Insulin pump attack prompts call for federal probe

The hack of a commercially available insulin pump that diabetics can control wirelessly has attracted the attention of US lawmakers who oversee the safety of the nation's airwaves. In a letter drafted earlier this week, US Representatives Anna Eshoo and Edward Markey asked members of the Government Accountability Office to …

COMMENTS

This topic is closed for new posts.
  1. Bango Skank
    WTF?

    Holy Crap Batman, why can't I feel Muh Legs?

    Bloody hellfire, hackable insulin pumps and pacemakers, remotely startable cars, Iranian Nuclear reactors - Whatever next?

    Sounds like something out of an Agatha Christie mystery, only real.

  2. Anonymous Coward
    Stop

    fix the damn thing....

    “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

    The fact that you can in a lab means that it's possible to do it outside a lab.... the fact that it's possible to do it at all means it needs fixing....

  3. Anonymous Coward
    Anonymous Coward

    Ah

    “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

    So that's ok then. Bury your head in the sand because "It can't happen to you" (TM)

    1. AndyS

      title

      Not that it can't, just that it hasn't yet.

      1. Chris 3
        Facepalm

        Not that it hasn't happened yet...

        ... just that it hasn't happened to "their knowledge". Of course, it's not quite clear how they would have known about it *had* it happened, given that it was a risk they were unaware of and weren't looking for.

    2. Voland's right hand Silver badge

      So why do you think that the attacked will be able to report it?

      Driver with an insulin pump, vehicle, 70 mph. Pump blasts a lethal dose into the blood flow.

      Nuff said.

      1. Keiron
        WTF?

        Someone needs edumacating...

        "Driver with an insulin pump, vehicle, 70 mph. Pump blasts a lethal dose into the blood flow.

        Nuff said."

        Obviously someone who doesn't know much about diabetes or insulin pumps but... the effects of insulin being pumped into the body are not instantaneous, at least not in the case of available insulin that's on the market, they take a while to do anything and generally you do feel the effects coming on. It would be more dangerous for someone say in charge of a plane...

        1. ArmanX
          Flame

          I was thinking more of heads-of-state...

          Don't like your current representative? Hey, we've got a sure fire way to kill him untraceably! Turns out, all you need to do is send him into a diabetic coma - and the best thing is, you only need to get within WIFI range!

  4. 404
    Alert

    Lawyerspeak

    “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide"

    Anyone who did die from their devices getting messed with, is in fact dead, has already had the insurance collected on, and we would rather not talk about it, k? CSI couldn't solve it, neither can you.

    Lord Have Mercy!

    8|

  5. Oninoshiko
    WTF?

    only done by the "good guys" in the lab?

    I'm supposed to feel better about that?

  6. Christoph
    Boffin

    No reports

    "there has never been a single reported incident "

    Nobody has reported being killed by this?

    And exactly how would they know that it had happened? A diabetic feels ill, or their sugar levels vary unexpectedly, or they drop dead - does anyone check their insulin pump? And would there be any evidence left behind, especially if the attacker set it back to normal levels again later?

    1. Keiron
      WTF?

      Another bit of edumacation needed...

      ""there has never been a single reported incident "

      Nobody has reported being killed by this?

      And exactly how would they know that it had happened? A diabetic feels ill, or their sugar levels vary unexpectedly, or they drop dead - does anyone check their insulin pump? And would there be any evidence left behind, especially if the attacker set it back to normal levels again later?"

      The pumps keep account of bolus injections that are extra to the basal ones...

      Yes you have to check your pump, otherwise how would you change the insulin and cannula every three days? (If you didn't it would run out and you'd be in serious trouble)

      Yes there would be evidence left behind, the insulin takes at least an hour on the quickest types to dissipate and also blood levels would differ to normal, and I would hazard a guess at there being ways of finding out what blood sugar levels were from HBA1C tests.

  7. Havin_it
    Coat

    Why, with technology like this...

    Claus Von Bülow could have murdered his wife and escaped jail. Oh, wait...

    1. John Smith 19 Gold badge
      Happy

      @Havin_it

      No. that should have read

      Claus Von Bülow could have murdered his wife and escaped jail cheaply.

  8. JeffyPooh
    FAIL

    Medtronic - "To our knowledge..."

    <- Utter.

    Good grief. Don't you just want to smack Mr. Medtronic upside the head?

    There are actually tree stumps with more common sense.

  9. Anonymous Coward
    Facepalm

    "Titanic" mindset

    “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

    No right, just like there was never a plane hijacked until someone first hijacked one. That someone manufacturing devices on which lives depend still lives in such a well padded cloud cuckoo land should be a major cause for concern to the regulators and users of such devices, although the inevitable US supersize lawsuit that would result would certainly put paid to any lingering smugness manufacturers may still be harbouring.

    As a successful security model, pretending it won't happen to you died the death a long time ago, even for manufacturers of medical devices and voting machines.

    1. JimC

      Oh good grief people, live in the real world...

      In these days of spin and image and scum sucking lawyers everywhere would you really expect a press release on the lines of "We're kakking our pants over this and the boys in the lab are desperately working on a fix..."

      That sort of press release tells you exactly nothing about what the company's response to any possible vulnerability is because there are exactly no circumstances in which they'd say anything different.

      1. kissingthecarpet
        Stop

        No

        They could say, "there was a possible vulnerability, but we've already fixed it as part of a routine security review" or something

        1. Anonymous Coward
          Anonymous Coward

          No such thing as a routine security review

          On a device that actually injects insulin, any change at all will mean it has to go back to a complete review by FDA and CE before it can be sold. That's slow and expensive. Modifications to medical devices are not the same as browser patches.

          I'm not saying they should ignore a problem; just that announcing an "important security fix" is coming would kill sales of the current devices, and they wouldn't get the replacements on the market for 1.5 to 2 years even if they had their internal development and testing complete next week, so they're not likely to say it.

          1. yakitoo
            WTF?

            Does

            make you wonder how it got through 510k in the first place

          2. Just Thinking

            Review?

            Someone reviewed a wireless controlled device for injecting insulin, and didn't ask what is to stop someone hacking it?

            Who do they get to do these reviews?

      2. Francis Boyle Silver badge

        Never say anything different?

        How about: we take our customers' safety seriously and purely as a precautionary measure have initiated a review of the security of our products.

        Protecting your legal arse doesn't actually require sounding like a couldn't-care-less jerk.

        1. auburnman
          Stop

          Title required

          That's pretty much exactly what they say. The Reg quote is just a small extract from the company's full response. If you read their take on things they sound like they have it in hand.

  10. This post has been deleted by its author

  11. Anonymous Coward
    Anonymous Coward

    pump user

    My pump at least logs everything it's been doing for at least the last X days, mostly just total daily dose. Also records time and date of X bolus doses as well.

    X = Not sure how many records it actually keeps, but I got bored of pressing the buttons once I went back through 50-odd entries.

    Not possible with mine as it's not wireless, but even if someone did give me an unexpected bolus I'd know about it soon enough and would soon fix the problem with a bottle of Lucozade. There are also limits set on the pumps to fix maximum potential doses so that I don't overdose by mistaken button presses so the person hacking my pump would need to override those settings as well and I don't think those settings were available wirelessly on the demo pumps I looked at before from other manufacturers.

    1. Robert Carnegie Silver badge

      Not to terrify you, but do you wear the insulin pump at night?

      As for boosting the radio range: http://www.turnpoint.net/wireless/has.html

    2. Voland's right hand Silver badge
      Devil

      So in the wireless case

      So, let's say we have a wireless pump which does not require any authentication for the dosage changes. Why should we expect it to require authentication for clearing the log?

  12. Anonymous Coward
    FAIL

    At the bottom of every chip datasheet

    There's a clause forbidding the use of it in life-critical devices (sometimes just medical devices in general) without the written permission of a very senior officer of the manufacturer.

    Surely there's an equivalent for the software written for it?

    I'm glad I'm still on the pills...

  13. Tzael
    Coat

    On off on off on off on ...

    Does this mean hackers have discovered 'off switches' for humans? Yes I know, bad taste, I'll get my jacket...

  14. dave 76

    of course it could be hacked but not all pumps

    pumps that link to a Continuous Glucose Meter or use the remote control need to have wireless communication enabled to allow the devices to talk together. This gives an opportunity for someone to remote attack the pump - I doubt the authentication and encryption is strong enough to keep someone determined out. If you are not using one of these functions you can switch it off. Course if you are using an Omnipod you are out of luck - all the controls are on the remote so you must use it.

    If you are using a non-integrated pump - ie the CGMS does not talk directly to the pump - then you don't need the wireless on.

    Given that my pump and CGMS have difficulty talking with each other when they are more than about 30cm apart and you can't turn off the bloody beeping sound when you do anything I would probably notice someone attempting to adjust it, but you never know.

    1. Anonymous Bosch

      Medtronics Pumps

      Mine can only talk to my glucose meter. No worries there for me. Meter doesn't make the pump do anything.

  15. Anonymous Coward
    FAIL

    Eh?????

    Why the hell is such a device in need of a wireless connection at all?????

    Come to that, why does it need a communication protocol at all!!!!

    1. Old Handle
      Boffin

      RE: Eh?????

      Of course it needs a communication protocol, how else is the user going to tell it how much insulin to give? (This needs to be adjusted for diet, in case you didn't know.) A remote is very handy, because the device itself is worn under clothing and a wired remote would just end up getting tangled in things, not to mention making the user feel (even more) like some kind of freakish cyborg. So wireless seems like the way to go, if they could just figure out how to make it secure.

      1. Anonymous Coward
        FAIL

        RE: Eh?????............

        It doesn't need any kind of communication protocol and since when did a patient decide exactly how much of their medication they need.

        Insulin (and most other self administered injectable drugs) are a pre set dose.

        The device only needs to be able to deliver say, 10mils every 4 hours. Or whatever.

        At no point should a user be able to modify this outside some pre set parameters without a medical professional's say so. More importantly a NON user should have no hope whatsoever.

        Even morphine injectors for use with cancer or other hugely painful conditions cannot deliver more than a preset amount in a certain time frame, and whilst the user can happily click away pumping the stuff in, the device stops over administration of the drug. 50 mils in a 5 hour period, ok, but not 51 till that 5 hour time is up!! Which is how they should work and indeed did.

        So, as I said, the DOCTOR decides how much should be given. NOT the patient. The need for this device to be remotely controlled is utterly pointless and is there because someone decided it could. Not should, or must but because it could....An appliance waiting for an application....

        1. Some Beggar
          Thumb Down

          @cornz 1

          "since when did a patient decide exactly how much of their medication they need."

          Adults with type 1 diabetes (like me) typically manage their condition themselves. I measure my blood glucose, estimate the carbs that I'm eating and the exercise that I'm taking and decide how much insulin I need to inject. I meet with a diabetes consultant or specialist nurse every six months to discuss how this self-management is going.

          "At no point should a user be able to modify this outside some pre set parameters without a medical professional's say so."

          I'm afraid you're simply wrong. Not just for diabetes but for many other long-term conditions, so-called "expert patient" schemes where the individual is given day-to-day control are quite commonplace. The days when such conditions were micro-managed by a medical professional are (happily) long since passed.

        2. Alan Mackenzie
          Boffin

          @cornz1 - The basics of diabetic control

          I'm sorry Mr/s. Cornz, but you could hardly be more wrong on just about everything you've written.

          The diabetic herself decides, from day to day, even from hour to hour, how much insulin to inject/pump. This varies around an "ideal" dose, and depends massively on what is eaten, degree of exercise, degree of stress, etc. The amount of variation can easily be as much as 50%, or even more whilst suffering an infectious disease.

          The doctor does NOT decide how much insulin should be given, except by giving individual guidelines.

          The whole idea of an insulin pump is for a diabetic to be able to adjust the dose of insulin easily and rapidly, and to give boosts just before (or after) meals.

          I sincerely hope you never have cause to discover these things for yourself.

          1. Anonymous Coward
            Facepalm

            But you cannot

            over-ride the pump unit to give you ALL the insulin in one go!!

            This is the point I'm making. If (and I do speak from experience here) you are given an auto injector for morphine, you can administer it to yourself all day long, however, you cannot exceed a pre-determined amount or number of shots per day.

            So you have 100mls of solution, to be administered 10 times a day.

            Perhaps you can administer 5 of these in an hour, 5 the next but then you cannot administer anymore until the 24 hour period is up....

            If, remotely, someone can adjust that without the user's consent or knowledge then that's a stupid idea...

            That's my point....

            Sheesh......

            1. Some Beggar
              Headmaster

              @cornz 1

              "But you cannot over-ride the pump unit to give you ALL the insulin in one go!!"

              I can give myself as much or as little insulin as I like whenever I like. I am in complete day-to-day control of my insulin.

              "That's my point....

              Sheesh......"

              Your point was bollocks. Several people have tried to explain why your point was bollocks. If you had a bit of dignity at this point you would acknowledge that you were wrong and thank people for improving your understanding. But you'll probably just slink away or post some more backpedaling sprinkled with exclamation marks. Grow up.

              1. Oninoshiko
                FAIL

                @ Cornz1

                "X for morphine ergo X for insulin" FALSE.

                Insulin and morphine are VERY different drugs, administered under VERY different rules, for VERY different conditions.

                What is done for morphine (a highly addictive, opiate, analgesic (pain killer)) has nothing to do with how Insulin (a hormone for regulating carbohydrate and fat metabolism) is regulated.

        3. vesta44

          Not always........

          "Insulin (and most other self administered injectable drugs) are a pre set dose."

          Bolus insulin is a pre-set dose that doesn't usually change without a doctor's say-so, BUT short-acting insulins are variable dose and can change from meal to meal, depending on the diabetic's blood sugar at the meal and the number of carbs in the meal. The doctor can give a base range for the short-acting insulin, but has no say over how much is actually administered at each meal as zie is not there to observe the exact conditions and dispense dosing advice. I know this because my husband has type 2 diabetes and his short-acting insulin dosages can range anywhere from 25 units to 50 units, at MY discretion, NOT the doctor's (I'm the one who figures out his dosages based on blood sugar and carb consumption and I'm better at it than the doctor is).

        4. dave 76

          diabetes control is in the hands of the patient, not the doctor

          "So, as I said, the DOCTOR decides how much should be given. NOT the patient. The need for this device to be remotely controlled is utterly pointless and is there because someone decided it could. Not should, or must but because it could....An appliance waiting for an application..."

          Fairly safe to say that cornz 1 has no experience with Type 1 diabetes at all (Type 2 is a completely different kettle of fish).

          My doctor has NO say in what my dosages are. He/she can advise or recommend but seeing as I live with this 24/7 and I see them for 5 minutes every 3 months to get my prescription renewed, I have a much better idea of how to manage my diabetes than they do. I will never take instruction from them, only advice.

      2. Jedit Silver badge
        Headmaster

        Let's add a bit more common sense

        Diabetics who don't get enough insulin will eventually enter a coma. It is thus VITAL that the dosages from an insulin pump must be readable and for preference adjustable by a person other than the user.

  16. Anonymous Coward
    FAIL

    Yes, this needs to be fixed

    Yes, this vulnerability needs to be fixed, just like the myriad other ones in the world.

    But it's a sad testament that we would NEED to fix something like this to prevent someone from possibly doing harm.

    While I know it's not 1950 where (supposedly) you could just leave your keys in your car, not lock your front door, etc., where does it end? Eventually we'll be living in houses with shatter-proof windows in the off chance someone may throw a brick, and even toilet paper will have warning labels and come with an instructional DVD. (though that might not be bad for some people)

  17. The BigYin

    Listen to "Free as in Freedom" podcast, episode 15

    http://faif.us/cast/2011/aug/02/0x15/

    Now be afraid, be very afraid. You have no alternative but to have one inside your body, and you can only trust it works because the maker says so?

    1. Destroy All Monsters Silver badge
      Big Brother

      This is different from popping pills with some new molecule.

      You can only trust that the FDA did its approvals correctly (probably not) and Pfizer didn't deep-six the study showing inconvenient results (probably not) or that the production machine was squeaky clean (probably but sometimes not).

      To add insult to injury, you get to pay top dollar because of the patent before your liver gives out.

  18. Apocalypse Later

    "So far, so good"

    Man falling past ninth floor window gives thumbs up.

  19. John Smith 19 Gold badge
    FAIL

    Been coming for a *very* long time.

    There's an old DDJ article about a guy trying to unscramble the serial port data from his glucose monitor.

    As the actual *device* gets smaller (more concentrated insulin, more efficient pump design, smaller batteries) the UI (the buttons) become the limiting factor on reduction.

    But what's OK for a *Monitor* should change *radically* when you can actually effect stuff IRL.

    Logging the last changes is just a *start* (and note I'll bet that's just a good idea, *not* mandatory in the design of medical devices).

    BTW some countries have a "Grandfather" provision for medical devices *unlike* drugs.

    So I say "It's an insulin pump, just like insulin pump X" and the licensing authorities say "Fair enough type X passed you're clear to go."

    It doesn't have to be *better* it just has to be *different* (but not *too* different).

    While the idea that no one would investigate a diabetic who's just going along and suffers a massive insulin OD should be *very* far fetched given competent forensic techs and autopsy it's less clear cut if they were *doing* something which damaged the body. Driving a car would be the obvious one but I'm sure someone motivated to do this would find others.

  20. Anonymous John

    It's probably like an RFID chip.

    With a range of less than half an inch. And unless the hacker gets the correct channel first time, the victim notices and moves out of range.

    1. Anonymous Coward
      Anonymous Coward

      @Anonymous John

      So absolutely no problem to kill someone in a packed commuter train when you're wedged up against him with your sequential channel scanning diabetic-o-zapem(tm)

      Anyway, the RFID range limit is a false security as has already been shown with the RFID passports. Both ends of the link don't need to be high power or have comparatively large directional antennas, only one. So back to the packed tube train, you could stand at one end, and attack half the carriage - how nice of them to all stand within the couple of degree field of your antenna, hidden in the oh so obvious piece of luggage at your feet.

      1. Some Beggar
        WTF?

        The incidence of type 1 diabetes is about 10 people per 100k

        Of that small population, a small subset will be using a pump rather than pens, and a smaller subset of those will be using a pump whose dose can be adjusted wirelessly, and an even smaller subset of those will be using the particular type of pump whose vulnerability your imaginary wireless murder machine would be targeting. So if you're lucky, you'll find one potential victim in every thousand packed tube carriages.

        Worst. Serial. Killer. Ever.

  21. GuyC
    WTF?

    Well this guy won't collect on his life insurance

    WTF would you try and bugger about with something that is there to save your life......sounds like one for the darwin awards

    1. Anonymous Coward
      Anonymous Coward

      I'm going to go with...

      The good old hacker spirit ... because it's there.

      I doubt he needs to be hooked up to the machine to test it. Even if he did, then he wouldn't be setting a fatal dose and as another commenter has pointed out the machines have a fixed upper limit to prevent exactly that.

      Worst case scenario the machine breaks, I would assume (not being diabetic myself) that he has a backup supply of needles and insulin for emergencies anyway.

    2. Anonymous Coward
      FAIL

      To prove there's a vulnerability

      You bugger about with it *because* you depend on it to save your life. If I was using a device like that I'd want to be damned sure it was as secure as it possibly could be - if I had the required know how and suspected there was a vulnerability I'd be investigating it and trying to identify the security hole in the hope it would be patched, thus closing the avenue for some resentful bastard finding an ingenious way to kill me.

      Which is what this guy did. Hardly criteria for a Darwin Award.

  22. Mr Young
    Go

    Oh FFS

    How hard can it be to add at least a little security? I'd expect a graduate to sort that in a few weeks or maybe a couple of months, whatever. It's not exactly rocket science is it!

    1. Anonymous Coward
      Anonymous Coward

      Hmm...

      Not exactly rocket science, but it is brain - well, chest - surgery.

      These devices, according to the article, have been around for 30 years. How much security did network connected computers have 30 years ago? There would have been no suggestion that security would be needed in the device, that sort of thing just hadn't been invented then. Networks were mainly private, users trusted only had accounts to separate their work. Now look at the early Internet protocols - SMTP, telnet, FTP would be a good start - the security is woeful and yet some are still used on a global basis.

  23. Anonymous Coward
    Anonymous Coward

    Force them to recall them, and pay the price for their foul up!

    For those who have been following the story a bit more closely than the Reg decided to read into it. The guy at Black Hat did actually break into 5 different Medtronic devices, and a third party blood meter. Mostly due to the fact the ones with wireless talk to a wireless blood meter, he basically could just fire off fake blood readings to the pump and cause it to do whatever it likes. Why the blood meter and pump aren't encrypted and paired together is just typical medical corporate types cost cutting and deciding it isn't a concern.

    I was chatting to a guy at a diabetic conference and in a room of a few hundred people he got concerned long before this story as you got nothing but the pumps asking for blood readings. Lots of pumps, lots of data going in, lots of very questionable pairing of pump to meter connections = doses all over the place.

    At the very least, all medical kit needs to be encrypted by law. It's that simple. No "it won't happen" bullshit. It needs to be put into law that at the very least a decent level of encryption is used on these systems. And all the open devices need to be recalled. Medtronic sting the NHS thousands for each device they sell (base level device last time I enquired was about £3000), and on a component level they are on a par with a pocket calculator and you could knock one together with a Maplin catalogue for under £30. A full recall due to possible threats should occur.

  24. Destroy All Monsters Silver badge
    Big Brother

    "Before testing or reconfiguring, always mount a scratch monkey"

    Why is the GAO getting involved? Are they looking for work?

    I would hope that there was enough pressure from consumers and the insurance companies to ... oh wait. Socialized medicine. Never mind.

  25. Robigus

    Medtronic Veo

    My son's pump has got a limiter that prevents large boluses of insulin. We've set the level quite low deliberately.

    The comms to upload the data through the USB connector needs to be ruddy close (within a few inches) to make a connection, and the connection needs to be initiated from the pump itself. (Don't get me started on the Java applet that "requires Microsoft Windows (TM) and Internet Explorer"). VirtualBox, you were sent by Jupiter Himself.

    When his blood glucose goes very low, the pump shuts down to prevent background insulin from going in.

    Having met with the manufacturers and had conference calls with their development department and having harangued them at length about my need for a Bluetooth interface, I have a few degrees of scepticism about this article being aimed at their devices.

  26. Mikko Kaarela
    Megaphone

    Can we trust that the WLAN works?

    Hospitals are increasingly relying on WLAN, not just for security cameras and doctors' laptops, but also for patient monitors, infusion pumps and medications carts etc. That makes patients' well-being and, indeed, their life dependent on WLAN ability to function properly.

    Some hospitals across the pond have already understood that WLAN performance must be monitored 7/24. Hopefully the same approach will eventually arrive here as well: http://www.ohio.com/news/wireless-tech-firm-7signal-plugs-into-akron-1.208537

  27. Keiron
    Thumb Up

    Was there any mention anywhere of the fact that at least...

    for the insulin pump I have that any wireless device needs to be associated with the insulin pump before it can be used otherwise it won't work? So if there is an issue it must be on one of the older models that they don't sell anymore because I'm pretty sure the association of devices is standard in the newer models.
