McAfee Claims Successful Insulin Pump Attack
judgecorp writes "Intel security subsidiary McAfee has claimed a successful wireless attack on insulin pumps that diabetics rely on to control blood sugar. While previous attempts to attack insulin pumps have met with mixed success, McAfee's Barnaby Jack says he has persuaded an insulin pump to deliver 45 days worth of insulin in one go, without triggering the pump's vibrating alert safety feature. All security experts still say that surgical implants are a benefit overall."
It isn't connected.
There is always that conspiracy theory that many if not most viruses are written by anti-virus software vendors.
After all we didn't have many viruses until these things appeared on the market.
I'm not one to believe this sort of conspiracy theory, but McAfee isn't doing themselves any favors by publicizing this.
Usual run-of-the-mill computer viruses and exploits don't usually harm one's health in the way that this has the potential to do. I mean, seriously - a virus could infect your insulin pump and kill you??
I know it's naïve to even ask, but would this be used in the wild? What special sort of sicko would do this for kicks?
These are implant devices that respond to radio for diagnostic info, updates, etc. Much like a pacemaker.
It isn't connected.
But it could be (then you would patent it, I suppose.)
While this is interesting and all and potentially could be used at a high value directed target, as a general problem it's pretty limited. There aren't many insulin pumps out there, there are several manufacturers and I would imagine the exploit is device specific.
I'm not sure just why the manufacturer thinks the pump needs to have a wireless function though. If it needs to talk to another device, I would have used a small magnetic cable (so it doesn't get pulled out). Easy peasy as opposed to convincing a wireless device to talk to something else.
Faster! Faster! Faster would be better!
Indeed. Lots of technology benefits from wireless access but does not have adequate security, if any.
http://www.ted.com/talks/lang/en/avi_rubin_all_your_devices_can_be_hacked.html
McAfee releases an antivirus product for insulin pumps.
I can also just stab the old lady with a kitchen knife. But either way I'm probably going to jail for the rest of my life, which keeps me from doing it.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
You've really never heard of security companies coming up with exploits first so they know how to solve them in case somebody else has the same idea?
The Matrix giveth, and the Matrix taketh away.
I want to delete my account but Slashdot doesn't allow it.
"All security experts still say that surgical implants are a benefit overall." I'm impressed they managed to ask *all* the security experts of the world for their opinion.
So what?
If someone throws a rock into your windshield, you die. We still drive cars.
Hell, if someone sticks a knife into you, you die. Everyone uses knives.
If someone wants you dead, there are a myriad ways to do it. The problem is not with those attack vectors, but with the fact that someone is after your life.
This is not a 'security breach', it is murder. And it takes a murderer to do it.
This is just another case of 'same old, but now on the intertubes/with a computer!!'.
An insulin pump is NOT implanted inside the user's body, and it is NOT a medical implant. A small, disposable cannula attached to the pump via plastic tubing is inserted by the user under the skin just a few mm, and is exchanged by the user every few days. There is no permanently inserted component to an insulin pump.
Also, a pump's cartridges to hold insulin typically range from 200-300 units. Contrary to the article's claims, this is not 45 days worth! Someone who is not insulin resistant using a 200 unit model would get 6, 7 days out of it tops. People who use the bigger ones because they are very insulin resistant might use 300 units in just a couple of days.
The BBC article also states "Mr Jack said diabetics typically needed a dose of 5-10 units of insulin after a heavy meal to help regulate blood sugar. Making the device empty its cartridge into a host's bloodstream would cause "deep trouble"."
This is very flawed as well. Typically, insulin is taken before a meal whenever possible, and how "heavy" the meal is, is irrelevant. What matters is the user's insulin to carb ratio (how much insulin they need to properly use a gram of carbs) and how many carbs the item they eat contains. Some people require a very large amount of insulin for very small amounts of carbs, some people require barely any insulin for a large amount. Also, when a person relies on an insulin pump, they're not just adding insulin to their body during mealtimes, the vast majority will be using it to deliver a "basal" dose of insulin, or a small amount of insulin 24/7 to stay alive (as this is a function normal non-diabetic bodies perform.) They also use it to deliver corrections, or small doses of insulin in response to blood glucose levels that are higher than expected after meals or throughout the day. A pump is not just a device you use after a "heavy meal."
While it is true that an insulin cartridge unwillingly emptied into a patient poses significant danger, even without an alarm, I suspect 99% of people would be able to quickly notice such a large dose of insulin being delivered. You can see and feel insulin being delivered that rapidly. And if they happened to miss it, that's what frequent monitoring of blood glucose (which is required for all insulin pump users) is for. Sure, taking 200-300 units more than you should have would be a world of suck, but if you had access to food to eat or a sweet drink or glucose tablets, it's very likely an experienced diabetic would survive that sort of incident... to say nothing of if the cartridge wasn't full. But that's all assuming we're taking someone who has clearly made several mistakes in their reasoning for their word when they say they can access these devices.
If more security were implemented in an insulin pump, there would certainly be no "frequent surgeries to replace the batteries," as the battery is (like the entire pump) stored in an external pump. It would involve the manufacturer mailing you a replacement and you switching it out.
Finding a security vulnerability is not "making viruses". Would you prefer that this be first discovered by someone who's not so nice as to disclose their findings, so that insulin pumps just start mysteriously "malfunctioning" and killing patients?
Regardless of what you may think of the quality of McAfee's software, they're not being anything besides white-hat here.
Who needs a high-value target when you could hold any diabetic hostage for ransom? All it takes is a vulnerable wireless router with a sufficiently flexible transmitter, and the ability to scan for a nearby victim. Barring the implacable reality of device incompatibility, this is scary stuff.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
So McAfee is trying to find ways to kill my grandmaw?
s/©//g
True, but most people don't come with "instant wireless death button" enabled.
And it takes a murderer to do it.
No, in this case it takes a script kiddie.
Pretend there is some witty statement here.
It's called proof of concept.
I completely agree, if this gets in the wild what would stop some sociopathic miscreant from sitting outside of a Wal-Mart or whatever and randomly assassinating people using their insulin pumps? I don't think profit has to be a factor in the equation when the human animal is involved and a person's death is the end result.
I got here through a series of tubes
An insulin pump reservoir holds nowhere near 45 days worth of insulin, it isn't even safe to keep insulin out at room temperature (much less worn close to your body temperature) for anywhere near that long.
On the extremely unlikely chance that someone decided to murder you with your insulin pump, I'd suspect well over 99% of "murder victims" would survive. You can feel that much insulin going in, and you can definitely pick up its effects on a blood glucose meter (or in the symptoms of hypoglycemia coming on, if you experience them, which even people with hypoglycemic unawareness likely would at this high a dose.)
If at any point in time before the hour minimum for that dose of insulin to become dangerous you notice that a huge pocket of insulin was just injected in your body (or you happen to listen and hear your pump injecting that huge dose, which takes time, or you saw/felt it in the pump and tubing itself), or you test your blood glucose and realize it's going unexpectedly down, or you start to feel weird, and you just go and eat or drink something sweet, this is a very survivable overdose.
Getting a full reservoir full of insulin at once would suck, and it's legitimate to be concerned about how well manufacturers are protecting these devices from outside attack. But this is not likely to be an effective means of killing anyone, and it's not a rational reason to fear getting an insulin pump. The effects of not having the improved glucose and a1c control an insulin pump offers (if you need insulin therapy) are extraordinarily more likely to kill you.
I think the fear of this comes not from the fact that it's possible, but the fact that it seems much more difficult to investigate, and thus more appealing to a would-be killer, than other forms of murder. Harder to investigate translates to less likelihood of getting caught, which in turn translates into less apprehension about committing the crime.
Help protect civil rights from abuse by the TSA - visit TSA News Blog.
http://www.tsanewsblog.com
Yeah but a lot of the time people don't kill other people because of the evidence trail, or just sheer inconvenience of it. If it was as easy as hitting a "run" button on your smartphone, people might not be so hesitant. The fear of being caught keeps a lot of people honest and if people didn't have that fear, how honest would people really be in today's society? I doubt that I'd have the restraint at, say, a Westboro protest or a Tea Party rally.
... it seems like if beaming a RF signal is all it takes to control the device, it's a terrible, terrible design.
If I were designing an implantable device that I wanted to be robust to attacks like this, I'd build in a two-stage security system. The first would be a piezoelectric element connected to an oscillator tuned to a particular frequency that acts as a switch for the radio receiver; only when exposed to a strong signal at the appropriate frequency will it even start *listening* for an RF signal. The advantage of this is that sound propagates quite strongly directly through tissue; it would be very difficult to trigger the receiver by just shouting at it, but fairly easy to just strike a tuning fork of the right frequency and place its base on top of the device, relying on the very strong mechanical coupling through the skin to amplify the transmission. If you want, make the frequency 440-A -- the goal here is not security through obscurity, but to require physical contact with the patient.
This turns on the RF receiver itself, which would then require authentication with some standard key-exchange method before agreeing to do whatever. The acoustic trigger is both there to serve as another "factor" for two-factor authentication and to guard against any sort of DoS attack by making the radio not even pay attention until some condition is met.
"We can influence any pump within a 300ft [91m] range," Mr Jack told the BBC. "We can make that pump dispense its entire 300 unit reservoir of insulin and we can do that without requiring its ID number."
So you're telling me that a bad actor could affix a computer with malicious software to a car, and drive it to the parking lot of a hospital that refills these insulin pumps, and kill lots of people?
And how would the police detect such a thing, let alone find who was responsible? A terrorist would be long gone before law enforcement had the first clue.
If I were the maker of one of these wireless medical devices, I'd be tempted to tell my users to wrap them in foil!
Apparently it's not that painful. With extremely low blood sugar you get cold sweats followed by a coma, then death.
If someone sticks a knife into me, I die, but he leaves evidence, maybe someone sees him. Throwing a rock into my windshield (when I'm driving) is quite difficult. Also, the murderer needs to be stronger than me, or I could fight him off or run away.
Shooting me with a pistol is loud and someone will most likely hear the gunshot, maybe see the killer running away with the gun or throwing the gun away. Also, a gun is quite difficult to get (in my country), I assume the murderer won't want a legal gun that can be traced back to him, but even to buy a gun legally you need to pass various checks.
Shooting me with a sniper rifle is difficult because it is difficult to actually obtain a sniper rifle and it requires skills to shoot accurately over long distances.
On the other hand, pointing a high gain antenna and running a pre-made script is easy and does not leave any evidence. Or just walking past me with a transmitter in pocket programmed to transmit the required codes.
Because wireless is cool! Being wired is just so 5 years ago.
There are different kinds of pumps. The most common is the type you describe, but there are in fact implantable insulin pumps which get refilled via syringe, and this is the type described in the article:
"The pumps hold 300 units of insulin, enough for about 45 days, and are refilled by a syringe."
Who needs to update their heart from 300 feet away? One of the articles discusses encryption as a solution -- because the person is an idiot. My heart doesn't have any encryption. It has one very important security feature: it doesn't talk to devices 300 feet away.
It's very easy to screw with my organs, you come up to me and you hit them. It's really easy.
So who decided that an insulin pump needed full-range wireless connectivity? How about 3 inches. 3 inches would have been great. It's already refilled by a syringe. Ignoring, for the moment, that a syringe-like probe could have updated it without anything being wireless, a simple short-range induction or vibrational signal, or even IR -- actually, IR would have been fantastic because it would have been obscured by clothing, a security device that has resulted in every doctor everywhere asking patients to disrobe, and then leaving for another random amount of time.
But no, let's use a technology designed for long-distance communication. We talk to space telescopes and Voyager probes this way, so it clearly makes sense that implanted devices be accessed this same way -- you know, in case Voyager wants to screw with us.
Try essentially impossible to investigate. How many people do you walk within twenty feet of in any given week? Any given year? Now imagine that any one of those people might have been the person who injected code that waits a predetermined period of time, does something bad, and then erases the location where the time delay is stored so that the original value cannot be recovered after the fact.... Or worse, overwrites the time delay with a value that implicates someone else.
Check out my sci-fi/humor trilogy at PatriotsBooks.
"Because wireless is cool! Being wired is just so 2000 late."
FTFY
It's kind of problematic if you want to hold a random arbitrary person hostage, though. First you'd have to give them diabetes. So maybe buy them a big gulp or something. And maybe an Xbox to keep them from exercising. It'd have to be a kinect-free Xbox. And a comfy chair. Then wait while they get an insulin pump installed. Seems like there are easier ways to hold people hostage...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
All it takes is a vulnerable wireless router with a sufficiently flexible transmitter, and the ability to scan for a nearby victim.
Or, you know, a gun. And anyone nearby for a victim.
Socialism: a lie told by totalitarians and believed by fools.
Mine holds about 3 days supply and my body processes a bolus in about 2 hrs so I would have 2 hours from to notice the issue, be coherent enough to find ~1.8 kg of relatively fast-acting carbs to ingest and then get those carbs down in two hours. I have quite good hypoglycemic awareness but I'm not 100% perfect and onset rates are not always consistent.
I think the issue is overblown but not for the reasons you mention. My pump has a hard-coded bolus limit (20 units per bolus) that I'm guessing they couldn't override wirelessly (the wireless function is purely for administering bolus doses on my pump). I would at least have a chance to hear one or two bolus beeps before it got through the full reservoir. I've also turned the wireless receiver of the pump off since I don't use a compatible glucometer.
The pump tested here is not available to the public (implantable insulin pumps are only for research at this point) so they are hacking a device that only people in trials would be using...equipment that is not fully featured and/or ready for market.
To answer a different question I've seen posed in other posts: Some of the currently available pump models can team up with a glucometer so that the user can administer a dose wirelessly. This is handy if your pump is packed away somewhere that is hard to get to (e.g. a bride wearing a wedding dress).
Room temperature insulin is good for 28-30 days (source: Wisconsin department of Health Services).
The unit in question had a 300 unit reservoir. Even assuming an abnormally low usage of 10 units per day that is only 30 days, and 25 or more units is very common. The 45 days number is pure garbage.
True, but most people don't come with "instant wireless death button" enabled.
Pretty sure a bullet counts as wireless, unless someone's mugging you with a TOW missile. Not to say this shouldn't be secure on general principles, but the limiting factor on killing someone will always be the will to do so.
To be clear here, the wireless in use has nothing to do with WiFi aside from being radio communication. You cannot control/hack/disable these things with a wireless router - they require very specialized equipment to produce the correct radio signal.
Still, not great, but nothing new by a long shot.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
It isn't connected.
But it could be (then you would patent it, I suppose.)
While this is interesting and all and potentially could be used at a high value directed target, as a general problem it's pretty limited. There aren't many insulin pumps out there, there are several manufacturers and I would imagine the exploit is device specific.
I'm not sure just why the manufacturer thinks the pump needs to have a wireless function though. If it needs to talk to another device, I would have used a small magnetic cable (so it doesn't get pulled out). Easy peasy as opposed to convincing a wireless device to talk to something else.
Apple has a patent on magnetically connected cables that they are pretty aggressive about protecting so that wouldn't work. On the other hand I have a deep fryer that has a similar cable that pre dates Apple's implementation by several years.
Any insufficiently advanced magic is indistinguishable from technology.
In almost every country on the planet, it is significantly easier to (legally) obtain a bolt-action rifle than a handgun. There is nothing particularly special about a "sniper rifle" -- it is typically just a standard bolt-action rifle with a scope.
My spoon is too big.
IT'S MR. CREOSOTE!
You're thinking about the problem backward—just scan for people with diabetes and hold them hostage. If they've got one of these expensive insulin injectors and they're in the US, then they're probably filthy rich already.
That lacks the benefits of internet anonymity as cherished by organized crime. This sort of strategy has done wonders for holding up offshore online casinos with DDoS threats.
Okay, perhaps not any old wireless router will be sufficiently reconfigurable, but there's probably [i]something[/i] common enough that's online and could be rewired to act as a scanner for these things.
No! Not BB-style italics! The one true faux pas! My family's honour is destroyed!
A special "sniper rifle" would most likely be designed to be accurate over longer distances than a regular bolt action rifle. While it may be a bit easier to get a permit for a bolt action rifle, it would still be difficult to conceal it to get to the rooftop or wherever and to hit anything with it over a long distance, so it means that the killer would need to really want me dead to buy the rifle, practice with it etc, compared to just downloading a couple of scripts to run on a Linux live CD.
... they're figuring out how to kill people.
Isn't THAT wonderful news?
I'm not sure just why the manufacturer thinks the pump needs to have a wireless function though. If it needs to talk to another device, I would have used a small magnetic cable (so it doesn't get pulled out). Easy peasy as opposed to convincing a wireless device to talk to something else.
Because they're implanted devices. Presently absolutely no-one has any good idea on how to reliably expose a control interface (say, through the skin) without creating a massive risk of infection, or just injury (from mechanical trauma if it snags on something or whatnot).
You also can't just go threading wires through a person willy-nilly like you'd need to do to create useful induction interface (not to mention the danger that you could probably talk to such a thing wirelessly anyway, with the body acting as a pretty good antenna).
Joke's on you. In the right mode, Slashdot would have parsed that.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
It's also worth noting that people throwing rocks off overpasses at cars has in fact killed a number of people, was done by 13 year olds (in at least one instance I recall) and has more or less led to all of them being enclosed in steel mesh to prevent anything much larger than a pebble being dropped/thrown off them.
I'm sure it has, but I meant that it was difficult to hit the particular car with the target in it as opposed to just throwing rocks or bricks and hitting somebody.
In my country overpasses are not enclosed in a mesh, kids probably have better things to do than throw rocks at cars.
Ahh, but this is nearly undetectable. While some people COULD come together and go all CSI and maybe find a few suspicious people, it wouldn't be 'beyond a shadow of a doubt' to see someone standing around in front of Walmart with a backpack on.
Relative safety increases the chances some psycho is going to try to fulfill their desires. If people suddenly had a 99% chance of robbing a bank and getting away with it, there'd be a lot more bank robberies.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
I don't want to live on this planet any more.
Why does this kind of security vulnerability even exist in this day and age? Considering how compact solid state data storage is these days, there's no reason I can think of whatsoever that a vulnerability like this should exist. This is the perfect use case for a one time pad. It's simple. You generate some random data and save a copy of it on three storage devices. One copy goes into the pump, another copy goes into the external wireless controller, and the last copy goes into a safe somewhere. When the wireless controller wants to send instructions to the pump, it xors them against the random data. The pump then xors what it's receiving against its copy of the data to decrypt it. If the controller ever gets lost, a new one can be programmed with the copy of the data that's in a safe somewhere. Provided the control instructions to the pump are long enough, that method makes it virtually impossible to attack the pump without getting physical access to the pump itself, the controller, or the copy of the data securely locked in a safe.
It's like no-one even considers security. Maybe the manufacturers of these pumps take their cues about security from the credit card companies.
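The shared-pad scheme from the comment above, as an added example that is not part of the original thread or any vendor's code. It goes beyond the comment by showing that XOR with a pad gives confidentiality only: a frame altered in transit still decrypts cleanly, so the receiver also needs an integrity tag and a never-reused pad offset. The frame layout, the command string and the choice of HMAC-SHA256 keyed from a reserved pad slice are assumptions of this example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # pad bytes reserved as the MAC key (this example's choice)
TAG_LEN = 16  # truncated HMAC-SHA256 tag
HDR_LEN = 4   # big-endian pad offset carried in every frame


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data against an equally long slice of the pad."""
    return bytes(a ^ b for a, b in zip(data, pad))


class Controller:
    """Sender: holds one copy of the pad and consumes it front to back."""

    def __init__(self, pad: bytes):
        self.pad, self.mac_key, self.offset = pad, pad[:KEY_LEN], KEY_LEN

    def seal(self, msg: bytes) -> bytes:
        off = self.offset
        if off + len(msg) > len(self.pad):
            raise ValueError("pad exhausted; pad bytes must never be reused")
        header = off.to_bytes(HDR_LEN, "big")
        ct = xor_bytes(msg, self.pad[off:off + len(msg)])
        # The tag covers offset and ciphertext, so neither can change unnoticed.
        tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        self.offset = off + len(msg)
        return header + ct + tag


class Pump:
    """Receiver: verifies the tag first, then refuses any used pad offset."""

    def __init__(self, pad: bytes):
        self.pad, self.mac_key, self.next_offset = pad, pad[:KEY_LEN], KEY_LEN

    def open(self, frame: bytes) -> bytes:
        if len(frame) < HDR_LEN + TAG_LEN:
            raise ValueError("short frame")
        header, ct, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        off = int.from_bytes(header, "big")
        if off < self.next_offset:
            raise ValueError("pad offset already used (replay)")
        if off + len(ct) > len(self.pad):
            raise ValueError("offset beyond pad")
        self.next_offset = off + len(ct)
        return xor_bytes(ct, self.pad[off:off + len(ct)])


def demo() -> dict:
    pad = secrets.token_bytes(256)  # constructed sample pad
    msg = b"SET-MODE:1"             # constructed command, not a real protocol
    results = {}

    # 1) XOR only, as the comment describes: one changed ciphertext byte
    #    changes the plaintext and the receiver has no way to notice.
    pad_slice = pad[KEY_LEN:KEY_LEN + len(msg)]
    ct = xor_bytes(msg, pad_slice)
    altered = ct[:-1] + bytes([ct[-1] ^ 0x03])
    results["xor_only"] = xor_bytes(altered, pad_slice)

    # 2) Same pad with a tag and offset tracking on the receiving side.
    controller, pump = Controller(pad), Pump(pad)
    frame = controller.seal(msg)
    tampered = bytearray(frame)
    tampered[HDR_LEN + len(msg) - 1] ^= 0x03

    def attempt(f: bytes):
        try:
            return pump.open(bytes(f))
        except ValueError as exc:
            return f"rejected: {exc}"

    results["tampered"] = attempt(tampered)
    results["valid"] = attempt(frame)
    results["replay"] = attempt(frame)  # identical frame sent a second time
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9} {outcome}")
```
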
Wait, what? Are these medical devices connected to the internet? If you need to use typical wireless, the range and "visibility" won't be that different from a gun, though I guess people sometimes do call the police when they hear gunshots (though not in some neighborhoods I've lived in).
I sort-of agree with you. One problem is the reduced evidence though. At this time, a murder would possibly not even be recognized as such. However, after a transitional period, forensics will get better and these devices will get secured with cryptography. The statement in the BBC article about not enough energy is nonsense. For example, you could interact while providing energy via a coil placed close to the device. And crypto done right does not require that much energy anyways. It is just a competence problem. I expect makers of these devices do not have actual experts on the use of cryptography on staff.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
No, no, that's not the idea. The plan is this:
1. Find some kind of radio that (a) is online, (b) is common, (c) can be hacked into, and (d) can be tuned to interact with the medical devices. This lets you connect the medical devices to the Internet. It may very well be impossible to find such a device, or it may be as common as a cheap Chinese phone with built-in FM transmission for car dashboard integration. I dunno. Too tired to RTFA.
2. Break into a large number of these radios and scan the area around them for potential targets: anyone with the right insulin pump will do.
3. Figure out who they are, through proximity to the base station over a long period of time, and social network activity.
4. Send e-mails threatening to give them a lethal dose of insulin unless they send a bunch of money.
Like malware that demands money or destroys your computer, it's a pretty comprehensive form of blackmail. And unlike your gun proposal, it's a lot harder to trace. I agree that this offers very limited benefit to an assassin, largely because of the convenience of so many non-insulin-pump-related methods of murder, but for something like mass blackmail, where the incentive is to make money rather than kill, the potential is much more scary. Never before have people been able to threaten death on people without being physically present in some way.
I don't use a pump but the ones I've seen over here in the UK contain the insulin in cartridge form and attach to the patient's belt, with a delivery tube going to the belly. If I was wearing a pump and got an email demanding cash to save having a massive insulin dose delivered, what's to stop me physically removing the insulin delivery tube from my belly so the insulin can't be delivered, then using regular injections instead?
The fact they can be hacked is bad news bears and should be corrected but I think your hostage situation is a bit imaginary.
Or, you know, they have health insurance. It's actually not that difficult to get insurance companies to pay for pumps: they know that pump use results in much better blood sugar control, which results in a much lower risk of (even more expensive) complications down the road. I've had three different insurance companies pay for an insulin pump at this point (they need to be replaced after about five years).
I'm not sure just why the manufacturer thinks the pump needs to have a wireless function though. If it needs to talk to another device, I would have used a small magnetic cable (so it doesn't get pulled out). Easy peasy as opposed to convincing a wireless device to talk to something else.
Mostly because some people wear the pump under their clothes (means you don't have a clunky, pager-sized device sitting on your belt or in your pocket with a tube running under your shirt) and use a small wireless remote control to talk to it. The pump also uses wireless communication to talk to blood glucose meters and sensors, but that doesn't control the delivery of insulin.
No, they're not implanted. Implanted pumps do exist, but it's pretty clear that they're talking about run-of-the-mill Medtronic brand external insulin pumps in the article, even if they get some of the details wrong. People still like to wear those under their clothes and control them with a wireless remote control, though.
Do not discount the threat of this process overnight. With my mom's history her real danger is at night. She has slept through the pump alerts including vibration. There are advantages to having a small dog or two on the bed.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
With an aging population it seems terribly interesting that it could be possible to go after people wirelessly.
This is the important part, not now, but in the future. This is just a demonstration of what is possible, and how the mistakes that are being made now may affect all of us in the future.
From a recent talk by Cory Doctorow, http://boingboing.net/2012/01/10/lockdown.html
As a member of the Walkman generation, I have made peace with the fact that I will require a hearing aid long before I die. It won't be a hearing aid, though; it will really be a computer. So when I get into a car—a computer that I put my body into—with my hearing aid—a computer I put inside my body—I want to know that these technologies are not designed to keep secrets from me, or to prevent me from terminating processes on them that work against my interests.
We need to change the way that the industry and the regulators think about these kind of devices. Security by obscurity is just not good enough.
As patients (now and in the future) we should require/demand that all of the software in these devices is open source or they won't get certified for use as implants.
Many people on this site have said something along the lines of "If I were designing these devices then I would use [xyz] to make them secure".
The important point is that geeks like us aren't designing these devices, and for the companies that are designing these devices security isn't a priority.
Good security is expensive, both in terms of employing extra staff with the relevant expertise, and in terms of developer time to implement and test it. Unless peer reviewed security is required by their customers or government regulations, then it is just not enough of a priority to justify the additional cost.
The worst result from this kind of research would be that our politicos jump at a sound bite solution and make it illegal to own or design a device that could interfere with implanted medical devices. Preventing the good guys from testing their own devices, while making it easier for the bad guys by allowing manufacturers to get away with poor security.
The best result from this kind of research would be that we make peer reviewed security and open source code part of the requirements for certification of implanted devices. But that won't happen unless we keep pushing to make it happen.
Using wireless insulin pump. I am an Electrical and Electronics Engineer with specialization in computers and RF communication. I don't believe that anybody (McAfee employee or Al-Qaeda terrorist) can possibly access my insulin pump or my Glucometer. My insulin pump can deliver 315 units of insulin in one go, without triggering any alert, if programmed or operated to do so. I use ~41 units of insulin per day. It is 7 days, 16 hours and ~ 20 minutes of insulin. It is ~17% of 45 days. I am not worried, it is just a regular pile of FUD.
BTW: 315 units of insulin is very fatal for me and most non-metabolic-syndrome humans. The "deep trouble" Mr. Ward is talking about is Cardiac Arrest. Means immediate death.
Some things just don't have any business being connected to the internet.
Exactly. Who the hell thought putting wifi on a medical device was a good idea?
Good job American health insurance companies can be trusted to safeguard their data. Er, Whoops.
My mistake.
Dammit! Nothing. Good show.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
It was a silly idea; diabetics can just take off the pump and use manual injections. It'd never really work.
...but yeah, there's that, too. (I think there was supposed to be a sarcastic, "and who exactly can afford American health insurance?" in there somewhere.)
But I have a business PIN number too!
Oh... oh no.
the first script kiddie frameworks ...
For each adrPump in pumpList do
Poor diet and lack of exercise takes years.
Streptozotocin takes minutes.
Just because it CAN be done, doesn't mean it should!
So, using CSMA/CA in the 2.4 GHz spectrum magically makes it unacceptable? Would you feel better if it used multimorse on 900 MHz or some other obscure protocol?
Or would you rather they have to perform surgery every time they want to read a metric or change something?
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
A competitor could use this to make the other companies products seem deadly.
Just because it CAN be done, doesn't mean it should!
Most diabetics (I've dated a few, speaking from personal experience here,) would rather not look like heroin junkies as they give themselves life-sustaining chemicals.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Perhaps, but it would suffice to subvert any threat on one's life.
Sure, that's possible, but that's precisely the sort of thing security professionals rightly dismiss as a "movie plot threat". While it makes a good story, there's a lot of work, time, and risk involved for skilled people in return for a somewhat uncertain reward. These days anything that doesn't rise above the profit level for effort expended of "create botnet; mine bitcoins" isn't going to happen.
Socialism: a lie told by totalitarians and believed by fools.
Yeah... another person pointed out that you can just take off your insulin pump and use needles until a less-fallible replacement can be obtained. It would be a pretty empty threat even if put into practice.
Still, that being said, kidnappings for ransom do happen on a rampant level in e.g. Mexico. I wouldn't say "mine bitcoins" is quite the end-all be-all of criminal organisation. But your point is taken.
Sadly, heroin junkies don't mind looking like diabetics.
Not really. Just get a good bait & switch and the deed is done.
It's happened to me. Very devastating part of my life.
It has potential for serial/thrill killers, terrorists or assassins though so it's still kind of scary.
Yyyyyyeah... someone else already pointed that out. In the absence of a profit motive, though, it'll probably never be worthwhile to actually do.
I'm guessing they couldn't override wirelessly (the wireless function is designed for administering bolus doses on my pump).
I would at least have a chance to hear one or two bolus beeps before it got through the full reservoir, provided it is operating as it is designed and being used as intended.
I mean, I don't think any hardware or software is designed to guard against all the misuses they have not thought about... but if the pump is connected to the same electronics as the wireless and controlled by a common software stack... it could probably be redesigned... but if I were you I'd be more worried about someone redesigning your brakes.
120 characters ought to be enough for anyone