does help to get data out of the device which helps with setting the dosage curve (annoyingly you need a PC with IE and Java), but more importantly the wireless feature is used to help regulate the insulin intake, more or less continuously. An electronic strip tester can take the blood-sugar level from a pin-prick of blood and send the level to the pump - this can happen up to 10 times a day. Another device which my wife has been piloting has a sensor that sits in the skin, and continually measures the sugar level, again radioing in the numbers only this time every few minutes. This gets the whole setup to something like an artificial pancreas, which if you think about it, is pretty cool.

    The downside is that the pump is plumbed into your body. You wear it under clothes - and the wireless trick is useful as it helps you lead a more normal life.

    Actually I tried to read data from the Medtronic device myself - the fact that it can't be read from a Mac is not in my mind a helpful feature, so earlier this year I tried to set up a 900MHz radio to read from it, or to intercept the USB dongle, so I could get the data out and plot it on graphs. At the time I thought this could be a vulnerability, but because I couldn't make it work I gave up and thought no more of it.

    It's a serious point about the hacking, glad it's been brought to life. As more of us get to outsource our body functions to machines, we had better make sure they can't be slipped a 'virtual mickey'.

    1. Oninoshiko
      Thumb Up

      Wow, the skin sensors will be a huge improvement in quality of life. I hope they test well.

      The security vulns in this need fixed, and quickly.

  14. dave 76
    Boffin

    Why wireless

    There are three purposes for the wireless functionality:

    - enable a glucose sensor to communicate levels to the pump

    - enable details to be uploaded to a PC for analysis of trends

    - enable the use of a remote control so that parents can lock their children's pumps so they cannot adjust them.

    Most diabetics manage their own levels and do not rely on someone else adjusting the settings. However pumps are also used by young children and it is not appropriate for them to make their own adjustments. So there is a remote control option to allow the pump controls to be locked and the parent to deliver the bolus using the remote.

    1. Anonymous Coward

      @ dave 76 - Glad you brought

      the "think of the children" factor into our discussion. This will definitely help silence those pesky critics.

  15. dr2chase

    You could wrap it in a tinfoil hat

    I did some noodling around years ago with a mylar snack bag and a cell phone and a prox card. There's no cell signal inside that bag, and the prox card wasn't seen by readers. If you were worried about your insulin pump or your passport or what have you being hacked by evildoers, just recycle one of those bags.

  16. Anonymous Dutch Coward
    Mushroom

    FDA & co asleep at the wheel?

    Presumably devices such as these that dispense medication to a patient fall under some regulatory oversight/approval process....

    Shouldn't the incompetents in question have reviewed the security of the methods used to instruct the device to dispense said medication before approving the device?

    I'd rather fire/do other nasty things to a few regulators and fine the producer a large amount of cash (some amount they actually care about) than blame the poor firmware programmers (as mentioned above).

    1. Anonymous Coward
      Anonymous Coward

      @Anonymous Ditch Coward - In case you didn't figure out yourself

      incompetents cannot monitor incompetents

  17. JDX Gold badge

    The medical industry is risk-averse to a level approaching severe paranoia. Medical companies don't just decide "hey it'd be cool to make it wireless" - that would have to go through trials and get approval from bodies such as FDA before being allowed, and that means the usefulness had to be proved.

    This does make for a great CSI episode; however a recall is quite likely in my view... or scheduling patients to get a new device next check-up.

  18. manyspendidgeek
    Meh

    Suddenly rather relieved...

    That NHS Scotland doesn't have the money to supply pumps.

  19. Anonymous Coward
    Anonymous Coward

    Cripes--the $200 remote engine start fob has more security.

    1. John Smith 19 Gold badge
      Thumb Up

      AC@13:45

      "Cripes--the $200 remote engine start fob has more security."

      On this showing it does.

  20. brainbone
    Stop

    For those wondering why the pump is wireless...

    Its main reason is so the device can communicate wirelessly with its optional continuous blood glucose monitor (CGM) -- AKA "the cybernetic wood tick". Downloading pump history, etc., was secondary, since that could have been done over a wired port -- however, since the wireless ability was now there for CGM, why not just use it for everything?

    Newer versions of the pump will eventually use this configuration to allow it to automatically decide the dosage to give you based on the predicted values from the CGM (from what I understand, human trials are underway) -- however, unless they also integrate a glucagon pump (in addition to their lack of insulin, type 1 diabetics also don't produce glucagon, hence their susceptibility to hypoglycemia), you won't catch this type 1 using one.

  21. Anonymous Coward
    Anonymous Coward

    er just no

    I'm a diabetic, and I've long since pondered if I would let the average incompetent write embedded firmware to go inside me. And the answer after working in IT for years is NO! Not until it's been tested and on the market for years...

    And the attitude of the company "the risks outweigh the benefits" er yes I'm sure they do. But a pump without a remote injection exploit would deliver benefits without those risks. Not a good answer. Not the correct answer.

    Two thoughts, firstly get someone involved who understands security and has a bent for doing things the "wrong" way. Hell, get it pen tested formally, there's lots of companies fairly good at this sort of thing who will contract and come in and test embedded firmware. It's part of actually designing something for the real world and should be factored into the cost of development, even if it does eat slightly into the costs of your big fat medi company profits.

    Secondly all the people saying they'd stick it in themselves knowing this was possible, how's your hosting server doing? p0wn3d this week? go ahead, you might find more than a downed server if some evil pixie happens to be in a train station in central London or something for a few hours just for the craic of it (and that's what drives some bad people). And you know what, nobody would ever think to put you hypo'ing out an hour later in that same train station walking past some evil beggar running exploit code on a hidden lappy or droid phone...

    In fact, do it, thin the herd a bit if you're that hard of thinking.

    It's in all of our interests to cause so much noise to this manufacturer, that every other developer of medical embedded devices takes note, and starts doing due diligence properly. Not just accept sloppy work like sheep.

    1. brainbone
      Facepalm

      Stay calm...

      While it's a serious issue, and needs to be fixed -- any type 1 that isn't in tune enough with their condition to know when they're dropping fast and need sugar is probably already at high risk of death, sans the exploitable pump.

      Sure, you'll need a great amount of sugar, a glucagon injection, and are going to feel sick as hell in the end -- but you'll survive it, just like you always do.

      Also, note that the pump can't exhaust the full reservoir all that quickly. You'll probably start feeling it before it completes, not just as hypoglycemia, but as pain in the infusion site from the prolonged injection. In addition, 150 to 300 units, depending on the reservoir you have, is the worst case. The exploit would have to take place immediately after your 3 day refill for you to have a chance of getting the full dose.

      In short: yes, it needs to be fixed quickly -- but let's not overreact.

  22. vincent himpe

    stuxnet for insulin pumps ?

    you have got to be kidding me...

    even 10 years ago leaving a life critical system unencrypted is blatant stupidity...

    It can be easily solved: only accept incoming transmissions provided a button is physically held down on the device. Like enter a special menu, then select option 'enable receive' and keep holding the 'ok' button. If you let go of the button the link is terminated.

    problem solved.

    hardware mechanisms require physical access to the device.

    1. brainbone

      Not if you want to use a CGM...

      "only accept incoming transmissions provided a button is physically held down on the device"

      The pumps in question use wireless to communicate with Continuous Glucose Monitors (CGM). While a link with the CGM should be much more secure than it currently is, having to hold a button down every 15 minutes to get a reading kinda defeats the purpose of the CGM and isn't the correct path to take for security.

  23. Anonymous Coward
    Anonymous Coward

    Point missed?

    What no one seems to have cottoned onto is that a terrorist could have a great deal of 'fun' taking this exploit for a drive, and could wipe out a city of diabetics before anyone joins the dots.

    It is vital that this security hole is fixed ASAP, and that all designers are taught to consider security before, during and after any code is written.

    I would expect the manufacturers and users to be a damned sight more concerned than they appear to be!

    1. FordPrefect

      Seriously AC 20:36 the number of insulin pump users even in the US is fairly low in comparison to the rest of society; a terrorist could drive around all day given the ranges needed to find someone to kill. I'm not saying this isn't a potential problem and it should definitely be fixed at Medtronic's expense but please try to get some perspective here. Additionally as a planned murder tool the target would a) have to be an insulin controlled diabetic with one of these devices b) you would have to know point a and c) the person would have to have enough insulin in their pump to make it a fatal dose at the time you choose to strike.

      I would be far more worried about contaminated insulin or getting hit by a bus than this scenario.

  24. Anonymous Coward
    Devil

    For those saying that there are other ways to kill people.....

    There have always been other ways to kill people. If you really want to do someone in you can walk up to them and bash their head in with a rock. However, that tends to generate lots of witnesses and evidence. You can get more sophisticated and use a high-powered rifle with a silencer and an exploding bullet, but that takes a lot of skill and can generate witnesses and evidence too.

    However, if you can get a hacker to give you the necessary gear, you can readily kill someone with one of these insulin pumps, and nobody is going to suspect you because you were in the next room or sitting at a nearby table when it happened.

    So, are we going to have an outbreak of assassinations of diabetics--no. But if someone wanted to get rid of their diabetic spouse/business partner/public official without leaving fingerprints or suspicion, it could be done. If enough money was at stake, you could even use this hack to sabotage a diabetic business rivals health just enough that he stays home sick and misses a big business deal of some kind.

    1. Cameron Colley

      I mentioned something like this last time it was brought up.

      Surely it wouldn't be that hard to dose a business rival while they slept so that they performed worse in the morning, for example?

      Also, the fact you don't have to ever touch anything that will be at the crime scene or get in any way close to the victim must make this an easier option for getting even on a diabetic love rival, for example, than punching them in the face?

      To me this is just another version of using an unsecured wireless network to plant something on someone's PC -- it's probably not going to be that common but I'm sure that it's easy enough that someone will do it.

  25. Unicornpiss
    WTF?

    It's just sad

    That the world is such a f'd up place these days that you need to worry about someone Pwn!ng your medical device, and that they might frivolously decide to screw with the settings. It's depressing that anyone would even think of exploiting this.

    1. John Smith 19 Gold badge
      Meh

      @Unicornpiss

      "It's depressing that anyone would even think of exploiting this."

      Welcome to planet Earth.

      We are the human race.

      Some of us are pretty bad. Some of us are pretty good. Most of us are somewhere in between.

  26. Anonymous Coward
    Anonymous Coward

    This is all very theoretical

    Honestly... the risk here is mainly theoretical. I fail to accept that there would be very many people motivated to kill a person using an insulin pump anyway, but there are a number of reasons why it remains quite implausible to do on a large scale.

    To clear up some misconceptions: there are user-enabled security measures on these pumps (I've been using pumps from various manufacturers for over a decade). The simplest one is not filling your pump overly full if you don't use much insulin. A 300 unit dose to someone who uses 20 units a day is a lot more serious than to someone who uses 100+ units per day. There are also settings on the pump which allow you to restrict the maximum dose that can be delivered in a single go. There is nothing in this article that mentions overriding that setting.

    Finally, on a very practical note, Medtronic insulin pumps deliver insulin boluses at a maximum rate of 1.5 units per minute. Assuming that you had just filled your pump up to 300 units, failed to set the maximum bolus limit and then encountered a person with both the skills and motive to attack your pump, it would take 200 minutes for the full 300 units to be delivered. To not notice this happening, you'd most likely have to be asleep, as most patients will use or check their insulin pump more frequently than that.

    Others have covered the reasons why radio frequency is used, but it's also worth noting that USB or their direct cable interfaces are not used because they compromise the integrity of the casing. Failure of the pump through moisture ingress is much more likely than the implausible hacking scenarios I've just outlined.
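The "hold a button to receive" idea and the objection that a CGM sends a reading every 15 minutes, together with the max-bolus setting and the 1.5 U/min delivery rate quoted above, can be put into one small policy model. This is an added illustration, not Medtronic firmware or any vendor's protocol: the message format, the `button_held` flag and the rate constant are assumptions taken from the comments, and the point is that read-only telemetry and therapy-changing commands need different treatment.

```python
# Toy model of a pump's radio command policy (added illustration; the message
# format and all field names are invented for this example).
from dataclasses import dataclass, field
from typing import Optional, List, Tuple

# Bolus delivery rate quoted by a commenter above (1.5 U/min); treated as an
# assumption here, not a verified specification.
BOLUS_RATE_U_PER_MIN = 1.5


@dataclass
class Pump:
    reservoir_units: float
    max_bolus_units: float             # user-set cap on a single bolus
    button_held: bool = False          # hypothetical physical "enable receive" control
    glucose_mg_dl: Optional[float] = None
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def handle(self, msg: dict) -> str:
        """Apply one inbound radio message under the policy and return a result."""
        kind = msg.get("kind", "")
        # A CGM reading only updates a displayed value and can never change
        # therapy, so it is accepted without the button (the CGM objection).
        if kind == "cgm_reading":
            self.glucose_mg_dl = float(msg["mg_dl"])
            return "ok: reading stored"
        # Anything that can alter therapy, including raising the cap itself,
        # is only accepted while the physical button is held (the proposal).
        if not self.button_held:
            self.log.append(("rejected", kind, "button not held"))
            return "rejected: button not held"
        if kind == "set_max_bolus":
            self.max_bolus_units = float(msg["units"])
            return "ok: max bolus set"
        if kind == "bolus":
            units = float(msg["units"])
            if units <= 0 or units > self.max_bolus_units:
                self.log.append(("rejected", kind, "exceeds max bolus"))
                return "rejected: exceeds max bolus"
            units = min(units, self.reservoir_units)   # cannot deliver more than is loaded
            self.reservoir_units -= units
            minutes = units / BOLUS_RATE_U_PER_MIN
            return f"ok: {units:g} U over {minutes:g} min"
        self.log.append(("rejected", kind, "unknown command"))
        return "rejected: unknown command"


def minutes_to_empty(reservoir_units: float) -> float:
    """Time to deliver a whole reservoir at the assumed maximum rate (300 U -> 200 min)."""
    return reservoir_units / BOLUS_RATE_U_PER_MIN


if __name__ == "__main__":
    # Constructed walk-through: a full 300 U reservoir with a 10 U bolus cap.
    pump = Pump(reservoir_units=300.0, max_bolus_units=10.0)
    print(pump.handle({"kind": "cgm_reading", "mg_dl": 95}))   # accepted, no button
    print(pump.handle({"kind": "bolus", "units": 300}))        # rejected, no button
    pump.button_held = True
    print(pump.handle({"kind": "bolus", "units": 300}))        # rejected, over cap
    print(pump.handle({"kind": "bolus", "units": 6}))          # ok: 6 U over 4 min
    print(minutes_to_empty(300.0))                              # 200.0
```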

  27. Anonymous Coward
    Anonymous Coward

    unwarranted hysteria

    All medical devices are regulated in Europe under the medical device directive and in the US by the FDA, and software is an increasing focus of the regulators. The regulation is risk based and if a fault in the software can kill then it falls into the highest category of regulation: 'serious concern' in the US or 'class C' in the EU.

    In the design of a device you are required to consider user errors and foreseeable misuse of the device but you are not required to consider deliberate abuse of the device. The reason for this is it is impossible to design devices, particularly medical devices, which are safe if someone is actively trying to use them to cause harm. In the case of an infusion pump such as the device mentioned someone can contaminate the medication, load the wrong medication or request too high or too low a dose; none of these things require a wireless connection. Someone could simply steal the control unit, password or other authorisation mechanism required to control it, so even if there was no wireless vulnerability there are many ways it can be used to kill.

    The device must be designed to prevent accidental or corrupted commands being actioned. If it was required that medical devices were safe even when attacked by technically sophisticated people who aimed to cause harm then I do not think we would have any medical devices approved at all.

    The reason that people are not constantly murdered using medical devices is because in society as a whole deliberate murder is rare. If someone technically sophisticated and dedicated enough to kill someone via hacking a wireless infusion pump wanted to kill someone there is a good chance they will do so whatever level of communication link security is provided.

    1. John Smith 19 Gold badge
      WTF?

      AC@15:44

      "The device must be designed to prevent accidental or corrupted commands being actioned. If it was required that medical devices were safe even when attacked by technically sophisticated people who aimed to cause harm then I do not think we would have any medical devices approved at all."

      IOW because there are so many *other* ways to mess with this sort of product it is categorically *not* the mfg's fault that this was not allowed for.

      That must make users feel so much *better*.

  28. JDX Gold badge

    re: theoretical

    Yes - but what if some famous/influential person has one. Specific targets could be more worried about someone only having to loiter outside the entrance to their workplace.

  29. yomchi86
    Mushroom

    Hurrah

    Glad I made the choice to stay on the "Old Fashioned" 4 injections a day. I know pumps work for a lot of people but for someone like me who engages in a lot of physical activity including martial arts it's just not practical. I can use this latest "wireless hack" as yet another reason when the docs try to force me onto the pump!!

  30. John Smith 19 Gold badge

    Let's recap

    Some insulin pumps (which are *not* implanted but can be worn under clothes) can report their insulin usage by a wireless link, which is more frequent and can update the monitoring database without human error.

    But the app is coded in Java and needs Internet Explorer, although no one knows why.

    But the link is not line of sight, does not require user authorisation (like inserting a tag) and uses the unlicensed radio band at 900MHz.

    It allows remote adjustment of flow rate and pump activation possibly because *some* users are children (whose insulin needs presumably vary too wildly to be adjusted any other way). This *might* explain why the alarm and vibration warnings can be shut off (too distracting for the little darlings) and *some* users might have a wireless insulin monitor (from the same company?) which could update pump settings.

    Maximum flow rate on the pump would require 200 (c3 hours) mins to dump the whole reservoir. If you wear it while asleep or while driving you might not notice it or be unable to do something about it. So do diabetics wear them to sleep?

    Insulin tolerance amongst diabetics varies by an order of magnitude.

    This product has been on the market since at least 2006 and possibly as early as 2001 which predates Stuxnet but not the case of the radiation machine whose faulty software dosed patients with 10x the set dose, and a few other cases of embedded systems working incorrectly.

    European rules appear to say that since there are so many other ways to tamper with the insulin supply the mfg have a get out of jail free card.

    The combination of security-by-obscurity (*despite* the fatal consequences to patients *if* someone tampers with the product) coupled with the circular logic of only-trusted-devices-will-update-the-settings-because-only-trusted-devices-know-how makes this a crime waiting to happen (it would *not* be an accident), always assuming it has not *already* happened.

    BTW I first read about "artificial pancreas" research using pumps and an optical sensor in the late 1970's. It needed blood vessels *very* close to the surface to get a clear reading so you had to "kiss" it. Not really convenient for an update rate of every 10 mins.

    Despite *huge* advances in MEMS, DSP, stem cell and genetic modification we still seem no closer now than we did then to dealing with Type 1 diabetes. Type 2's best bet seems to be trying to stay on a 900Kcal/day diet to shock their cells back into insulin production and reception.

  31. John Robson Silver badge

    Recall???

    Not until they can do something about it.

    Unscrew the antenna maybe (I know it would probably require a scalpel)

    When this code was written was what 10 years ago?

    2001 - No one thought of security? I doubt it, they just thought "!windows == !vulnerable"

  32. Anonymous Coward
    Anonymous Coward

    Pumps need to communicate

    I built an interface to my company's pumps, not the interface in the pump. Pumps need to talk to systems for software changes and to report data back to monitoring systems.

    Most of our customers (hospitals) demand wireless interfaces and that is the way the industry is going, at the moment most of our kit is wired and does have basic encryption enabled by default.

  33. Robin Phillips

    Not concerned

    OK, so my insulin pump happens to not be wireless. But even if it was it's not really something to be worried about. It's not an attack that could be targeted at you specifically, unless they are just going to go and sit in a crowded space and see who they can make drop to the floor from an insulin overdose. They have no way of knowing that I am diabetic from 300ft away, or even 2ft away, unless I tell them I'm wearing an insulin pump. And if someone is sat in front of me with a laptop and fancy antenna and starts asking about what kind of insulin pump I'm using... I'll just walk away and the problem is solved.

    A large dose of insulin is dangerous, but it's far less dangerous to an insulin dependent diabetic than it is to a "regular" person. I'll certainly feel it if my pump suddenly starts trying to send 300 units into me (the max my pump ever has in it is about 180u), then just unplug the cannula and start downing bottles of Lucozade. Not a fun result, but not fatal.

  34. DocJames
    Boffin

    a doctor writes...

    CGM is handy, although many with T1DM and pumps manage without. CGM sensors are of course attached to the same person (although some patients constantly surprise), so a limited range is required.

    Medical devices may go through "extensive testing", but this is limited when compared with drugs. I'm also sceptical that the device testing people are sufficiently up on IT and embedded software to understand that if a device is hacked, it can do things it's not been programmed to do.

    Finally (at the risk of the wrath of those with pumps, and their doctors) pumps are no better at controlling diabetes than multiple daily injections (a basal bolus regimen), in terms of outcomes (death, complications, hospital admissions). They are much better in terms of flexibility, and given they are still fairly new, I *think* that they will improve and become better in the future. This is not certain. The companies that make pumps of course wish world+dog to believe that they are perfection (whilst enjoying their cheap razor/expensive razor blade economic model).
