These diabetes pumps obey unencrypted radio commands – which is, frankly, f*%king stupid Johnson & Johnson's Animas division has issued a letter [PDF] warning diabetes patients using its OneTouch Ping insulin pump that the device could be triggered remotely. Discounting the possibility of an attack as "extremely low," the company nonetheless says that "a person could potentially gain unauthorized access to the …
"Given that security tends to add complexity and cost to technology products, the chance that companies will adopt the FDA's cybersecurity guidelines fully can be considered to be extremely low. "
Not so sure about that. The potential losses in the resulting court case could offset the savings by several orders of magnitude.
The likelihood of such a case depends on the nature of the vulnerability. For example, if it is a failure to authenticate the sender, then it could happen almost any time two users are in the same room and one of them needs to inject. If it is poor authentication, then it is only a matter of time before garbled commands to one unit happen to be valid commands to another and (again) this "attack" will be "tried" whenever you get gatherings of users.
Malicious exploitation is a different set of risks altogether. It is far more likely to succeed and the resulting death will look like suicide. Are there any potential users of these devices who have enemies (or relatives) evil enough to give that a go? Sadly human nature is not all fluffy kittens, so I suspect the answer to that is a firm "Yes".
<quote>Not so sure about that. The potential losses in the resulting court case could offset the savings by several orders of magnitude.</quote>
And one such mechanism to get the manufacturers interested in implementing safety protocols would be a multi-Billion dollar "hit" (lawsuit).
Recently, I noticed legal advertising for patients who take certain blood thinners who suffered varied injuries as a result of the software in a PT-INR1 testing machine producing the wrong results. Just the ticket to prod manufacturers....
1 In layman's terms: the time for your blood to clot.
The user must presumably already know it can be triggered remotely as that is a selling point.
What they should be warning them is that it could be controlled by someone else in the vicinity, assuming it is not an IOT device, or could be triggered by a random radio transmission.
Also, unless they are monitoring the device how can they possibly know this has not already happened.
Are they offering to recall the device and rectify the problem? It doesn't sound like it.
I have no problems with the concept of modern technology it it just the way some f*ckwits implement it. Seriously what the f*ck where the thinking sending anything in the clear! Absolute bloody tools, this is basically criminally negligent.
...who uses a traditional syringe these days?
Perhaps someone attempting a visual pun to go with the term "injection attack".
I followed the link to the Medtronic post. They seem to want to address security issues with their devices but don't entirely understand what that entails. For example, they say this:
"However, the pump will not recognize commands from the USB device without the proper insulin pump serial number. If you’re still concerned, we recommend that you protect the serial number of your pump as you would your social security number, passwords and other important personal information."
This leads me to guess that these devices are vulnerable to brute force attacks against their serial numbers which are used to authenticate an always-on connection to their devices. It's on their website, which means that a potential attacker researching the issue would have an easy start on this. I don't advocate security through obscurity, but let's not make it too easy.
And I haven't seen a syringe that size in a *very* long time.
And it wasn't an injection syringe, but a blood sample syringe, when I was first diagnosed with Type I diabetes in 1981. (At the age of 15, mind.)
For a while, I had a glass-walled syringe for injections (and a need to divide doses by two because it was for 20-U insulin and I had 40-U). The one in Pulp Fiction looks sort of similar.
Then I changed to 100-U insulin with 100-U syringes, which are skinny disposable plastic things, very vaguely similar, except much thinner and a bit shorter, to the one in the picture.
These days I use "pens" - pre-filled cylinders with screw-on disposable needles. Twist the cap to select the dose, push the protruding tube (that wound out as you twisted the cap) to inject. They are thicker than the disposable syringes, but *still* thinner than the syringe in the picture.
Check out the tandem:tslim (no wireless so no chance of hacking).
After 38 years of multiple daily injections, I switched to this pump a few months ago and the convenience far outweighs any disadvantages (of which I know of none). Plus my control has never been better.
I have been a Type I diabetic for 38 years and just switched to an insulin pump a few months ago (tandem:tslim). This one does not have any wireless communications so no chance of any hacking. I love it and will never go back to multiple injections. My control has never been better and it is so convenient.
And yes, you'd have thought they would show a picture of an insulin pump rather than a manual injection. :(
The letter also recommends turning on the Vibrating Alert feature, because it could be useful to be told when insulin is about to be administered, and to set a limit on insulin doses over a given period of time.</quote>
Surely our hacker could just disable them again using the same unencrypted commands to switch the alerts off again?
But with this and the 10 zillion other IoT devices out there, isn't it time an idiot proof chip or framework is produced to allow people to do secure comms on small devices easily?
"Given that security tends to add complexity and cost to technology products, the chance that companies will adopt the FDA's cybersecurity guidelines fully can be considered to be extremely low. "
Would they be able to withhold or retract approval if security flaws such as these are found? It's clear such testing needs to become part of the approval process for devices with remote control capabilities. And companies will pay attention to matters that can keep their product from entering the market.
When the FDA get around to looking at this then they could have the product withdrawn from the market - a complete recall - if they think it's a risk. Chances are that Johnson & Johnson didn't pass this design through the FDA as the "feature" could have been rationalized away as not affecting the core functionality - thus not triggering an FDA 510(k) design review at the FDA.
I would expect that the FDA will issue a ruling on this although probably not for a few years. The end result is that encryption will be mandated - eventually.
I love the march of technology, but I can see we're heading in the wrong direction. I am not happy to have to think like a luddite, but it's necessary for survival. Sometimes you need to know when to say "Stop. This ain't good".
I see they're selling DNA manipulation kits for 100 dollars on the internet. Can't be good. If there's one thing we don't need it is antibiotika resistent E.coli bacteria created by some derp in his home.
I am not sure we are heading in the wrong direction, more walking a path without fully realising we need to redirect that path. Such realisations only come with discovering where one has gone wrong.
History is littered with 'good ideas' which turned out to not be such good ideas until we got those under control, figured out how to do them safely, and sometimes abandoned those ideas. Getting it wrong, not having as much foresight as hindsight would like us to have had, seems a part of human nature.
One day we may improve on that, may learn the lessons of history, but it seems we have a long way to go. We can't even agree on what are best 'safe practices', when something is safe to release; only when it's proven safe to do so, or it can be released unless proven not to be safe.
When we tend towards the latter there will be cases where what seemed like a good idea turns out not to have been. We have to accept that if we follow that course.
despite what you read, creating an "antibiotic resistant E.coli" is really not the issue. Generally, anything we create in the lab does not compete well in the environment - the real world is *really* noisy.
However, if you pump every living thing in the food chain full of antibiotics, you will select (as in Darwin's Natural Selection) for some really nasty variants, since they have survived the microbiological gladiatorial arena of every cell they enter.
Read about phages, a 3 billion year old experiment into molecular robots...they're an interesting topic.
If we lived in a rational political universe, this would prioritize research into the mechanisms of disease so we could create solutions to the problems. but our media prefers novelty to progress.
The Dark Ages are only one lost generation away...
P.
Rather than just telling people to set limits and turning on a vibration alert feature (because knowing your about to be injected is really going to help you out if someone is trying to overdose you!), they could take the time to create some new firmware for the device which plugs the security holes. And then the advice for their patients could be to update the firmware on the device. Problem solved. No need to release such statements which look like they are saying the risk is low and they don't really care about the risks to your life anyway. They could laud instead how much they care for their patients and are taking a firm stance on security!
Oh wait, securing the device costs money, nevermind.
An Animas statement says patients and healthcare providers have been contacted about this issue. "Animas continues to work with the appropriate regulatory bodies and security experts on this issue as we are always evaluating ways to further ensure patient safety and enhance security," the company said.
Enhancing security isn't what you are doing, you are fixing a massive security hole in your product. A security hole that could be lethal to someone.
My son's Medtronic insulin pump had to be explicitly configured to listen to remote instructions for it to be vulnerable.
All of his cohort had remote access turned off by default when setup by the hospital because it was battery thirsty.
Also, the article doesn't mention that pumps are setup with a maximum bolus - another safety feature that prevents little people delivering shit-tons* of insulin.
That's not to say the manufacturers aren't money-first/patient-second yacht-sailing greed-monster tooth-whitened billionaires, but the headline's a bit OTT.
* This is the proper medical terms for large quantities of insulin.
"Since Animas Corporation launched the product in the US in 2008 and Canada in 2009, there were zero patient complaints (and no patients affected) related to this issue"
Because all of those involved were suffering from hypos/death and couldn't communicate coherently as a result.
"Medtronic Paradigm Bolus Wizard"
'Bad news Jeff, the name for our new product is apparently already some sort of internet meme. The correct horse battery staple needs a new name'
'Ok, I'll get the word list and the darts'
I skimmed the manual for this thing (online, I don't actually have one, thank goodness) and it talks about "pairing" the pump and remote, and also says the remote can check the pump's status. So they have two-way communication. If they hadn't that would have made security a bit difficult, but since they seem to be perfectly capable little gadgets, there's really no excuse.
There's a Case Study published in 2009 by well-known medical equipment manufacturer Welsh Allyn titled "
Application of IEC 80001 in Avoiding Pitfalls of Wireless LAN System Design, Case Study".
Scroll down to Section 5 - Security and the third paragraph near the end of the section states, "Of the vendors that support WPA, many only support Pre-Shared
Key (PSK) authentication; again, likely because of low cost and ease of implementation. Consider that those who claim that WPA
is secure likely don’t support WPA2."
Some medicial equipment manufactures DO NOT have the technical skills to make their products wirelessly secure.
I've seen this before from medics with predictably dire consequences.
They confuse probability with risk and don't take into account the impact. So yes it's very unlikely there would be an attack against diabetics with these pumps, however the impact of such an attack would be critical since people would die.
So I would say that the risk is actually 'high' and should be addressed.
If anyone here has had experience with getting FDA approval for medical devices I would appreciate comments from them. I have experience in FDA submissions for drugs and they can be very frustrating to deal with in terms of making any changes in any aspect of the drug approval and production process. If one looks at the baby step approach that Medtronic has used in adding features to its insulin pimp line, it should be obvious that making wholesale changes to a device is time-consuming and expensive. I use a Medtronic 530g insulin pump with the CGM(continuous glucose monitor). The sensor communicates to the pump via radio. The pump and glucose meter also communicate with each other in the same fashiom. I am in far more danger of mis-entering blood glucose values manually than I am from someone trying to cause me harm by hacking my pump. These systems are low-poower systems. The pump runs on a single AAA battery which lasts about two weeks with vibration mode on. The transmitter lasts about two weeks also before being recharged but as the sensors only last six days, I recharge the transmitter each time I change a sensor. When the sensor and pump are on opposite sides of my body, communication stops. In order to have decent encryption you need a decently powered CPU which these insulin pumps don't have. Yes, you could design an entirely new pump with a "modern" CPU but then the entire unit(pump, meter, remote control, CGM transmitter) would have to be validated by the FDA. Here in the US the new versions of the pumps are available 12 - 18 months after they are in UK/EU. And that is for each of those baby step improvements.
If a patient is worried about someone hacking their pump(I'm not) or remebering when the gave themselves their last bolus(I am) then it is simple to look at either the bolus history or amount of active insulin on the pump.
Finally, new drugs are launched without having hundreds of thousands of test subjects, and yes, people do die from new drugs, drug interactions, and drug allergies. It is a risk-benefit analysis. I use my pump because it works for me, far better than multiple daily injections. I would say that it is far more hazardous to be driving a car either in the US, EU, or on some of those tiny hedge roads in the UK.
in the newer Medtronic pumps they have disabled some of the remote features for security but although I have one, I am planning to move back to the less secure model which does allow remote control of dosing levels.
Why? Because there are open source projects like openAPS to enable smarter control of the pump and to create an almost closed loop insulin delivery system. I consider that to be much more important to me than if someone wants to play silly buggers with my pump.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
