Slashdot Mirror


Probing Insulin Pumps For Vulnerabilities

Several readers have sent in news of a presentation at the Black Hat security conference from a diabetic security researcher, Jerome Radcliffe, who is looking into the security of automated insulin pumps. While most of the headlines are sensationalist, referencing "lethal attacks from a half-mile away," Scott Hanselman breaks down the media reports and weeds out the inaccuracies, explaining that while this is a valid area of concern, diabetics don't need to cover themselves in tinfoil just yet. "Just to be clear, Jerome has not yet successfully wirelessly hacked an insulin pump. He's made initial steps to sniff wireless traffic from the pump. I realize, as I hope you do, that his abstract isn't complete. Hopefully a more complete presentation is forthcoming. I suspect he's exploiting the remote control feature of a pump. ... What Jerome has done, however, is posed a valid question and opened a door that all techie diabetics knew was open. It is, however, an obvious question for any connected device. Anyone who has ever seen OnStar start a car remotely knows that there's a possibility that a bad guy could do the same thing."

10 of 81 comments

  1. What pump has *control* via wireless? by Anonymous Coward · · Score: 2, Informative

    Various pumps record RF transmission of blood glucose readings from glucometers, or from continuous glucose sensors that connect to a pump. This includes the Medtronic Paradigm I'm wearing right now. But this number is visibly displayed as part of the setting to request a "bolus" of insulin, and no current pump that I can find closes the feedback loop and allows the glucose sensor to directly control the pump: this is because the continuous sensors are, basically, very expensive ouija boards that require frequent recalibration with an actual finger-prick based glucometer. They're basically no more useful than checking in the mirror for muscle tremors or changes in vision associated with extremely high and extremely low blood sugars, or keeping track of how often you need to pee. (I've tried the continuous sensors: they all suck.) There is no pump on the market that is directly controlled by a continuous sensor: they're not accurate enough to rely on.

    It is theoretically possible to skew the continuous sensors over a long period and encourage over, or under, dosing of insulin. This could particularly be an issue during the night, when actually verifying it with a finger-stick blood sample is unlikely. But such errors would show up pretty quickly as being out of sync with morning measurements, and with remotely good control, most of us diabetics have learned to detect, without instruments, what our blood sugar is. The sensors provide invaluable calibration and fine tuning for that sense, but gross errors would be noticeable to most of us.

    Of course, if I caught anyone screwing with my glucose readings this way, they'd die the death of a million blood samples before I was done with them.

    1. Re:What pump has *control* via wireless? by Gunnut1124 · · Score: 4, Informative

      Omnipod and OneTouch Ping both use the same type of wireless control unit, though not directly inline with a CGM. The system he tested (Paradigm Reveal) is a 2-part loop that requires human interaction (i.e., the CGM tells you a glucose reading, then you use the pump to decide how much insulin to deliver). All he was able to do was jam the data from the real CGM sensor and spoof it with false data. That's not exactly "hacked" but is a threat. The pumps with wireless control units are where I'd expect to see the primary fault and possible loss of control. (FYI, I'm a diabetic with a deep knowledge of both these systems from a user's perspective, as well as an IT worker in a medical field. These may not be perfect credentials, but I figure it might be relevant.)

      --
      America is all about speed. Hot, nasty, badass speed. -Eleanor Roosevelt, 1936
    2. Re:What pump has *control* via wireless? by tirerim · · Score: 2

      There's an optional remote control for the Paradigm that can be used to deliver insulin. It's a $150 accessory, and of the several pumpers I know (including myself), I don't know anyone who has one, but it does exist. Since you have to turn on the option from the pump (Utilities -> Connect Devices -> Remotes, on the 723), it's probably impossible to exploit on someone who doesn't already have a remote, but it seems entirely plausible to do so if they do.

      And I'm right there with you on the CGMSs. Bloody useless (literally) -- I tried it for about a month and gave up. They might work better for people with nice, consistent schedules for eating and exercise, whose blood sugars don't change that much or that rapidly, but if you have that I don't see why you would need a CGMS in the first place.

  2. "Easy to make" by 0100010001010011 · · Score: 2

    Medical Device #1 costs $500. It was made with an embedded RTOS on a ROM. It does one thing, ALL the time.

    Medical Device #2 costs $250. It was made with Windows CE, a cheap TTL motor and a simple full screen app that launches at boot. It was developed fast, breezed through FDA 'certification'.

    Which one is the normal consumer going to buy?

    See also voting machines, ATMs, etc.

    1. Re:"Easy to make" by Anonymous Coward · · Score: 2, Funny

      The one that really whips the llama's ass?

    2. Re:"Easy to make" by magusxxx · · Score: 2

      You forgot Medical Device #3 which can run Doom.

      --
      Care killed the cat, but satisfaction brought it back.
  3. My experience by TheCabal · · Score: 2

    My wife uses the OmniPod disposable pumps. They are controlled by a wireless PDA-like device. When she was switching from a conventional pump to the Omnis, I wrote to the company and asked them to explain to me how their wireless technology works, what protocols are they using, what security measures they have taken to protect the pods from malicious activity. My concern was the possibility of an outside party either deliberately or accidentally messing with the pod settings, and minimizing insulin delivery or pushing a huge bolus.

    I even offered to sign an NDA. Obviously, the company was less than willing to divulge their proprietary secrets, and I was shuffled off to a PR flack, who just reiterated the same marketing material over and over.

  4. Had a pump for 8 years by sheepweevil · · Score: 3, Interesting

    I've had a MiniMed Paradigm for about 8 years now, and all of what Scott said makes sense. In addition, there are a few more things which make this impractical. I assume the researcher is trying to hack the "Remote" option. Not only do you need to turn the remote option on, you need to add IDs of the remotes to the pump itself. So unless you can figure out how to add IDs remotely, you have to find someone with a remote, and get the ID from the remote.

    Second, there's a limit (at least on my Paradigm version) of 20 units of insulin at a time. I haven't tried this, but I think there's a system to prevent you from giving multiple 20 unit boluses at a time. Since I take around 14 units for some meals, 20 units of insulin is conceivable to overcome just by eating sweets, and there's always glucagon injections in a pinch. My pump makes a sound when it is done giving a bolus, meaning the diabetic could notice that a bolus was given (perhaps the beep is turned off for continuous glucose monitoring systems though).

    Finally, hypoglycemia is rarely fatal. From Wikipedia: "In nearly all cases, hypoglycemia that is severe enough to cause seizures or unconsciousness can be reversed without obvious harm to the brain." So even if you figure out how to give a remote bolus and succeed, it isn't likely to kill the diabetic.

    1. Re:Had a pump for 8 years by fermion · · Score: 2

      Remote IDs, at least for some wireless, are not an issue. Sniff the network for IDs, spoof those IDs, and you're in. That is why on networks I want to remain private, I not only close the network and require MAC, but also have a password.

      As far as the 20 unit limit, the security of this is dependent on whether the setting is in hardware or software. If it is in software, there is a possibility that the limits can be overridden and all insulin can be dumped. Even if in hardware, any constraint between dumps is likely software, and can be hacked.

      I cannot fathom a reason why someone would want to mess with the instrument, other than to show it can be done, which hopefully will result in a more secure device. A more secure device will reduce the possibility of accidental dosage errors. I mean, really all that needs to be done is figure out a way to remotely disable the injection mechanism while making everything show normal, and that could quickly lead to a fatal condition. If that is accidental, and not malicious, the outcome is the same. It is like those warnings to turn off electronic devices on an airplane. It is scary knowing that one gameboy could down a plane, though I know it is not quite that bad.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  5. You brush over the danger of hypoglycemia by Shivetya · · Score: 2

    Sorry, but my mother is type 1 as well and hypoglycemia is the biggest danger she faces on a daily basis. Why? Because it can occur without her recognizing it. Sure we all know the symptoms, she certainly does, but one problem with low blood sugar is that you're not always thinking clearly and you don't always arrive at low blood sugar at the same rate. Worse, depending on many other issues one day's low blood sugar can have different results than another.

    The real threat here is for those type 1s who are not in constant contact with other people, like a spouse or children in the same home. I made a trip to my parents one day to drop some boxes off; I was under the impression they were not going to be home. I saw my mom's car in their garage but still was under the assumption that she was with my dad. Well, lo and behold, she was in the house and barely conscious. When I was able to recover her (that wonderful rescue shot plus tabs/juice) we went over what happened. She knew she was low and was going to fix it... but.. but... and there she went. She sat down, started to check her pump and passed out. Her blood sugar fell. Now imagine you're asleep. I know the pump vibrates; well, it falls to the side, the needle comes out, or any of the many other problems that can occur... and if you're alone or not checked for how many hours - well, you get the picture.

    Now contrast this with hyperglycemia (too much): she has never gone unconscious in this state. She has had throw up fits and such, but she was always able to try and fix it. She could even get herself to the hospital. She has been well past 600+, she knows people who went higher. She spent days over 400 with the hospital unable to explain it. She was fully functional. You cannot say the same for low blood sugar.

    I just wanted to reply so that people don't get the idea it rarely is fatal, which implies it's not dangerous. It's very much going to be fatal if someone is not around to help you and honestly, if you're type 1 I would make sure people know that if you're not where you should be then there might be a problem.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.