Last week at the Black Hat 2011 conference Jay Radcliffe, a Type-I diabetic like myself, presented his research into the security of modern medical insulin pumps.
For the uninitiated, an insulin pump delivers the hormone insulin to diabetics who can no longer produce it naturally, giving them better control of their blood glucose than can be achieved using multiple daily injections (MDI).
Newer models of insulin pumps offer the ability to communicate by radio to make diabetics’ lives easier. The device can read your blood sugar automatically from a continuous glucose monitor (CGM) or blood glucose meter.
Jay investigated and reverse engineered the radio protocol between the CGM and the pump and was able to discover a lot about how the device communicates. The device was vulnerable to replay attacks, but he was unable to fully forge fake glucose readings.
The devices are also configured to allow you to dispense insulin from a handheld sensor, something akin to the device on your keychain for locking your car. A third method of wireless communication is also possible using a USB stick that talks to the pump over radio.
Radcliffe explored the third method, as the vendor provides a Java application that can be used to wirelessly configure the device. This is the very scary part: there was no authentication or encryption between the configuration tool and the device.
It does require the serial number, although arguably it could be socially engineered or simply brute forced. My device has a six-digit ID, so brute forcing it is not out of the realm of possibility.
What could you do were you able to talk with someone’s insulin pump over the air? You could turn it off, change any and all settings on the device related to the delivery and calculation of the correct quantities of medicine they require, nearly any setting the device supports.
Worse yet, the device has no ability to notify you that it was modified, or to prompt you to accept the new configuration. Perhaps it is time I built a tinfoil hat for my pump… the radios cannot be disabled.
At this point in time it is not possible to “patch” the firmware on a device, leaving it vulnerable for the life of the device (usually five to ten years).
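To make the weakness concrete, here is an added example (not from Radcliffe's research or any vendor's code) sketching what a minimal authenticated, replay-resistant command format for such a device could look like: a per-device secret key, an HMAC tag over every message, and a monotonically increasing counter, so that a captured message cannot be resent and the serial number alone is not enough to issue commands. The key, serial, message layout and command strings are all constructed assumptions.

```python
import hmac, hashlib, struct, os

# Constructed example of an authenticated, replay-resistant command format.
# Layout: serial (6 ASCII bytes) | counter (uint32, big-endian) | command | tag (32 bytes)
# The tag is HMAC-SHA256 over everything before it, keyed with a per-device secret
# that is provisioned at manufacture and never sent over the air (assumption).
TAG_LEN = 32

def build_command(key: bytes, serial: bytes, counter: int, command: bytes) -> bytes:
    """Controller side: sign a command under the device key with a fresh counter."""
    body = serial + struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Pump:
    """Device side: applies a command only if the tag verifies and the counter is fresh."""
    def __init__(self, key: bytes, serial: bytes):
        self.key = key
        self.serial = serial
        self.last_counter = 0   # highest counter accepted so far
        self.applied = []       # commands that were actually applied

    def receive(self, msg: bytes) -> bool:
        if len(msg) < 6 + 4 + TAG_LEN:
            return False
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare; a bad tag (wrong key or tampered bytes) is dropped.
        if not hmac.compare_digest(tag, expected):
            return False
        serial, counter = body[:6], struct.unpack(">I", body[6:10])[0]
        if serial != self.serial:
            return False
        # Replay protection: a counter at or below the last accepted one is stale.
        if counter <= self.last_counter:
            return False
        self.last_counter = counter
        self.applied.append(body[10:])
        return True

def demo():
    key = os.urandom(32)      # constructed per-device secret
    serial = b"123456"        # constructed six-digit serial
    pump = Pump(key, serial)
    msg = build_command(key, serial, 1, b"set-basal-rate 0.8")
    first = pump.receive(msg)
    replay = pump.receive(msg)  # identical bytes captured and resent: rejected
    # Knowing the serial alone is not enough without the key.
    forged = pump.receive(build_command(b"wrong-key", serial, 2, b"suspend-delivery"))
    return first, replay, forged, pump.applied
```

A real device would also need a secure way to provision and, if necessary, rotate the key, which is exactly the kind of change that cannot be made to a pump whose firmware cannot be patched.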
This could kill people if it were used by someone with malicious intent. Hopefully Radcliffe’s research will result in manufacturers taking the security of medical devices much more seriously.