Forgot your password?
typodupeerror
Medicine Security Technology

Probing Insulin Pumps For Vulnerabilities 81

Posted by Soulskill
from the panic-versus-sanity dept.
Several readers have sent in news of a presentation at the Black Hat security conference from a diabetic security researcher, Jerome Radcliffe, who is looking into the security of automated insulin pumps. While most of the headlines are sensationalist, referencing "lethal attacks from a half-mile away," Scott Hanselman breaks down the media reports and weeds out the inaccuracies, explaining that while this is a valid area of concern, diabetics don't need to cover themselves in tinfoil just yet. "Just to be clear, Jerome has not yet successfully wirelessly hacked an insulin pump. He's made initial steps to sniff wireless traffic from the pump. I realize, as I hope you do, that his abstract isn't complete. Hopefully a more complete presentation is forthcoming. I suspect he's exploiting the remote control feature of a pump. ... What Jerome has done, however, is posed a valid question and opened a door that all techie diabetics knew was open. It is however, an obvious question for any connected device. Anyone who has ever seen OnStar start a car remotely knows that there's a possibility that a bad guy could do the same thing."
This discussion has been archived. No new comments can be posted.

Probing Insulin Pumps For Vulnerabilities

Comments Filter:
  • by Anonymous Coward

    Various pumps record RF transmission of blood glucose readings from glucometers, or from continuous glucose sensors that connect to a pump. This includes the Medtronic Paradigm I'm wearing right now. But this number is visibly displayed as part of the setting to request a "bolus" of insulin, and no current pump that I can find closes the feedback loop and allows the glucose sensor to directly control the pump: this is because the continuous sensors are, basically, very expensive ouija boards that require

    • by Gunnut1124 (961311) <rowdy.vinsonNO@SPAMgmail.com> on Friday August 05, 2011 @11:07AM (#36997618)
      Omnipod and OneTouch Ping both use the same type of wireless control unit, though not directly inline with a CGM. The system he tested (Paradigm Reveal) is a 2 part loop that requires human interaction. (ie CGM tells you a glucose reading, then you use the pump to decide how much insulin to deliver.) All he was able to do was jam the data from the real CGM sensor and spoof it with false data. That's not exactly "hacked" but is a threat. The pumps with wireless control units are where I'd expect to see the primary fault and possible loss of control. (FYI, I'm a diabetic with a deep knowledge of both these systems from a user's perspective, as well as an IT worker in a medical field. These may not be perfect credentials, but I figure it might be relevant.)
    • by MattJD (1020453)

      I know Animas's OneTouch Ping also is remotely controllable from its meter. It isn't a closed loop, but you could definetly pour a good amount of insulin into someone.

      Also, studies have shown that people cannot accurately predict there glucose levels. While people can tell they are off (especially low), exact numbers are hard to produce.

      • by Lehk228 (705449)
        biological neuro nets are inherently bad at making exact estimates, but they make up for it by being able to be sensitive to extremely small variations. compare perceived light levels indoors under lamps vs outdoors in sun, or perceived smell when a stench is first introduced to 6 hours later. look at the blue/yellow optical illusions, http://www.lottolab.org/illusiondemos/Demo%2012.html# [lottolab.org] when you activate the mask it will look like it is cheating and the squares are changing colors, confirm the honesty
    • by tirerim (1108567)
      There's an optional remote control [minimed.com] for the Paradigm that can be used to deliver insulin. It's a $150 accessory, and of the several pumpers I know (including myself), I don't know anyone who has one, but it does exist. Since you have to turn on the option from the pump (Utilities -> Connect Devices -> Remotes, on the 723), it's probably impossible to exploit on someone who doesn't already have a remote, but it seems entirely plausible to do so if they do.

      And I'm right there with you on the CGMSs.
  • I have a Medtronics Nerve Stim in my chest with a wireless remote.

    In my experience you have to get the handheld remote or it's antenna lead within a half inch of my skin right over the device.

    http://professional.medtronic.com/products/primeadvanced-spinal-cord-neurostimulator/index.htm [medtronic.com]

    • by X0563511 (793323)

      That looks like an RDIF-style system.

    • by AJWM (19027)

      Or further away with a more powerful transmitter and a directional antenna. Of course at the limit the attacker does away with the subtle apporach and just blasts the device with an EMP (or you with a shotgun). Depends on how "accidental" he wants it to look.

      • by pnewhook (788591)

        Of course at the limit the attacker does away with the subtle apporach and just blasts the device with an EMP (or you with a shotgun)

        Yes, because an attacker is going to set off a nuke to generate an EMP with the sole purpose of frying everyones medical implants.

        Agree a shotgun would be a lot easier and less evil-fanatic like.

        • by AJWM (19027)

          There are ways to generate a (small, but lethal in this case) EMP that don't require a nuke. But a shotgun is still easier.

    • by Chewbacon (797801)
      Put a magnet over a pacemaker or AICD and it's hacked. Probably won't do any damage and unless the patient is asleep, they'll just pull it off.
  • by 0100010001010011 (652467) on Friday August 05, 2011 @11:07AM (#36997612)

    Medical Device #1 costs $500. It was made with an embedded RTOS on a ROM. It does one thing, ALL the time.

    Medical Device #2 costs $250. It was made with Windows CE, a cheap TTL motor and a simple full screen app that launches at boot. It was developed fast, breezed through FDA 'certification'.

    Which one is the normal consumer going to buy?

    See also voting machines, ATMs, etc.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      The one that really whips the llama's ass?

    • by i.r.id10t (595143)

      Whichever one that their doc prescribes *and* their insurance will pay for ...

    • by magusxxx (751600)
      You forgot Medical Device #3 which can run Doom.
      • by cayenne8 (626475)
        Hey, just wait for the federally mandated, remotely accessible Harkonnen heart plugs are installed into everyone.

        Then there will be NO more protests.....citizen.

        ......or else...

    • by Rich0 (548339)

      Yeah, but in this case medical device #1 costs $5k - insulin pumps may be simple, but they are NOT cheap.

      In theory the whole reason medical devices are so expensive is precisely because the vendor has to ensure that stuff like remote wireless hacks can't happen.

      I've thought about what it would take to build an insulin pump. To do a cheap job probably wouldn't be very hard - a simple pump just needs a syringe with a plunger and a motor that runs at constant speed.

      But, start thinking about all the "what if's

      • by Anrego (830717) *

        I imagine liability also plays largely into it. They have to be covered when one of these things kills someone and the family sues them for 3 billion dollars.

        I've thought about what it would take to build an insulin pump.

        When I first read this, I thought you were planning to do so! After reading the whole post I realized that wasn't your point, but at first I was envisioning some arduino controlled contraption. I can't wait till this actually starts happening.. OSS/DIY medical gear!

    • by pnewhook (788591)
      As a designer of medical devices, based on the description device #2 could never exist.
      • by RockDoctor (15477)
        Not doubting your assertion, but on what grounds?
        • by pnewhook (788591)

          Basically everything stated:

          - "Windows CE" Any device must be proven by the manufacturer to not cause patient harm if an component within it fails. This includes software, and when calculating probability of failure, software is assumed to fail 100% of the time.

          - "cheap TTL monitor" Any hardware must conform to stringent medical standards and if fails be proven not to cause patient harm

          - "Developed fast" The amount of documentation required on process, design, testing and validation means it simply c

          • by RockDoctor (15477)
            -Since all software is assumed to fail 100% of the time, and by implication all software failures will cause harm, then no medical devices can include software of any sort? Is that what you're saying?

            What about a "cheap TTL monitor" would fail which medical standards and necessarily cause patient harm on failure. TTL (transistor-transistor logic, unless it means something else in this field) can include fairly substantial voltages, but proper (not necessarily expensive, just proper consumer-grade design)

            • by pnewhook (788591)

              Since all software is assumed to fail 100% of the time, and by implication all software failures will cause harm, then no medical devices can include software of any sort? Is that what you're saying?

              No. Software can fail and not cause harm. That's the art to system design - no matter what single failure happens to software on my systems, absolutely nothing hazardous can happen to the patient.

              cheap TTL monitor

              What you say is perfectly correct. It comes down to patient safety and whether all electrical design and safety have been taken into account. The medical device manufacturer would have to certify any monitor (or any other commercial device) for compliance, cheap or not.

              Poor documentation is more strongly associated with "developed cheaply" than "developed fast". IMHO.

              You not only have to document the softwar

              • by RockDoctor (15477)

                Oh, sorry, by the criteria you've stated, you can't have any sort of software in the device

                I never said nor implied that

                That was certainly the implication that I picked up ; hence the RAA (definition [wikipedia.org]).

                It comes down to patient safety and whether all electrical design and safety have been taken into account. The medical device manufacturer would have to certify any monitor (or any other commercial device) for compliance, cheap or not.

                Again, I'm reading that as --no medical device manufacturer can ever say "p

    • I'm amazed that the simple system using Windows even passed the FDA validation tests. It would not have passed a simple FDA network validation if there is any chance that a signal could interfere with the operation. I was a project manager for implementing Laboratory Information Management Systems, better known as LIMS and we would have had a problem using wireless devices just to pass data from testing. If another wireless device on the same frequency or close to it could block or interfere is would have
  • by TheCabal (215908) on Friday August 05, 2011 @11:09AM (#36997632) Journal

    My wife uses the OmniPod disposable pumps. They are controlled by a wireless PDA-like device. When she was switching from a conventional pump to the Omnis, I wrote to the company and asked them to explain to me how their wireless technology works, what protocols are they using, what security measures they have taken to protect the pods from malicious activity. My concern was the possibility of an outside party either deliberately or accidentally messing with the pod settings, and minimizing insulin delivery or pushing a huge bolus.

    I even offered to sign an NDA. Obviously, the company was less than willing to divulge their proprietary secrets, and I was shuffled off to a PR flack, who just reiterated the same marketing material over and over.

    • by TheCabal (215908)

      Just a followup to this, I posted a summary of the article on Facebook, and my wife predictably reacted the same way the press did.

      Me: "Guy gives a talk about the *possibility* of hacking a wireless insulin pump"
      Wife filter: ZOMG HACKERS ARE GOING TO KILL US!

      After answering questions of responsible disclosure and security through obfuscation, she asked why someone would want to do such a thing as try to kill a diabetic. She was unfamiliar with the term "for teh lulz"

      • by Rich0 (548339)

        Well, why would anybody kill anybody?

        Certainly if you are going to build a medical device that uses wireless technology you need VERY strong security controls around authentication/etc. If somebody steals your handheld controller and does a mission impossible on it I could understand that no security is perfect. On the other hand, I shouldn't be able to take apart my insulin pump and then use what I learn to remote control your insulin pump.

        The wireless features are handy. The typical use cases I'm aware

      • I think both you and your wife are missing the most likely threat vector here. Black Hat hackers may not be, in general, the most empathic of people; but I doubt there are many that would simply kill a random diabetic for the Hell of trying a new hack. A much more plausible situation is someone using a mature form of this to kill a specific person that they hate or who has something they want, who also happens to be a diabetic, in a nearly untraceable way.

        Motiveless murders, while they grab headlines beca

        • by TheCabal (215908)

          Note that I also said I was concerned that an outside party accidentally changes the settings on the pods. I think that is far more likely, but people aren't really going think that walking past the microwave or the 802.11 router is really a threat.

          • by pnewhook (788591)

            but people aren't really going think that walking past the microwave or the 802.11 router is really a threat.

            If it is a certified medical device, there is no way walking past a router or microwave is going to change the settings.

        • by LWATCDR (28044)

          I wouldn't worry about people trying to kill random people how ever I do think that there are way too many people that would think it was "funny" to really mess with people. "Dude, did you see those four just drop like a rock! That was so cool!"
          For example http://en.wikipedia.org/wiki/Anonymous_(group)#Epilepsy_Foundation_forum_invasion [wikipedia.org]
          I just hope that they hackers are being as responsible as possible and are not going to publish this until any vulnerabilities are fixed. I would suggest publishing the resul

  • by sheepweevil (1036936) on Friday August 05, 2011 @11:10AM (#36997646) Homepage

    I've had a minimed paradigm for about 8 years now, and all of what Scott said makes sense. In addition, there are a few more things which make this impractical. I assume the researcher is trying to hack the "Remote" option. Not only do you need to turn the remote option on, you need to add IDs of the remotes to the pump itself. So unless you can figure out how to add IDs remotely, you have to find someone with a remote, and get the ID from the remote.

    Second, there's a limit (at least on my Paradigm version) of 20 units of insulin at a time. I haven't tried this, but I think there's a system to prevent you from giving multiple 20 unit boluses at a time. Since I take around 14 units for some meals, 20 units of insulin is conceivable to overcome just by eating sweets, and there's always glucagon injections in a pinch. My pump makes a sound when it is done giving a bolus, meaning the diabetic could notice that a bolus was given (perhaps the beep is turned off for continuous glucose monitoring systems though).

    Finally, hypoglycemia is rarely fatal. From wikipedia [wikipedia.org]: "In nearly all cases, hypoglycemia that is severe enough to cause seizures or unconsciousness can be reversed without obvious harm to the brain." So even if you figure out how to give a remote bolus and succeed, it isn't likely to kill the diabetic.

    • by X0563511 (793323)

      Do you wear these systems all the time? What would happen if such a thing happened while you were, say, driving? Or doing something else where the symptoms could result in maiming?

      • by tirerim (1108567)
        As a rule, the symptoms don't just come out of nowhere—if you're driving, and start to go hypoglycemic, you just pull over, treat it, wait 15 minutes, and start up again. (There is a such a thing as hypoglycemia unawareness, in which the symptoms do come on much faster and at a lower level of blood glucose, but that's an individual-specific thing that results from having too many lows to begin with, so it doesn't affect the general population of diabetics.) The bigger danger, as I said in my reply t
    • Sorry, but my mother is type 1 as well and Hypoglycemia is the biggest danger she faces on a daily basis. Why? Because it can occur without her recognizing it. Sure we all know the symptoms, she certainly does, but one problem with low blood sugar is that your not always thinking clearly and you don't always arrive at low blood sugar at the same rate. Worse, depending on many other issues one day's low blood sugar can have different results than another.

      The real threat here is for those type 1s who are not

      • by Rich0 (548339)

        Yup, hypoglycemia is no joke - I help take care of somebody who is diabetic. Hospitals always error on the side of hyperglycemia as a result - it is harder for them to control sugar with everything going on so they'd rather go too high than too low.

        That said, I've heard that studies have shown that tight sugar control improves hospital outcomes. That being the case I don't know why hospitals don't just put all their diabetics on insulin IV pumps. Check their sugar hourly until you get a baseline and then

    • by cnettel (836611)
      You are assuming there are no holes in the protocol. How is the ID pairing truly done? Is it possible to do some kind of hardware reset over the wireless interface, either by design or by an implementation flaw? Is the ID sent in clear, or is there some proper handshake going on? If there is a cryptographic handshake, is it based on a single common certificate? (Reverse engineering one remote would then still be enough to spoof the ID of any other.)

      If the secret of the ID itself is supposed to maintain se
    • by fermion (181285)
      Remote IDs, at least for some wireless, is not an issue. Sniff the network for IDs, spoof those ids, and you're in. That is why on networks I want to remain private, I not only close the network, require MAC, but also have a password.

      As far as the 20 unit limit, the security of this is dependent on whether the setting is in hardware or software. If it is in software, there is a possibility that the limits can be overridden and all insulin can be dumped. Even if in hardware, and constraints between dum

    • by tirerim (1108567)
      No, there's nothing to prevent you from giving multiple consecutive boluses. I occasionally eat enough in one sitting that I need about 30 units, and I just give myself a second bolus right after the first one. (More often one of them is actually a dual or square wave, but it does happen that both of them are normal boluses.) It's designed to guard against human error, nothing more.

      As for the dangers of hypoglycemia... yes, it is fairly easy to treat a hypoglycemic seizure. I've had quite a few of th
  • look out or you may be facing attempted murder changes just for trying to hack some thing like this.

    • by X0563511 (793323)

      Yea, because he's totally doing this on live machines attached to patients who depend on them...

  • I realize many of these points are pointed out in the article, and I will be repeating them here for those of you who didn't read it:

    There are several types of wireless communication built into my pump (A Minimed 722 with a CGMS sensor):
    1.) Sensor (inserted elsewhere into body) sends current glucose level to pump
    - Requires the sensor serial to be entered into the pump
    - If hacked, would report a false glucose level to the pump. The pump NEVER acts on it's own, it only informs you of what the level is, so no

    • by X0563511 (793323)

      You're assuming that the hacks wouldn't involve simulating the source of the signal. They don't actually have to obtain the professional software, they just have to figure out the protocol. This needs be done once.

      • by DramaGeek (806258)

        What else would a hack simulate but the signal source? In my first two instances, bad data is introduced, but there is no danger to the patient. In the third, bad instructions may be sent, but they are echoed by the pump before starting. In the fourth, you not only have to have a valid serial to simulate, but you have to address it directly to another serial.
        Did you read the article? The would-be hacker HAS the serials of his own devices, and still hasn't figured out how to hack them.

  • I spent a LOT of time in various hospitals and long-term care facilities over the last year (friend with cancer), and found that most now rely heavily on WiFi enabled IV/Medication pumps and monitors. Almost every piece of equipment I looked at had a WiFi indicator light on it (some even actually said "WiFi"). There were also several secure WiFi networks operating within each facility, including- thankfully- free public Internet access. Depending on what can actually be done with them remotely- I found this
  • One should strive to create the most efficient and secure code possible for intrinsic reasons, and insulin pump control software is no exception. That said, there are far easier ways to kill a man from half a mile away. Our brains' defenses are wholly inadequate to contend with a bullet fired from a sniper rifle. This isn't a bug, it's recognizing that we live in a dangerous world. Yes, we should secure medical devices against unintentional interference, but securing them against malice is like developi

The typical page layout program is nothing more than an electronic light table for cutting and pasting documents.

Working...