Diabetics are hunting down obsolete insulin pumps with a security flaw

Eight years ago, thanks to 10-year-old code that failed to use encryption to conceal the content of its wireless transmissions, security researcher Barnaby Jack successfully hacked a Medtronic insulin pump and proved it’s feasible to poison a diabetic wearer with a potentially lethal overdose.

If diabetic equipment hackers cared about money, that security flaw would now be worth more than gold. But they don’t.

What the community of people devoted to hacking their way to better diabetes management through homemade, closed-loop systems care about is helping themselves, loved ones and each other to climb over the lag in Federal Drug Administration (FDA) approval of such systems.

Medtronic hasn’t sold those flawed pumps for years. You can still get them, though, and an army of people dedicated to hacking insulin pumps has arisen to source them wherever they can find them, including on an underground market for medical devices that exists in places like eBay, Craigslist, or Facebook.

This is nothing new. Hackers first realized they could exploit the security flaw for a DIY diabetes revolution back in 2014. And on Monday, The Atlantic published a comprehensive look at how they’re hunting down the obsolete, security flaw-ridden devices, which can be used to create artificial pancreases because they’re so conveniently hackable.

DIY pancreas

The pancreas of a Type 1 diabetic doesn’t produce insulin, or doesn’t produce enough, to keep blood sugar levels under control. That lack of control will eventually lead to death if the hormone isn’t administered manually, whether it be through multiple daily injections or via insulin pumps that do it automatically and continuously, feeding a steady drip of insulin through thin, disposable tubing that’s inserted under the skin.

Another crucial part of diabetes care is a continuous sensor that measures blood sugar levels, which also slips just under the skin.

Tie together insulin delivery with CGM data, throw in some algorithms that can dynamically respond to rising and falling blood sugar by adjusting insulin delivery, and you’ve got an artificial pancreas. The idea is like the promised land to Type 1 diabetics: without the need to continuously monitor blood sugar levels, they can actually sleep through the night.

Many now can’t, given how CGM alerts jolt them awake, calling them to action, be it through eating something to fend off low blood sugar (potentially lethal) or to administer more insulin to fend off high blood sugar (also dangerous and potentially lethal).

It’s not that we don’t have all the hardware components now. We had the components to create an artificial pancreas back in 2014, as well. The problem was, and still is, that the pumps couldn’t talk to the sensors. That’s where the Medtronic pump’s security flaw came in.

The hackers realized they could exploit that flaw to override the programming in the old Medtronic pumps, substituting their own algorithm that automatically calculates insulin doses based on real-time glucose data. As the Atlantic puts it, it closed the feedback loop.

Multiple looping systems now available

The hackers made the code available online as OpenAPS – the Open Artificial Pancreas System project – and homemade “looping” was born. Besides OpenAPS, there’s also now another system called Loop. There are communities that have grown up around the technologies to help what the Atlantic says are now thousands of people who are experimenting with DIY artificial pancreas systems.

The FDA hasn’t officially approved any of them. That isn’t stopping diabetics and their helpers, though, whose war cry is #WeAreNotWaiting.

As word has spread, the old, compatible Medtronic pumps have gotten ever tougher to hunt down. The Atlantic spoke to one diabetic who got lucky enough to win one in a periodic raffle held by an online group for diabetics – that’s how coveted they are.

Aren’t these diabetics frightened of malicious Wi-Fi hacks?

When Jack first hacked the Medtronic back in 2011, the news was met with alarm, as are any security flaws that could lead to somebody dying. It was yet another example of how the FDA wasn’t taking the issue of medical device hacking seriously, critics said.

But the remote possibility that somebody’s going to scan for their pumps’ serial numbers and get physically close enough to remotely take it over don’t come close to offsetting the relief that loopers get from being able to simply relax when it comes to the constant vigilance that is the lot of diabetics. The Atlantic quotes one looper, Doug Boss, who said that the everyday risks of high and low blood sugar are a lot more real than the possibility of a malicious hacker lurking around a corner:

If I drink coffee in the morning and forget to enter it into my phone, my blood sugar is going to be higher than normal.

Thank you, Barnaby Jack

It’s not often that we get the chance to write about the upside of a security flaw… if ever. This is the most positive one I’ve ever run across, at any rate. And it’s a welcome opportunity to thank the ingenious Barnaby Jack for calling the world’s attention to a security flaw that could have caused harm but did the opposite.

Barnaby Jack passed away in 2013. We lost you too soon, Mr. Jack, but as time goes on, we grow ever more grateful for your contributions.