Last week at the Black Hat 2011 conference Jay Radcliffe, a Type-I diabetic like myself, presented his research into the security of modern medical insulin pumps.
For the uninitiated an insulin pump is used to deliver the hormone insulin to diabetics who can no longer produce insulin naturally and gain better control of their blood glucose than can be achieved using multiple daily injections (MDI).
Newer models of insulin pumps offer the ability to communicate by radio to make diabetics’ lives easier. The device can read your blood sugar automatically from a continuous glucose monitor (CGM) or blood glucose meter.
Jay investigated and reverse engineered the radio protocol between the CGM and the pump and was able to discover a lot about how the device communicates. The device was vulnerable to replay attacks, but he was unable to fully forge fake glucose readings.
The devices are also configured to allow you to dispense insulin from a handheld sensor, something akin to the device on your keychain for locking your car. A third method of wireless communication is also possible using a USB stick that talks to the pump over radio.
Radcliffe explored the third method, as the vendor provides a Java application that can be used to wirelessly configure the device. This is the very scary part: there was no authentication or encryption between the configuration tool and the device.
It does require the serial number, although arguably it could be socially engineered, or simply brute forced. My device has a six-digit ID, so brute forcing it is not out of the realm of possibility.
What could you do were you able to talk with someone’s insulin pump over the air? You could turn it off, change any and all settings on the device related to the delivery and calculation of the correct quantities of medicine they require, nearly any setting the device supports.
Worse yet, the device has no ability to notify you that it was modified, or to prompt you to accept the new configuration. Perhaps it is time I built a tinfoil hat for my pump… the radios cannot be disabled.
At this point in time it is not possible to “patch” the firmware on a device, leaving it vulnerable for the life of the device (usually five to ten years).
This could kill people if it were used by someone with malicious intent. Hopefully Radcliffe’s research will result in manufacturers taking the security of medical devices much more seriously.
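As an added illustration (not code from the post, the vendor, or Radcliffe's research), here is a toy model contrasting the configuration channel described above, where any command carrying the pump's serial number is accepted and a captured message can be replayed, with a receiver that also demands an HMAC tag under a per-device key and a strictly increasing counter. The serial number, key, and setting names are constructed for the example.

```python
import hmac
import hashlib
import os

# Toy model of the two designs. Serial numbers, keys and setting names are
# constructed for this example, not taken from any real pump.

class LegacyPump:
    """Accepts any settings command that carries the pump's serial number."""
    def __init__(self, serial):
        self.serial = serial
        self.settings = {"basal_rate": 1.0}
    def receive(self, msg):
        serial, counter, name, value, tag = msg  # counter and tag are ignored
        if serial != self.serial:
            return "ignored"
        self.settings[name] = value               # no authentication, no freshness check
        return "applied"

class AuthenticatedPump:
    """Requires a valid HMAC tag under a pairing key plus a monotonic counter."""
    def __init__(self, serial, key):
        self.serial = serial
        self.key = key                            # assumed provisioned at pairing time
        self.last_counter = 0
        self.settings = {"basal_rate": 1.0}
    def receive(self, msg):
        serial, counter, name, value, tag = msg
        if serial != self.serial:
            return "ignored"
        expected = make_tag(self.key, serial, counter, name, value)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"             # sender does not hold the key
        if counter <= self.last_counter:
            return "rejected: replay"              # same or older message resent
        self.last_counter = counter
        self.settings[name] = value
        return "applied"

def make_tag(key, serial, counter, name, value):
    data = f"{serial}|{counter}|{name}|{value}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def build_command(key, serial, counter, name, value):
    return (serial, counter, name, value, make_tag(key, serial, counter, name, value))

def demo():
    serial, key = "123456", os.urandom(32)
    legacy, hardened = LegacyPump(serial), AuthenticatedPump(serial, key)
    cmd = build_command(key, serial, 1, "basal_rate", 0.0)   # legitimate remote command
    first = (legacy.receive(cmd), hardened.receive(cmd))
    replay = (legacy.receive(cmd), hardened.receive(cmd))    # identical bytes resent later
    forged = (serial, 2, "basal_rate", 0.0, b"\x00" * 32)   # serial known, key unknown
    return first, replay, hardened.receive(forged)
```

Running `demo()` shows the legacy model applying both the original and the replayed command, while the authenticated model applies the first, refuses the replay, and refuses a message that carries only the serial number.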
This is scary. One wonders that neither the device manufacturer nor the government oversight organizations (FDA?) would think to consider security for wireless medical devices.
Based on what you describe a malicious hacker could randomly mess with people’s insulin pumps, or could even target a particular individual for a “medical assault” without ever touching their person.
Hopefully, articles such as this one will bring pressure to manufacturers to address this type of security problem.
Who would do anything to a tool like that, that's just stupid
I was at the brief myself. I do agree with many parts of this, and hope this helps the major manufacturers to improve on security. However, the devices mentioned in this research were several years old and in the case of his glucose monitor it was so obsolete they were no longer being manufactured and he couldn't locate the engineer since it was so long ago.
What is missing from this is the current state of devices. I hope they are better, but I aim to find out. I have an appointment on Friday and I plan on pushing the envelope to find out.
The devices in question were the current device being sold up to less than one year ago. The lifespan for most of these devices is eight years. Many people will be using these for many more years. At a cost of nearly $7000 many patients will use them far past their warranty as well, considering they are only covered under the best of health plans.
I saw this on a TV show, like Law & Order, that a hacker got into a hospital insulin pump and killed the patient.
This is most definitely a concern to those of us with implanted medical devices of all kinds. I believe that there's arguably relatively low risk of actual exploitation here, but the fact that it's even possible is astounding and frightening.
I don't have an implanted insulin pump – I have a device called a deep brain stimulator intended to help manage the symptoms of young-onset Parkinson's disease. It's only recently been implanted – I've had it for about 2 months. It's programmed with a handheld device that requires a close-proximity antenna, but I don't know what the communication signal or protocol looks like. I made the assumption that it's some kind of magnetic induction technique, but I think I'll find out. 🙂
I would imagine that any hacking attempts in the real world by very smart but very foolhardy RE/hacker types would be treated by law enforcement and the courts as attempted murder. Hopefully that will be a deterrent as we figure this new problem out.
Let's summarize. Radcliffe demonstrates some party tricks with his insulin pump that are documented in the product manual. The key take-away *should* be:
OK, 6-alphanumeric, symmetrical, shared keys are a little basic at this stage. Let's brainstorm some improvements that consider the real important usability and battery life boundaries. Key rotation scheme? Borrow some refinements from Bluetooth (pseudo-random passkeys generation). Wouldn't this dialog be the most constructive next step?
Why instead do knowledgeable analysts insist on ratcheting up the anxiety level with misinformation? (user cannot disable radios; no authentication to communicate with pump; no warning to user of configuration change).
Patients and potential pumpers bring these distorted headlines to their next clinical appointment where it consumes time better spent on trends and therapy decisions.
Stoking the fire is easy; who will take responsibility for rationalizing the conversation?
I have been type one diabetic for two years. I was totally unprepared for the amount of prejudice and intolerance I would come across from friends and co-workers in every day life, so to be quite frank, this type of hacking is the least of my concerns.
I think you would have to have a VERY strong motive to go to the length of taking control of someone's insulin pump. As per the previous comment, a charge of attempted murder if found guilty should be enough to deter all but the most psychopathic.
Anyway, all the people who hate my guts are too dumb to work out how to do this, so I can rest easy 🙂