Slashdot Mirror
McAfee Claims Successful Insulin Pump Attack
judgecorp writes "Intel security subsidiary McAfee has claimed a successful wireless attack on insulin pumps that diabetics rely on to control blood sugar. While previous attempts to attack insulin pumps have met with mixed success, McAfee's Barnaby Jack says he has persuaded an insulin pump to deliver 45 days worth of insulin in one go, without triggering the pump's vibrating alert safety feature. All security experts still say that surgical implants are a benefit overall."
Some thing just don't have any business being connected to the internet.
There is always that conspiracy theory that many if not most viruses are written by anti-virus software vendors.
After all we didn't have many viruses until these things appeared on the market.
I'm not one to believe this sort of conspiracy theory, but McAfee isn't doing themselves any favors by publicizing this.
Usual run-of-the-mill computer viruses and exploits don't usually harm one's health in the say that this has the potential to do. I mean, seriously - a virus could infect your insulin pump and kill you??
I know it's naïve to even ask, but would this be used in the wild? What special sort of sicko would do this for kicks?
"All security experts still say that surgical implants are a benefit overall"
For those who aren't familiar with insulin, and can't be bothered to read the article, a dose of 45days will kill you.
This is effectively a wireless security breach that will kill a person.
I'm a diabetic and the risk of this happening terrifies me. I don't need the pump, so won't be going on it any time soon, hopefully this kind of crap (yes, it is crap, we know that secure networks can be designed and implemented) is ironed out and eliminated as soon as possible.
McAfee releases an antivirus product for insulin pumps.
So,not only being one of the most crappiest AV Vendors around, they now are branching out to making viruses?
I never trusted you before and I sure as fuck do NOT trust you now.
Be seeing you...
It's one thing to publicize an exploit of Firefox or IE that could cause the user's PC to become enlisted in a botnet, but another to show how a twisted mind could kill someone in a most painful fashion and avoid detection while doing so.
I can also just stab the old lady with a kitchen knife. But either way I'm probably going to jail for the rest of my life, which keeps me from doing it.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
The Matrix giveth, and the Matrix taketh away.
I want to delete my account but Slashdot doesn't allow it.
"All security experts still say that surgical implants are a benefit overall." I'm impressed they managed to ask *all* the security experts of the world for their opinion.
An insulin pump is NOT implanted inside the user's body, and it is NOT a medical implant. A small, disposable cannula attached to the pump via plastic tubing is inserted by the user under the skin just a few mm, and is exchanged by the user every few days. There is no permanently inserted component to an insulin pump.
Also, pump's cartridges to hold insulin typically range from 200-300 units. Contrary to the article's claims, this is not 45 days worth! Someone who is not insulin resistant using a 200 unit model would get 6, 7 days out of it tops. People who use the bigger ones because they are very insulin resistant might use 300 units in just a couple of days.
The BBC article also states "Mr Jack said diabetics typically needed a dose of 5-10 units of insulin after a heavy meal to help regulate blood sugar. Making the device empty its cartridge into a host's bloodstream would cause "deep trouble"."
This is very flawed as well. Typically, insulin is taken before a meal whenever possible, and how "heavy" the meal is, is irrelevant. What matters is the user's insulin to carb ratio (how much insulin they need to properly use a gram of carbs) and how many carbs the item they eat contains. Some people require a very large amount of insulin for very small amounts of carbs, some people require barely any insulin for a large amount. Also, when a person relies on an insulin pump, they're not just adding insulin to their body during mealtimes, the vast majority will be using it to deliver a "basal" dose of insulin, or a small amount of insulin 24/7 to stay alive (as this is a function normal non-diabetic bodies perform.) They also use it to deliver corrections, or small doses of insulin in response to blood glucose levels that are higher than expected after meals or throughout the day. A pump is not just a device you use after a "heavy meal."
While it is true that an insulin cartridge unwillingly emptied into a patient poses significant danger, even without an alarm, I suspect 99% of people would be able to quickly notice such a large dose of insulin being delivered. You can see and feel insulin being delivered that rapidly. And if they happened to miss it, that's what frequent monitoring of blood glucose (which is required for all insulin pump users) is for. Sure, taking 200-300 units more than you should have would be a world of suck, but if you had access to food to eat or a sweet drink or glucose tablets, it's very likely an experienced diabetic would survive that sort of incident... to say nothing of if the cartridge wasn't full. But that's all assuming we're taking someone who has clearly made several mistakes in their reasoning for their word when they say they can access these devices.
If more security were implemented in an insulin pump, there would certainly be no "frequent surgeries to replace the batteries," as the battery is (like the entire pump) stored in an external pump. It would involve the manufacturer mailing you a replacement and you switching it out.
I can't imagine that this can be done very easily (at least with the insulin pump I have). The only wireless communications that it has is directly with a blood glucose meter to get readings from it... thats it. I also haven't seen any insulin pumps that use any standard wireless communication (it looks to be proprietary RF).
I still feel safer with this exploit running around than McAfee getting their software onto these devices...
With an aging population it seems terribly interesting that it could be possible to go after people wirelessly. :)
Doctor:"The deceased appears to have had a malfunctioned insulin pump, your honor."
Lawsuits out the yinyang, headlines, millions go to lawyers, but it was just a lone FBI agent who needed someone out of the way, or a smart outsider who wanted Dick Cheney to finally bite the bucket
Sleep tight, politicos of the world >:)
So McAfee is trying to find ways to kill my grandmaw?
s/©//g
... it seems like if beaming a RF signal is all it takes to control the device, it's a terrible, terrible design.
If I were designing an implantable device that I wanted to be robust to attacks like this, I'd build in a two-stage security system. The first would be a piezoelectric element connected to an oscillator tuned to a particular frequency that acts as a switch for the radio receiver; only when exposed to a strong signal at the appropriate frequency will it even start *listening* for an RF signal. The advantage of this is that sound propagates quite strongly directly through tissue; it would be very difficult to trigger the receiver by just shouting at it, but fairly easy to just strike a tuning fork of the right frequency and place its base on top of the device, relying on the very strong mechanical coupling through the skin to amplify the transmission. If you want, make the frequency 440-A -- the goal here is not security through obscurity, but to require physical contact with the patient.
This turns on the RF receiver itself, which would then require authentication with some standard key-exchange method before agreeing to do whatever. The acoustic trigger is both there to serve as another "factor" for two-factor authentication and to guard against any sort of DoS attack by making the radio not even pay attention until some condition is met.
"We can influence any pump within a 300ft [91m] range," Mr Jack told the BBC. "We can make that pump dispense its entire 300 unit reservoir of insulin and we can do that without requiring its ID number."
So you're telling me that a bad actor could affix a computer with malicious software to a car, and drive it to the parking lot of a hospital that refills these insulin pumps, and kill lots of people?
And how would the police detect such a thing, let alone find who was responsible? A terrorist would be long gone before law enforcement had the first clue.
If I were the maker of one of these wireless medical devices, I'd be tempted to tell my users to wrap them in foil!
There are different kinds of pumps. The most common is the type you describe, but there are in fact implantable insulin pumps which get refilled via syringe, and this is the type described in the article:
"The pumps hold 300 units of insulin, enough for about 45 days, and are refilled by a syringe."
Who needs to update their heart from 300 feet away? One of the articles discusses encryption as a solution -- because the person is an idiot. My heart doesn't have any encryption. It has one very important security feature: it doesn't talk to devices 300 feet away.
It's very easy to screw with my organs, you come up to me and you hit them. It's really easy.
So who decided that an insulin pump needed full-range wireless connectivity? How about 3 inches. 3 inches would have been great. It's already refilled by a seringe. Ignoring, for the moment, that a seringe-like probe could have updated it without anything being wireless, a simple short-range induction or vibrational signal, or even IR -- actually, IR would have been fantastic because it would have been obscured by clothing, a security device that has resulted in every doctor everywhere asking patients to disrobe, and then leaving for another random amount of time.
but no, let's use a technology designed for long-distance communication. We talk to space telescopes and voyager probes this way, so it clearly makes sense that implanted devices be accessed this same way -- you know, in case voyager wants to screw with us.
My pump only holds about 3 days of insulin, how did they come up with 300 units being a month and a half worth?
Thats nuts.
CIA, Mossad, FSB, etc.
[[All security experts still say that surgical implants are a benefit overall.]]
My house is a benefit overall. I still put a lock on the front door.
IT'S MR. CREOSOTE!
... they're figuring out how to kill people.
Isn't THAT wonderful news?
Do you mean: 'pump up kicks?!
I have worn an insulin pump for over a decade. I'm switching to a new one (Medtronic Paradigm Veo) soon, and it has some wireless capability.
This article is complete bullshit. First of all, the summary says he persuaded an insulin pump to deliver 45 days worth of insulin in one go. The article makes no mention of 45 days. A typical 300 unit cartridge (which the article does mention) lasts me under 4 days. Some people may get more time, some less, but nowhere near 45.
But the more important aspect: the wireless component.
The pump I will soon be using can receive data from various blood glucose meters and continuous blood glucose monitors. When it receives this value, it can fall into three categories:
1. High (or trending). Action taken: alert user
2. Normal. Action taken: none
3. Low (or trending). Action taken: alert user, or possibly stop delivery (this may or may not be configurable, I'm not sure)
There is absolutely no reason to ever allow delivery based on a wireless command. This isn't a device sitting across the room that you want to control from your couch. It's attached to you by a cable less than a meter long.
I don't know what pump McAfee claims to have manipulated, but it's not one I've ever seen (and I've done research).
Why does this kind of security vulnerability even exist in this day and age? Considering how compact solid state data storage is these days, there's no reason I can think of whatsoever that a vulnerability like this should exist. This is the perfect use case for a one time pad. It's simple. You generate some random data and save a copy of it on three storage devices. One copy goes into the pump, another copy goes into the external wireless controller, and the last copy goes into a safe somewhere. When the wireless controller wants to send instructions to the pump, it xors them against the random data. The pump then xors what it's receiving against its copy of the data to decrypt it. If the controller ever gets lost, a new one can be programmed with the copy of the data that's in a safe somewhere. Provided the control instructions to the pump are long enough, that method makes it virtually impossible to attack the pump without getting physical access to the pump itself, the controller, or the copy of the data securely locked in a safe.
It's like no-one even considers security. Maybe the manufacturers of these pumps take their cues about security from the credit card companies.
I know those things fsck up all the time anyway. A friend of mine had his go haywire so many times resulting in severe hypoglycemic attacks on par with what the article suggestions that there is just no interest in it for me. Much like regular software such as Windows, the threats posed from the software itself result in many more mistakes and threats to things running properly than some rogue hacker. Multiple daily injections and freedom from cybernetics FTW.
Do not discount the threat of this process overnight. With my mom's history her real danger is at night. She has slept through the pump alerts including vibration. There are advantages to having a small dog or two on the bed.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Using wireless insulin pump. I am an Electrical and Electronics Engeneer with specialization in computers and RF communication. I don't believe that anybody (McAfee employee or Al-Kaida terrorist) can possibly access my insulin pump or my Glucometer. My insulin pump can deliver 315 units of insulin in one go, without triggering any alert, if programmed or operated to do so. I use ~41 units of insulin per a day. It is 7 days, 16 hours and ~ 20 minutes of insulin. It is ~17% of 45 days. I am not worried, it is just a regular pile of FUD.
BTW: 315 units of insulin is very fatal for me and most of non metabolic syndrome human. The "deep trouble" mr. Ward talking about is Cardiac Arrest. Means immediate death.
(sounds of night bugs) Security guy one: Hey..i'm bored......Security guy 2: me too (more sounds of nothingness for several minutes) then a brainfart follows,,,,,Hey let's hack a device that most people dont use and let's scare people with it......OH YEAH GOOD,,,,,,pass me that skittle bag.
Comment removed based on user account deletion
What dumbass designs a system like this with absolutely no security at all? The company should be held criminally liable for being douchebags.
the first script kiddie frameworks ...
For each adrPump in pumpList do
Obviously the article is a cunning ploy.
If they made an outright claim that socialist medicine has advanced technology it would be too obviously socialist propaganda lies. So those devious reds pulled a sneaky trick. The article masquerades as capitalist propaganda so that the reader assumes the technology is a given and an important enough win for the socialists that the capitalists would be making dubious security claims about it in desperation.