Insulin pump attack prompts call for federal probe

The hack of a commercially available insulin pump that diabetics can control wirelessly has attracted the attention of US lawmakers who oversee the safety of the nation's airwaves. In a letter drafted earlier this week, US Representatives Anna Eshoo and Edward Markey asked members of the Government Accountability Office to …

COMMENTS

This topic is closed for new posts.


  1. GuyC
    WTF?

    Well this guy won't collect on his life insurance

    WTF would you try and bugger about with something that is there to save your life......sounds like one for the Darwin Awards

    1. Anonymous Coward
      Anonymous Coward

      I'm going to go with...

      The good old hacker spirit ... because it's there.

      I doubt he needs to be hooked up to the machine to test it. Even if he did, then he wouldn't be setting a fatal dose and as another commenter has pointed out the machines have a fixed upper limit to prevent exactly that.

      Worst case scenario the machine breaks, I would assume (not being diabetic myself) that he has a backup supply of needles and insulin for emergencies anyway.

    2. Anonymous Coward
      FAIL

      To prove there's a vulnerability

      You bugger about with it *because* you depend on it to save your life. If I was using a device like that I'd want to be damned sure it was as secure as it possibly could be - if I had the required know how and suspected there was a vulnerability I'd be investigating it and trying to identify the security hole in the hope it would be patched, thus closing the avenue for some resentful bastard finding an ingenious way to kill me.

      Which is what this guy did. Hardly criteria for a Darwin Award.

  2. Mr Young
    Go

    Oh FFS

    How hard can it be to add at least a little security? I'd expect a graduate to sort that in a few weeks or maybe a couple of months, whatever. It's not exactly rocket science is it!

    1. Anonymous Coward
      Anonymous Coward

      Hmm...

      Not exactly rocket science, but it is brain - well, chest - surgery.

      These devices, according to the article, have been around for 30 years. How much security did network connected computers have 30 years ago? There would have been no suggestion that security would be needed in the device, that sort of thing just hadn't been invented then. Networks were mainly private, users trusted only had accounts to separate their work. Now look at the early Internet protocols - SMTP, telnet, FTP would be a good start - the security is woeful and yet some are still used on a global basis.

  3. Anonymous Coward
    Anonymous Coward

    Force them to recall them, and pay the price for their foul-up!

    For those who have been following the story a bit more closely than the Reg decided to read into it. The guy at Black Hat did actually break into 5 different Medtronic devices, and a third party blood meter. Mostly due to the fact the ones with wireless talk to a wireless blood meter, he basically could just fire off fake blood readings to the pump and cause it to do whatever it likes. Why the blood meter and pump aren't encrypted and paired together is just typical medical corporate types cost cutting and deciding it isn't a concern.

    I was chatting to a guy at a diabetic conference and in a room of a few hundred people he got concerned long before this story as you got nothing but the pumps asking for blood readings. Lots of pumps, lots of data going in, lots of very questionable pairing of pump to meter connections = doses all over the place.

    At the very least, all medical kit needs to be encrypted by law. It's that simple. No "it won't happen" bullshit. It needs to be put into law that at the very least a decent level of encryption is used on these systems. And all the open devices need to be recalled. Medtronic sting the NHS thousands for each device they sell (base level device last time I enquired was about £3000), and on a component level they are on a par with a pocket calculator and you could knock one together with a Maplin catalogue for under £30. A full recall due to possible threats should occur.
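
An added illustration of the fix this commenter is asking for; it is not code from the article, from any commenter, or from Medtronic's actual protocol. The pump accepts a glucose reading only if it carries a valid HMAC under a key shared at pairing time, rejects replayed messages via a monotonic counter, and caps any resulting bolus with a limiter like the one other commenters describe. The message format, key, thresholds and dosing constants are all constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed limiter and dosing values (assumptions, not a real pump's settings).
MAX_BOLUS_UNITS = 5.0          # hard upper bound on any single bolus
SUSPEND_BELOW_MG_DL = 70       # deliver nothing at all on a low reading
TARGET_MG_DL = 120
SENSITIVITY_MG_DL_PER_UNIT = 50

TAG_LEN = 8
MSG_LEN = 6 + TAG_LEN          # 4-byte counter + 2-byte reading + truncated HMAC tag

def meter_message(key: bytes, counter: int, mg_dl: int) -> bytes:
    """Reading as a paired meter would send it: counter || reading || HMAC tag."""
    body = struct.pack(">IH", counter, mg_dl)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Pump:
    """Pump that only acts on readings from the one meter it was paired with."""
    def __init__(self, pairing_key: bytes):
        self.key = pairing_key
        self.last_counter = 0  # monotonic counter defeats replay of an old reading

    def accept_reading(self, msg: bytes):
        """Return the glucose value if the message is authentic and fresh, else None."""
        if len(msg) != MSG_LEN:
            return None
        body, tag = msg[:6], msg[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None        # unpaired meter or forged sender
        counter, mg_dl = struct.unpack(">IH", body)
        if counter <= self.last_counter:
            return None        # replayed message
        self.last_counter = counter
        return mg_dl

def correction_bolus(mg_dl: int) -> float:
    """Units to deliver for a reading: zero when low, otherwise capped by the limiter."""
    if mg_dl < SUSPEND_BELOW_MG_DL:
        return 0.0
    units = max(0.0, (mg_dl - TARGET_MG_DL) / SENSITIVITY_MG_DL_PER_UNIT)
    return min(units, MAX_BOLUS_UNITS)
```

A reading injected with a different key, or a captured message sent a second time, returns None and never reaches the dosing logic; even an authentic but extreme reading cannot exceed the limiter.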

  4. Destroy All Monsters Silver badge
    Big Brother

    "Before testing or reconfiguring, always mount a scratch monkey"

    Why is the GAO getting involved? Are they looking for work?

    I would hope that there was enough pressure from consumers and the insurance companies to ... oh wait. Socialized medicine. Never mind.

  5. Robigus

    Medtronic Veo

    My son's pump has got a limiter that prevents large boluses of insulin. We've set the level quite low deliberately.

    The comms to upload the data through the USB connector needs to be ruddy close (within a few inches) to make a connection, and the connection needs to be initiated from the pump itself. (Don't get me started on the Java applet that "requires Microsoft Windows (TM) and Internet Explorer"). VirtualBox, you were sent by Jupiter Himself.

    When his blood glucose goes very low, the pump shuts down to prevent background insulin from going in.

    Having met with the manufacturers and had conference calls with their development department and having harangued them at length about my need for a Bluetooth interface, I have a few degrees of scepticism about this article being aimed at their devices.

  6. Mikko Kaarela
    Megaphone

    Can we trust that the WLAN works?

    Hospitals are increasingly relying on WLAN, not just for security cameras and doctors' laptops, but also for patient monitors, infusion pumps and medications carts etc. That makes patients' well-being and, indeed, their life dependent on WLAN ability to function properly.

    Some hospitals across the pond have already understood that WLAN performance must be monitored 7/24. Hopefully the same approach will eventually arrive here as well: http://www.ohio.com/news/wireless-tech-firm-7signal-plugs-into-akron-1.208537

  7. Keiron
    Thumb Up

    Was there any mention anywhere of the fact that at least...

    for the insulin pump I have, any wireless device needs to be associated with the insulin pump before it can be used, otherwise it won't work? So if there is an issue it must be on one of the older models that they don't sell anymore, because I'm pretty sure the association of devices is standard in the newer models.
