back to article Insulin pump attack prompts call for federal probe

The hack of a commercially available insulin pump that diabetics can control wirelessly has attracted the attention of US lawmakers who oversee the safety of the nation's airwaves. In a letter drafted earlier this week, US Representatives Anna Eshoo and Edward Markey asked members of the Government Accountability Office to …

COMMENTS

This topic is closed for new posts.
  1. Bango Skank
    WTF?

    Holy Crap Batman, why can't I feel Muh Legs?

    Bloody hellfire, hackable insulin pumps and pacemakers, remotely startable cars, Iranian Nuclear reactors - Whatever next?

    Sounds like a something out of an Agatha Christie mystery, only real.

  2. Anonymous Coward
    Stop

    fix the damn thing....

    “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

    The fact that you can in a lab means that its possible to do it outside a lab.... the fact that its possible to do it at all means it needs fixing....

  3. Anonymous Coward
    Anonymous Coward

    Ah

    “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

    So that's ok then. Bury your head in the sand because "It can't happen to you" (TM)

    1. AndyS

      title

      Not that it can't, just that it hasn't yet.

      1. Chris 3
        Facepalm

        Not that it hasn't happened yet...

        ... just that it hasn't happened to "their knowledge". Of course, its not quite clear how they would have known about it *had* happened, given that it was a risk they were unaware of and weren't looking for.

    2. Voland's right hand Silver badge

      So why do you think that the attacked will be able to report it?

      Driver with an insulin pump, vehicle, 70 mph. Pump blasts a lethal dose into the blood flow.

      Nuff said.

      1. Keiron
        WTF?

        Someone needs edumacating...

        "Driver with an insulin pump, vehicle, 70 mph. Pump blasts a lethal dose into the blood flow.

        Nuff said."

        Obviously someone who doesnt know much about diabetes or insulin pumps but... the effects of insulin being pumped into the body are not instantaneous, at least not in the case of available insulin thats on the market, they take a while to do anything and generally you do feel the effects coming on. It would be more dangerous for someone say in charge of a plane...

        1. ArmanX
          Flame

          I was thinking more of heads-of-state...

          Don't like your current representative? Hey, we've got a sure fire way to kill him untraceably! Turns out, all you need to do is send him into a diabetic coma - and the best thing is, you only need to get within WIFI range!

  4. 404
    Alert

    Lawyerspeak

    “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide"

    Anyone who did die from their devices getting messed with, is in fact dead, has already had the insurance collected on, and we would rather not talk about it, k? CSI couldn't solve it, neither can you.

    Lord Have Mercy!

    8|

  5. Oninoshiko
    WTF?

    only done by the "good guys" in the lab?

    I'm supposed to feel better about that?

  6. Christoph
    Boffin

    No reports

    "there has never been a single reported incident "

    Nobody has reported being killed by this?

    And exactly how would they know that it had happened? A diabetic feels ill, or their sugar levels vary unexpectedly, or they drop dead - does anyone check their insulin pump? And would there be any evidence left behind, especially if the attacker set it back to normal levels again later?

    1. Keiron
      WTF?

      Another bit of edumacation needed...

      ""there has never been a single reported incident "

      Nobody has reported being killed by this?

      And exactly how would they know that it had happened? A diabetic feels ill, or their sugar levels vary unexpectedly, or they drop dead - does anyone check their insulin pump? And would there be any evidence left behind, especially if the attacker set it back to normal levels again later?"

      The pumps keep account of bolus injections that are extra to the basal ones...

      Yes you have to check your pump, otherwise how would you change the insulin and cannula every three days? (If you didnt it would run out and youd be in serious trouble)

      Yes there would be evidence left behind the insulin takes at least an hour on the quickest types to dissipate and also blood levels would differ to normal, and I would hazard a guess at there being ways of finding out what blood sugar levels where from HBA1C tests.

  7. Havin_it
    Coat

    Why, with technology like this...

    Claus Von Bülow could have murdered his wife and escaped jail. Oh, wait...

    1. John Smith 19 Gold badge
      Happy

      @Havin_it

      No. that should have read

      Claus Von Bülow could have murdered his wife and escaped jail cheaply.

  8. JeffyPooh
    FAIL

    Medtronic - "To our knowledge..."

    <- Utter.

    Good grief. Don't you just want to smack Mr. Medtronic upside the head?

    There are actually tree stumps with more common sense.

  9. Anonymous Coward
    Facepalm

    "Titanic" mindset

    “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

    No right, just like there was never a plane hijacked until someone first hijacked one. That someone manufacturing devices on which lives depend still lives in such a well padded cloud cuckoo land should be a major cause for concern to the regulators and users of such devices, although the inevitable US supersize lawsuit that would result would certainly put paid to any lingering smugness manufacturers may still be harbouring.

    As a successful security model, pretending it won't happen to you died the death a long time ago, even for manufacturers of medical devices and voting machines.

    1. JimC

      Oh good grief people, live in the real world...

      In these days of spin and image and scum sucking lawyers everywhere would you really expect a press release on the lines of "We're kakking our pants over this and the boys in the lab are desperately working on a fix..."

      That sort of press release tells you exactly nothing about what the company's response to any possible vulnerability is because there are exactly no circumstances in which they'd say anything different.

      1. kissingthecarpet
        Stop

        No

        They could say, "there was a possible vulnerability , but we've already fixed it as part of a routine security review" or something

        1. Anonymous Coward
          Anonymous Coward

          No such thing as a routine security review

          On a device that actually injects insulin, any change at all will mean it has to go back to a complete review by FDA and CE before it can be sold. That's slow and expensive. Modifications to medical devices are not the same as browser patches.

          I'm not saying they should ignore a problem; just that announcing an "important security fix" is coming would kill sales of the current devices, and they wouldn't get the replacements on the market for 1.5 to 2 years even if they had their internal development and testing complete next week, so they're not likely to say it.

          1. yakitoo
            WTF?

            Does

            make you wonder how it got through 510k in the first place

          2. Just Thinking

            Review?

            Someone reviewed a wireless controlled device for injecting insulin, and didn't ask what is to stop someone hacking it?

            Who do they get to do these reviews?

      2. Francis Boyle

        Never say anything different?

        How about: we are take our customers safety seriously and purely as a precautionary measure have initiated a review of the security of our products.

        Protecting your legal arse doesn't actually require sounding like a couldn't-care-less jerk.

        1. auburnman
          Stop

          Title required

          That's pretty much exactly what they say. The Reg quote is just a small extract from the company's full response. If you read their take on things they sound like they have it in hand.

  10. This post has been deleted by its author

  11. Anonymous Coward
    Anonymous Coward

    pump user

    My pump at least logs everything it's been doing for at least the last X days, mostly just total daily dose. Also records time and date of X bolus doses as well.

    X = Not sure how many records it actually keeps, but I got bored of pressing the buttons once I went back through 50'odd entries.

    Not possible with mine as it's not wireless, but even if someone did give me an unexpected bolus I'd know about it soon enough and would soon fix the problem with a bottle of Lucozade. There are also limits set on the pumps to fix maximum potential doses so that I don't over dose by mistaken button presses so the person hacking my pump would need to over ride those setting as well and I don't think those settings were available wirelessly on the demo pumps I looked at before from other manufacturers.

    1. Robert Carnegie Silver badge

      Not to terrify you, but do you wear the insulin pump at night?

      As for boosting the radio range: http://www.turnpoint.net/wireless/has.html

    2. Voland's right hand Silver badge
      Devil

      So in the wireless case

      So, let's say we have a wireless pump which does not require any authentication for the dosage changes. Why should be expect it to require authentication for clearing the log?

  12. Anonymous Coward
    FAIL

    At the bottom of every chip datasheet

    There's a clause forbidding the use of it in life-critical devices (sometimes just medical devices in general) without the written permission of a very senior officer of the manufacturer.

    Surely there's an equivalent for the software written for it?

    I'm glad I'm still on the pills...

  13. Tzael
    Coat

    On off on off on off on ...

    Does this mean hackers have discovered 'off switches' for humans? Yes I know, bad taste, I'll get my jacket...

  14. dave 76

    of course it could be hacked but not all pumps

    pumps that link to a Continuous Glucose Meter or use the remote control need to have wireless communication enabled to allow the devices to talk together. This gives an opportunity for someone to remote attack the pump - I doubt the authenication and encryption is strong enough to keep someone determined out. If you are not using one of these functions you can switch it off. Course if you are using an Omnipod you are out of luck - all the controls are on the remote so you must use it.

    If you are using a non-integrated pump - ie the CGMS does not talk directly to the pump - then you don't need the wireless on.

    Given that my pump and CGMS have difficulty talking with each other when they are more than about 30cm apart and you can't turn off the bloody beeping sound when you do anything I would probably notice someone attempting to adjust it, but you never know.

    1. Anonymous Bosch

      Medtronics Pumps

      Mine can only talk to my glucose meter. No worries there for me. Meter doesn't make the pump do anything.

  15. Anonymous Coward
    FAIL

    Eh?????

    Why the hell is such a device in need of a wireless connection at all?????

    Come to that, why does it need a communication protocol at all!!!!

    1. Old Handle
      Boffin

      RE: Eh?????

      Of course it need a communication protocol, how else is the user going to tell it how much insulin to give? (This needs to be adjusted for diet, in case you didn't know.) A remote is very handy, because the device itself is worn under clothing and a wired remote would just end up getting tangled in things, not to mention making the user feel (even more) like some kind of freakish cyborg. So wireless seems like the way to go, If they could just figure out how to make it secure.

      1. Anonymous Coward
        FAIL

        RE: Eh?????............

        It doesnt need any kind of communication protocol and since when did a patient decide exactley how much of their medication they need.

        Insulin (and most other self administered injectable drugs) are a pre set dose.

        The device only needs to be able to deliver say, 10mils every 4 hours. Or whatever.

        At no point should a user be able to modify this out side some pre set parameters without a medical proffesionals say so. More importantly a NON user should have no hope whatsoever.

        Even morphine injectors for use with cancer or other hugely painful cinditions can not deliver more than a preset amount in a certain time frame, and whilst the user can happily click away pumping the stuff in, the device stops over administration of the drug. 50 mils in a 5 hour period, ok, but not 51 till that 5 hour time is up!! Which is how they should work and indeed did.

        So, as i said, the DOCTOR decides how much should be given. NOT the patient. The need for this device to be remotly controlled is utterly pointless and is there because someone decided it could. Not should, or must but because it could....An appliance waiting for an application....

        1. Some Beggar
          Thumb Down

          @cornz 1

          "since when did a patient decide exactley how much of their medication they need."

          Adults with type 1 diabetes (like me) typically manage their condition themselves. I measure my blood glucose, estimate the carbs that I'm eating and the exercise that I'm taking and decide how much insulin I need to inject. I meet with a diabetes consultant or specialist nurse every six months to discuss how this self-management is going.

          "At no point should a user be able to modify this out side some pre set parameters without a medical proffesionals say so."

          I'm afraid you're simply wrong. Not just for diabetes but for many other long-term conditions, so-called "expert patient" schemes where the individual is given day-to-day control are quite commonplace. The days when such conditions were micro-managed by a medical professional are (happily) long since passed.

        2. Alan Mackenzie
          Boffin

          @cornz1 - The basics of diabetic control

          I'm sorry Mr/s. Cornz, but you could hardly be more wrong on just about everything you've written.

          The diabetic herself decides, from day to day, even from hour to hour, how much insulin to inject/pump. This varies around an "ideal" dose, and depends massively on what is eaten, degree of exercise, degree of stress, etc. The amount of variation can easily be as much as 50%, or even more whilst suffering an infectious disease.

          The doctor does NOT decide how much insulin should be given, except by giving individual guidelines.

          The whole idea of an insulin pump is for a diabetic to be able to adjust the dose of insulin easily and rapidly, and to give boosts just before (or after) meals.

          I sincerely hope you never have cause to discover these things for yourself.

          1. Anonymous Coward
            Facepalm

            But you cannot

            over-ride the pump unit to give you ALL the insulin in one go!!

            This is the point im making. If (and i do speak ferom experience here) you are given an auto injector for morphine, you can administer it to yourself all day long, however, you cannot exceed a pre-determined amount or number of shots per day.

            So you have 100mls of solution, to be administered 10 times a day.

            Perhaps you can administer 5 of these in an hour, 5 the next but then you cannot administer anymore until the 24 hour period is up....

            If, remotely, someone can adjust that without the users consent or knowledge then thats a stupid idea...

            Thats my point....

            Sheesh......

            1. Some Beggar
              Headmaster

              @cornz 1

              "But you cannot over-ride the pump unit to give you ALL the insulin in one go!!"

              I can give myself as much or as little insulin as I like whenever I like. I am in complete day-to-day control of my insulin.

              "Thats my point....

              Sheesh......"

              Your point was bollocks. Several people have tried to explain why your point was bollocks. If you had a bit of dignity at this point you would acknowledge that you were wrong and thank people for improving your understanding. But you'll probably just slink away or post some more backpedaling sprinkled with exclamation marks. Grow up.

              1. Oninoshiko
                FAIL

                @ Cornz1

                "X for morphine ergo X for insulin" FALSE.

                Insulin and morphine are VARY different drugs, administered under VARY different rules, for VARY different conditions.

                What is done for morphine (a highly addictive, opiate, analgesic (pain killer)) has nothing to do with with how Insulin (a hormone for regulating carbohydrate and fat metabolism) is regulated.

        3. vesta44

          Not always........

          "Insulin (and most other self administered injectable drugs) are a pre set dose."

          Bolus insulin is a pre-set dose that doesn't usually change without a doctor's say-so, BUT short-acting insulins are variable dose and can change from meal to meal, depending on the diabetic's blood sugar at the meal and the number of carbs in the meal. The doctor can give a base range for the short-acting insulin, but has no say over how much is actually administered at each meal as zie is not there to observe the exact conditions and dispense dosing advice. I know this because my husband has type 2 diabetes and his short-acting insulin dosages can range anywhere from 25 units to 50 units, at MY discretion, NOT the doctor's (I'm the one who figures out his dosages based on blood sugar and carb consumption and I'm better at it than the doctor is).

        4. dave 76

          diabetes control is in the hands of the patient, not the doctor

          "So, as i said, the DOCTOR decides how much should be given. NOT the patient. The need for this device to be remotly controlled is utterly pointless and is there because someone decided it could. Not should, or must but because it could....An appliance waiting for an application..."

          Fairly safe to say that cornz 1 has no experience with Type 1 diabetes at all (Type 2 is a completely different kettle of fish).

          My doctor has NO say in what my dosages are. He/she can advise or recommend but seeing as I live with this 24/7 and I see them for 5 minutes every 3 months to get my prescription renewed, I have a much better idea of how to manage my diabetes that they do. I will never take instruction from them, only advice.

      2. Jedit Silver badge
        Headmaster

        Let's add a bit more common sense

        Diabetics who don't get enough insulin will eventually enter a coma. It is thus VITAL that the dosages from an insulin pump must be readable and for preference adjustable by a person other than the user.

  16. Anonymous Coward
    FAIL

    Yes, this needs to be fixed

    Yes, this vulnerability needs to be fixed, just like the myriad other ones in the world.

    But it's a sad testament that we would NEED to fix something like this to prevent someone from possibly doing harm.

    While I know it's not 1950 where (supposedly) you could just leave your keys in your car, not lock your front door, etc., where does it end? Eventually we'll be living in houses with shatter-proof windows in the off chance someone may throw a brick, and even toilet paper will have warning labels and come with an instructional DVD. (though that might not be bad for some people)

  17. The BigYin

    List to "Free as in Freedom" podcast, episode 15

    http://faif.us/cast/2011/aug/02/0x15/

    Now be afraid, be very afraid. You have no alternative but to have one inside your body, and you can only trust it works because the maker says so?

    1. Destroy All Monsters Silver badge
      Big Brother

      This is different from popping pills with some new molecule.

      You can only trust that he FDA did its approvals correctly (probably not) and Pfizer didn't deep-six the study showing inconvenient results (probably not) or that the production machine was squeaky clean (probably but sometimes not).

      To add insult to injury, you get to pay top dollar because of the patent before your liver gives out.

  18. Apocalypse Later

    "So far, so good"

    Man falling past ninth floor window gives thumbs up.

  19. John Smith 19 Gold badge
    FAIL

    Been coming for a *very* long time.

    There's an old DDJ article about a guy trying to unscramble the serial port data from his glucose monitor.

    As the actual *device* sets smaller (more concentrated insulin, more efficient pump design, smaller batteries) the UI (the buttons) become the limiting factor on reduction.

    But what's OK for a *Monitor* should change *radically* when you can actually effect stuff IRL.

    Logging the last changes is just a *start* (and note I'll bet that's just a good idea, *not* mandatory in the design of medical devices).

    BTW some countries have a "Grandfather" provision for medical devices *unlike* drugs.

    So I say "It's an insulin pump, just like insulin pump X" and the licensing authorities say "Fair enough type X passed you're clear to go."

    It doesn't have to be *better* it just has to be *different* (but not *too* different).

    While the idea that no one would investigate a diabetic whose just going along and suffers a massive insulin OD should be *very* far fetched given competent forensic techs and autopsy it's less clear cut if they were *doing* something which damaged the body. Driving a car would be the obvious one but I'm sure someone motivated to do this would find others.

  20. Anonymous John

    It's probably like an RFID chip.

    With a range of less than half an inch. And unless the hacker gets the correct channel first time, the victim notices and moves out of range.

    1. Anonymous Coward
      Anonymous Coward

      @Anonymous John

      So absolutely no problem to kill someone in a packed commuter train when you're wedged up against him with your sequential channel scanning diabetic-o-zapem(tm)

      Anyway, the RFID range limit is a false security as has already been shown with the RFID passports. Both ends of the link don't need to be high power or have comparatively large directional antennas, only one. So back to the packed tube train, you could stand at one end, and attack half the carriage - how nice of them to all stand within the couple of degree field of your antenna, hidden in the oh so obvious piece of luggage at your feet.

      1. Some Beggar
        WTF?

        The incidence of type 1 diabetes is about 10 people per 100k

        Of that small population, a small subset will be using a pump rather than pens, and a smaller subset of those will be using a pump whose dose can be adjusted wirelessly, and an even smaller subset of those will be using the particular type of pump whose vulnerability your imaginary wireless murder machine would be targetting. So if you're lucky, you'll find one potential victim in every thousand packed tube carriages.

        Worst. Serial. Killer. Ever.

  21. GuyC
    WTF?

    Well this guy won't collect on his life insurance

    WTF would you try and bugger about with something that is there to save your life......sounds like one for the darwin awards

    1. Anonymous Coward
      Anonymous Coward

      I'm going to go with...

      The good old hacker spirit ... because it's there.

      I doubt he needs to be hooked up to the machine to test it. Even if he did, then he wouldn't be setting a fatal dose and as another commenter has pointed out the machines have a fixed upper limit to prevent exactly that.

      Worst case scenario the machine breaks, I would assume (not being diabetic myself) that he has a backup supply of needles and insulin for emergencies anyway.

    2. Anonymous Coward
      FAIL

      To prove there's a vulnerability

      You bugger about with it *because* you depend on it to save your life. If I was using a device like that I'd want to be damned sure it was as secure as it possibly could be - if I had the required know how and suspected there was a vulnerability I'd be investigating it and trying to identify the security hole in the hope it would be patched, thus closing the avenue for some resentful bastard finding an ingenious way to kill me.

      Which is what this guy did. Hardly criteria for a Darwin Award.

  22. Mr Young
    Go

    Oh FFS

    How hard can it be to add at least a little security? I'd expect a graduate to sort that in a few weeks or maybe a couple of months, whatever. It's not exactly rocket science is it!

    1. Anonymous Coward
      Anonymous Coward

      Hmm...

      Not exactly rocket science, but it is brain - well, chest - surgery.

      These devices, according to the article, have been around for 30 years. How much security did network connected computers have 30 years ago? There would have been no suggestion that security would be needed in the device, that sort of thing just hadn't been invented then. Networks were mainly private, users trusted only had accounts to separate their work. Now look at the early Internet protocols - SMTP, telnet, FTP would be a good start - the security is woeful and yet some are still used on a global basis.

  23. Anonymous Coward
    Anonymous Coward

    Force them to recall them, and pay the price for there foul up!

    For those who have been following the story a bit more closely than the Reg decided to read into it. The guy at Black Hat did actually break into 5 different Medtronic devices, and a third party blood meter. Mostly due to the fact the ones with wireless talk to a wireless blood meter, he basically could just fire off fake blood readings to the pump and cause it to do whatever it likes. Why the blood meter and pump arn't encrypted and paired together is just typical medical corporate types cost cutting and deciding it isn't a concern.

    I was chatting to a guy at a diabetic conference and in a room of a few hundred people he got concerned long before this story as you got nothing but the pumps asking for blood readings. Lots of pumps, lots of data going in, lots of very questionable pairing of pump to meter connections = doses all over the place.

    At the very least, all medical kit needs to be encrypted by law. It's that simple. No "it won't happen" bullshit. It needs to be put into law that at the very least a decent level of encryption is used on these systems. And all the open devices need to be recalled. Medtronic sting the NHS thousands for each device they sell (base level device last time I enquired was about £3000), and on a component level they are on a par with a pocket calculator and you could knock one together with a Maplin catalogue for under £30. A full recall due to possible threats should occur.

  24. Destroy All Monsters Silver badge
    Big Brother

    "Before testing or reconfiguring, always mount a scratch monkey"

    Why is the GAO getting involved? Are they looking for work?

    I would hope that there was enough pressure from consumers and the insurance companies to ... oh wait. Socialized medicine. Never mind.

  25. Robigus

    Medtronic Veo

    My son's pump has got a limiter that prevents large boluses of insulin. We've set the level quite low deliberately.

    The comms to upload the data through the USB connector needs to be ruddy close (within a few inches) to make a connection, and the connection needs to be initiated from the pump itself. (Don't get me started on the Java applet that "requires Microsoft Windows (TM) and Internet Explorer"). VirtualBox, you were sent by Jupiter Himself.

    When his blood glucose goes very low, the pump shuts down to prevent background insulin from going in.

    Having met with the manufacturers and had conference calls with their development department and having harangued them at length about my need for a Bluetooth interface, I have a few degrees of scepticism about this article being aimed at their devices.

  26. Mikko Kaarela
    Megaphone

    Can we trust that the WLAN works?

    Hospitals are increasingly relying on WLAN, not just for security cameras and doctors' laptops, but also for patient monitors, infusion pumps and medications carts etc. That makes patients' well-being and, indeed, their life dependent on WLAN ability to function properly.

    Some hospitals across the pond have already understood that WLANs performance must be monitored 7/24. Hopefully the same approach will eventually arrive here as well: http://www.ohio.com/news/wireless-tech-firm-7signal-plugs-into-akron-1.208537

  27. Keiron
    Thumb Up

    Was there any mention anywhere of the fact that at least...

    for the insulin pump i have that any wireless device needs to be associated with the insulin pump before it can be used otherwise it wont work? so if there is an issue it must be on one of the older models that they dont sell anymore because im pretty sure the association of devices is standard in the newer models.

This topic is closed for new posts.

Other stories you might like