Probing Insulin Pumps For Vulnerabilities
Several readers have sent in news of a presentation at the Black Hat security conference from a diabetic security researcher, Jerome Radcliffe, who is looking into the security of automated insulin pumps. While most of the headlines are sensationalist, referencing "lethal attacks from a half-mile away," Scott Hanselman breaks down the media reports and weeds out the inaccuracies, explaining that while this is a valid area of concern, diabetics don't need to cover themselves in tinfoil just yet.
"Just to be clear, Jerome has not yet successfully wirelessly hacked an insulin pump. He's made initial steps to sniff wireless traffic from the pump. I realize, as I hope you do, that his abstract isn't complete. Hopefully a more complete presentation is forthcoming. I suspect he's exploiting the remote control feature of a pump. ... What Jerome has done, however, is posed a valid question and opened a door that all techie diabetics knew was open. It is however, an obvious question for any connected device. Anyone who has ever seen OnStar start a car remotely knows that there's a possibility that a bad guy could do the same thing."
The weird thing is not knowing if you're just crazy, stupid, or a very patient troll.
The first link is from 2006, you'd be better posting the follow up of if/when they did a study on humans.
Your second link also just says that diabetes causes problems, not that those problems cause diabetes.
which is totally what she said
Would you please apply some chiropractic treatment to your brain? It seems in need of one.
Various pumps record RF transmission of blood glucose readings from glucometers, or from continuous glucose sensors that connect to a pump. This includes the Medtronic Paradigm I'm wearing right now. But this number is visibly displayed as part of the setting to request a "bolus" of insulin, and no current pump that I can find closes the feedback loop and allows the glucose sensor to directly control the pump: this is because the continuous sensors are, basically, very expensive ouija boards that require frequent recalibration with an actual finger-prick based glucometer. They're basically no more useful than checking in the mirror for muscle tremors or changes in vision associated with extremely high and extremely low blood sugars, or keeping track of how often you need to pee. (I've tried the continuous sensors: they all suck.) There is no pump on the market that is directly controlled by a continuous sensor: they're not accurate enough to rely on.
It is theoretically possible to skew the continuous sensors over a long period and encourage over, or under, dosing of insulin. This could particularly be an issue during the night, when actually verifying it with a finger-stick blood sample is unlikely. But such errors would show up pretty quickly as being out of sync with morning measurements, and with remotely good control, most of us diabetics have learned to detect, without instruments, what our blood sugar is. The sensors provide invaluable calibration and fine tuning for that sense, but gross errors would be noticeable to most of us.
Of course, if I caught anyone screwing with my glucose readings this way, they'd die the death of a million blood samples before I was done with them.
I have a Medtronics Nerve Stim in my chest with a wireless remote.
In my experience you have to get the handheld remote or its antenna lead within a half inch of my skin right over the device.
http://professional.medtronic.com/products/primeadvanced-spinal-cord-neurostimulator/index.htm
Medical Device #1 costs $500. It was made with an embedded RTOS on a ROM. It does one thing, ALL the time.
Medical Device #2 costs $250. It was made with Windows CE, a cheap TTL motor and a simple full screen app that launches at boot. It was developed fast, breezed through FDA 'certification'.
Which one is the normal consumer going to buy?
See also voting machines, ATMs, etc.
My wife uses the OmniPod disposable pumps. They are controlled by a wireless PDA-like device. When she was switching from a conventional pump to the Omnis, I wrote to the company and asked them to explain to me how their wireless technology works, what protocols are they using, what security measures they have taken to protect the pods from malicious activity. My concern was the possibility of an outside party either deliberately or accidentally messing with the pod settings, and minimizing insulin delivery or pushing a huge bolus.
I even offered to sign an NDA. Obviously, the company was less than willing to divulge their proprietary secrets, and I was shuffled off to a PR flack, who just reiterated the same marketing material over and over.
Insulin pumps - Because an actual cure wouldn't make your life depend on their wealth.
(Aimee Mann - Wise Up)
I've had a minimed paradigm for about 8 years now, and all of what Scott said makes sense. In addition, there are a few more things which make this impractical. I assume the researcher is trying to hack the "Remote" option. Not only do you need to turn the remote option on, you need to add IDs of the remotes to the pump itself. So unless you can figure out how to add IDs remotely, you have to find someone with a remote, and get the ID from the remote.
Second, there's a limit (at least on my Paradigm version) of 20 units of insulin at a time. I haven't tried this, but I think there's a system to prevent you from giving multiple 20 unit boluses at a time. Since I take around 14 units for some meals, 20 units of insulin is conceivable to overcome just by eating sweets, and there's always glucagon injections in a pinch. My pump makes a sound when it is done giving a bolus, meaning the diabetic could notice that a bolus was given (perhaps the beep is turned off for continuous glucose monitoring systems though).
Finally, hypoglycemia is rarely fatal. From Wikipedia: "In nearly all cases, hypoglycemia that is severe enough to cause seizures or unconsciousness can be reversed without obvious harm to the brain." So even if you figure out how to give a remote bolus and succeed, it isn't likely to kill the diabetic.
Look out, or you may be facing attempted murder charges just for trying to hack something like this.
Media is picking up on every tiny thing and blowing it out of proportion. It's like suddenly every news station is Fox News Jr.
Many heart devices being implanted into people surviving (or having been determined to be at risk of) e.g. cardiac arrest also have wireless access. For example, a friend of mine has an implanted ICD (http://en.wikipedia.org/wiki/Implantable_cardioverter-defibrillator - basically an implanted heart monitor and defibrillator), which wirelessly connects every now and then to a modem he has at home, which in turn forwards data from the device to the local hospital. In addition to transferring data from the device, the wireless connection can also be used the other way around, for changing the configuration settings of the device (including which heart rate the person should have), or even to trigger a defibrillation shock.
One has to hope that these things were built with security in mind, but if the history of communication security is any guide...
I think the article should say exploiting, not explointing.
I realize many of these points are pointed out in the article, and I will be repeating them here for those of you who didn't read it:
There are several types of wireless communication built into my pump (A Minimed 722 with a CGMS sensor):
1.) Sensor (inserted elsewhere into body) sends current glucose level to pump
- Requires the sensor serial to be entered into the pump
- If hacked, would report a false glucose level to the pump. The pump NEVER acts on its own, it only informs you of what the level is, so no danger. Also, for any treatment you are supposed to double check the level with a finger-poke as below.
- Also, if a level is reported that is out-of-pattern with the rest of values that the pump has been receiving, the pump assumes that the sensor is out of calibration or failing, and has you re-calibrate the sensor with a finger-poke.
2.) Meter (regular old finger-pokes) sends current glucose to monitor
- Requires meter serial to be entered into the pump.
- If hacked, the meter and the pump would show different numbers, making the manipulation obvious. Also, if someone randomly started sending values to my pump, I would know due to the fact that I wasn't currently checking my glucose.
3.) Remote sends instructions to deliver insulin
- Requires remote serial to be entered into pump
- Pump still vibrates/beeps to confirm delivery and dosage. Not exactly discreet.
- I'm not sure what other safeguards this has. I don't use it. I do know that if you don't have any serial numbers entered, it turns this feature off.
4.) USB Device gathers reports/programs pump
- Requires pump serial to be entered into computer.
- The 'USB Device' mentioned in the article is almost certainly a Carelink USB Upload device, used to upload data from the pump to a computer for gathering reports on glucose trends, patterns, other ways to fine-tune your treatment.
- I do know that these CAN be used to upload new settings to the pump, as I've seen them do it at my doctor's office.
- User software doesn't feature upload capability, so hackers would need to steal a copy of the 'pro' software from a doctor's office (additional security through obscurity?)
Of the four, the last two are the only ones that could alter insulin delivery, and the last one is the only one that would do it without notifying the user. You would have to develop a profile that had a high basal rate (background, continuous insulin delivery). Again, you would still need to get the serial number off the pump to initiate the upload.
Dr. Bob, to be honest, I'm much more concerned about the infiltration of our society by fatass cyborgs.
Kudos to Jerome Radcliffe in his fight to defend Sarah Connor's doughnuts.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Sorry, but my mother is type 1 as well and hypoglycemia is the biggest danger she faces on a daily basis. Why? Because it can occur without her recognizing it. Sure we all know the symptoms, she certainly does, but one problem with low blood sugar is that you're not always thinking clearly and you don't always arrive at low blood sugar at the same rate. Worse, depending on many other issues, one day's low blood sugar can have different results than another.
The real threat here is for those type 1s who are not in constant contact with other people, like a spouse or children in the same home. I made a trip to my parents' one day to drop some boxes off; I was under the impression they were not going to be home. I saw my mom's car in their garage but still was under the assumption that she was with my dad. Well, lo and behold, she was in the house and barely conscious. When I was able to recover her (that wonderful rescue shot plus tabs/juice) we went over what happened. She knew she was low and was going to fix it... but.. but... and there she went. She sat down, started to check her pump and passed out. Her blood sugar fell. Now imagine you're asleep. I know the pump vibrates, but it falls to the side, or the needle comes out, or any of the many other problems that can occur... and if you're alone or not checked on for how many hours - well, you get the picture.
Now contrast this with hyperglycemia (too much): she has never gone unconscious in this state. She has had throw-up fits and such, but she was always able to try and fix it. She could even get herself to the hospital. She has been well past 600+; she knows people who went higher. She spent days over 400 with the hospital unable to explain it. She was fully functional. You cannot say the same for low blood sugar.
I just wanted to reply so that people don't get the idea that it rarely is fatal, which implies it's not dangerous. It's very much going to be fatal if someone is not around to help you, and honestly, if you're type 1 I would make sure people know that if you're not where you should be then there might be a problem.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Yea, because he's totally doing this on live machines attached to patients who depend on them...
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Buffer overflows and hard-coded privileges! Where's the love?
I have a Minimed Paradigm 722 and a Dexcom 7 continuous glucose sensor.
For the benefit of non-diabetics:
Insulin is measured in "units", with 100 units per mL. A unit is actually related to moles, not volume, and it is possible to have insulin concentrations other than 100U/mL, but I've never seen such a bottle. In practice it is used as a unit of volume.
Basal rate is the background rate of insulin delivery. It is adjustable hour-by-hour and is usually small (1U/hr for me). It is a 24-hour repeating pattern.
A bolus is a single large delivery of insulin, normally in response to food (before you eat, if possible) or high blood sugar.
Insulin does not start working immediately. The "fast acting" insulin used in pumps still takes at least 30 minutes to have any noticeable effect. For me (this probably depends on body fat, etc.) insulin has the most effect between one and two hours after delivery. Changes to basal rates of course take the same amount of time, but are more subtle because the doses are much lower.
Turning off or DoS-ing a pump will not be lethal. Sensational news stories try to present it like this, because in theory with no insulin you would die, but what really happens is you notice your blood sugar is too high and take more insulin to fix it. If the pump doesn't work, you go back to needles. NPH insulin (long-acting, for overnight use) is available without a prescription (last I checked, which was a long time ago). Insulin syringes are available without a prescription, and I have a few packs on hand in case my pump fails. Pump manufacturers take failures seriously and will replace the pump quickly (Disetronic used to always send two, so you had a hot spare - I'm not sure if Accu-Chek, who bought them, still does this).
High blood sugar is a lot less damaging, short term, than low blood sugar. It may cause muscle cramps, which are bad if you're driving, and it makes you pee a lot and generally feel bad, but you won't go unconscious until you've been very high for a long time and are on the edge of coma.
Too much insulin is a more plausible way for a pump-hack to cause trouble. Many people have trouble identifying lows, so in some circumstances you could cause unconsciousness. I would keep drinking sodas or fruit juice until the problem went away, but in some cases it may be possible for a very large bolus to knock me out before I knew what was happening. People who are old or normally have poor control may be the most vulnerable to a secret-bolus attack.
I would be very surprised if there is any crypto in the protocols. By default, the pump does not listen to any remotes, meters, or sensors.
Messing with data from a meter or sensor is basically useless. The pump never acts on its own, but it will use a recent meter (not sensor) reading to calculate a bolus if the user requests it.
To add a remote, meter, or sensor, you have to enter the serial number of the remote on the pump itself. It may be possible to do this through the RF programming protocol.
The programming software always leaves the pump in suspend mode, which delivers no insulin and vibrates every few minutes. In fact, the pump doesn't do anything without vibrating or, if the battery is low, beeping. Some operations can't be done during others: if a new meter reading shows up during a bolus, it will be reported after the bolus is finished.
Sending a fake meter reading can only cause trouble if it happens immediately after a real meter reading but before the user commands a bolus. The user would still have to not notice the new, incorrect reading, and would have to approve the incorrect bolus.
Sending a fake sensor reading is just annoying. The Minimed sensor produces questionable results often enough that the user would either ignore it or recalibrate. The sensor sends a new reading every minute and the graph is updated every five minutes. A single bad reading means nothing, and no one should be taking insulin based on only a sensor reading.
If you could make the p
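As an added illustration (not code from the thread, the vendor, or Radcliffe's research), a toy Python model of the pairing-by-serial rules described in the two comments above: the remote option is off until a serial is entered, only a paired serial is accepted, a single bolus is capped at 20 units, and every delivery raises an alert. A hardened variant adds an HMAC tag and a strictly increasing counter so that a captured command cannot simply be resent; the class names, the message format, the shared key and the sample serial are all assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

MAX_BOLUS_UNITS = 20.0  # assumed constant: the per-bolus cap mentioned in the thread

@dataclass
class Pump:
    # Toy model of the pairing rules described in the thread, not a vendor protocol.
    remote_serials: set = field(default_factory=set)  # paired remotes; empty = feature off
    alerts: list = field(default_factory=list)        # the pump never delivers silently
    delivered: float = 0.0

    def remote_bolus(self, serial: str, units: float) -> bool:
        # The serial number is the only "credential" in this model.
        if not self.remote_serials:                 # no serials entered: remote option off
            return False
        if serial not in self.remote_serials:       # unpaired remote is ignored
            return False
        if units <= 0 or units > MAX_BOLUS_UNITS:   # single-bolus limit
            return False
        self.delivered += units
        self.alerts.append(f"bolus {units}U via remote {serial}")  # vibrate/beep
        return True

def sign_command(key: bytes, serial: str, units: float, counter: int) -> bytes:
    # Assumed wire format: serial|units|counter, authenticated with HMAC-SHA256.
    msg = f"{serial}|{units:.1f}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class AuthPump(Pump):
    # Hardened variant: a shared key set at pairing plus a strictly increasing counter.
    key: bytes = b""
    last_counter: int = 0

    def remote_bolus_auth(self, serial: str, units: float, counter: int, tag: bytes) -> bool:
        expected = sign_command(self.key, serial, units, counter)
        if not hmac.compare_digest(expected, tag):  # forged or altered command
            return False
        if counter <= self.last_counter:            # a captured command resent later
            return False
        if not self.remote_bolus(serial, units):    # pairing and dose rules still apply
            return False
        self.last_counter = counter
        return True

def replay_comparison() -> tuple:
    # Resend one captured command to each model; only the plain pump accepts it twice.
    plain = Pump(remote_serials={"123456"})          # constructed sample serial
    auth = AuthPump(remote_serials={"123456"}, key=b"pairing-secret")
    tag = sign_command(auth.key, "123456", 5.0, 1)
    plain_ok = [plain.remote_bolus("123456", 5.0) for _ in range(2)]
    auth_ok = [auth.remote_bolus_auth("123456", 5.0, 1, tag) for _ in range(2)]
    return plain_ok, auth_ok
```

The comparison returns ([True, True], [True, False]): the serial-only pump accepts the resent command, the authenticated one rejects it while still alerting on the first delivery.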
I spent a LOT of time in various hospitals and long-term care facilities over the last year (friend with cancer), and found that most now rely heavily on WiFi-enabled IV/medication pumps and monitors. Almost every piece of equipment I looked at had a WiFi indicator light on it (some even actually said "WiFi"). There were also several secure WiFi networks operating within each facility, including, thankfully, free public Internet access. Depending on what can actually be done with them remotely, I found this a bit alarming though. If someone can hack an insulin pump, they will probably have the "keys" to other equipment, at least by the same manufacturer. This really opens the door to something like murder-by-WiFi.
One should strive to create the most efficient and secure code possible for intrinsic reasons, and insulin pump control software is no exception. That said, there are far easier ways to kill a man from half a mile away. Our brains' defenses are wholly inadequate to contend with a bullet fired from a sniper rifle. This isn't a bug, it's recognizing that we live in a dangerous world. Yes, we should secure medical devices against unintentional interference, but securing them against malice is like developing body armor to specifically defend against weaponized Rube Goldberg machines. The chance of encountering a Bond villain that kills in such a convoluted way is quite remote. Also, ego aside (crux of the issue IMHO), none of us are James Bond and our enemies are unlikely to care enough to go to that amount of trouble.