back to article These diabetes pumps obey unencrypted radio commands – which is, frankly, f*%king stupid

Johnson & Johnson's Animas division has issued a letter [PDF] warning diabetes patients using its OneTouch Ping insulin pump that the device could be triggered remotely. Discounting the possibility of an attack as "extremely low," the company nonetheless says that "a person could potentially gain unauthorized access to the …

  1. Erewhon

    Renamed

    Onetouch Ping of Death

    1. MiguelC Silver badge

      Re: Renamed

      It creates a very specific situation in which a patient cannot complain, and that is the real reason supporting the "zero patient complaints" claim.

  2. Ken Hagan Gold badge

    "Given that security tends to add complexity and cost to technology products, the chance that companies will adopt the FDA's cybersecurity guidelines fully can be considered to be extremely low. "

    Not so sure about that. The potential losses in the resulting court case could offset the savings by several orders of magnitude.

    The likelihood of such a case depends on the nature of the vulnerability. For example, if it is a failure to authenticate the sender, then it could happen almost any time two users are in the same room and one of them needs to inject. If it is poor authentication, then it is only a matter of time before garbled commands to one unit happen to be valid commands to another and (again) this "attack" will be "tried" whenever you get gatherings of users.

    Malicious exploitation is a different set of risks altogether. It is far more likely to succeed and the resulting death will look like suicide. Are there any potential users of these devices who have enemies (or relatives) evil enough to give that a go? Sadly human nature is not all fluffy kittens, so I suspect the answer to that is a firm "Yes".

    1. Fatman

      RE: "Cost of doing business"

      <quote>Not so sure about that. The potential losses in the resulting court case could offset the savings by several orders of magnitude.</quote>

      And one such mechanism to get the manufacturers interested in implementing safety protocols would be a multi-Billion dollar "hit" (lawsuit).

      Recently, I noticed legal advertising for patients who take certain blood thinners who suffered varied injuries as a result of the software in a PT-INR1 testing machine producing the wrong results. Just the ticket to prod manufacturers....

      1 In layman's terms: the time for your blood to clot.

    2. Missing Semicolon Silver badge
      1. Richard 12 Silver badge

        Re: Check out the Fort Pinto

        And courts then prove them wrong.

  3. Dan 55 Silver badge
    Facepalm

    Didn't Homeland do this already?

    Only with a pacemaker.

    No need to worry unless you're a politician.

    1. Voland's right hand Silver badge

      Re: Didn't Homeland do this already?

      No need to worry unless you're a politician.

      No need to worry unless you are an investigative journalist.

      1. Anonymous Blowhard

        Re: Didn't Homeland do this already?

        "No need to worry unless you're a politician."

        No need to worry unless you are a diabetic customer of Animas.

        (Hint: you can't change the first, but you can change the latter - consumer pressure does work on companies if you hit them in the wallet)

    2. salamamba too

      Re: Didn't Homeland do this already?

      Insulin overdose by hacking occurred in Person of Interest to an abusive husband.

  4. rsole

    Warning people that it could be triggered remotely.

    The user must presumably already know it can be triggered remotely as that is a selling point.

    What they should be warning them is that it could be controlled by someone else in the vicinity, assuming it is not an IOT device, or could be triggered by a random radio transmission.

    Also, unless they are monitoring the device how can they possibly know this has not already happened.

    Are they offering to recall the device and rectify the problem? It doesn't sound like it.

  5. wolfetone Silver badge

    I bet those diabetic people who have this device are thinking through all the people they've pissed off recently and whether any of them are handy with a computer...

  6. Pen-y-gors

    And people wonder why I don't trust modern technology!

    I know most of us make our living wrangling electronic gadgetry into some form of submission, but I do sometimes wonder whether Nedd Ludd had the right idea...

    1. Anonymous Coward
      Anonymous Coward

      Re: And people wonder why I don't trust modern technology!

      I am left wondering whether the designers considered encrypting the communications and chose not to, or it simply did not cross their mind.

      1. breakfast Silver badge

        Re: And people wonder why I don't trust modern technology!

        Knowing how these things go, they probably whipped up a simple proof of concept prototype to demonstrate how it might work and that immediately got seized on and released as production software.

    2. Dagg Silver badge
      Flame

      Re: And people wonder why I don't trust modern technology!

      I have no problems with the concept of modern technology it it just the way some f*ckwits implement it. Seriously what the f*ck where the thinking sending anything in the clear! Absolute bloody tools, this is basically criminally negligent.

  7. Sweeper

    Pumps have many challenges, security is certainly one.

    The security side of things is one reason I have never even considered a pump, even after over forty years of multiple insulin injections daily. But it's a shame you haven't a picture of an insulin pump.

    1. Pen-y-gors

      Re: Pumps have many challenges, security is certainly one.

      Pity they couldn't even find a photo of an up-to-date injection system like Kwikpen - who uses a traditional syringe these days?

      1. Robert Helpmann??
        Childcatcher

        Re: Pumps have many challenges, security is certainly one.

        ...who uses a traditional syringe these days?

        Perhaps someone attempting a visual pun to go with the term "injection attack".

        I followed the link to the Medtronic post. They seem to want to address security issues with their devices but don't entirely understand what that entails. For example, they say this:

        "However, the pump will not recognize commands from the USB device without the proper insulin pump serial number. If you’re still concerned, we recommend that you protect the serial number of your pump as you would your social security number, passwords and other important personal information."

        This leads me to guess that these devices are vulnerable to brute force attacks against their serial numbers which are used to authenticate an always-on connection to their devices. It's on their website, which means that a potential attacker researching the issue would have an easy start on this. I don't advocate security through obscurity, but let's not make it too easy.

      2. Steve the Cynic

        Re: Pumps have many challenges, security is certainly one.

        And I haven't seen a syringe that size in a *very* long time.

        And it wasn't an injection syringe, but a blood sample syringe, when I was first diagnosed with Type I diabetes in 1981. (At the age of 15, mind.)

        For a while, I had a glass-walled syringe for injections (and a need to divide doses by two because it was for 20-U insulin and I had 40-U). The one in Pulp Fiction looks sort of similar.

        Then I changed to 100-U insulin with 100-U syringes, which are skinny disposable plastic things, very vaguely similar, except much thinner and a bit shorter, to the one in the picture.

        These days I use "pens" - pre-filled cylinders with screw-on disposable needles. Twist the cap to select the dose, push the protruding tube (that wound out as you twisted the cap) to inject. They are thicker than the disposable syringes, but *still* thinner than the syringe in the picture.

        1. hypernovasoftware

          Re: Pumps have many challenges, security is certainly one.

          Check out the tandem:tslim (no wireless so no chance of hacking).

          After 38 years of multiple daily injections, I switched to this pump a few months ago and the convenience far outweighs any disadvantages (of which I know of none). Plus my control has never been better.

    2. hypernovasoftware

      Re: Pumps have many challenges, security is certainly one.

      I have been a Type I diabetic for 38 years and just switched to an insulin pump a few months ago (tandem:tslim). This one does not have any wireless communications so no chance of any hacking. I love it and will never go back to multiple injections. My control has never been better and it is so convenient.

      And yes, you'd have thought they would show a picture of an insulin pump rather than a manual injection. :(

  8. Richard 31

    The letter also recommends turning on the Vibrating Alert feature, because it could be useful to be told when insulin is about to be administered, and to set a limit on insulin doses over a given period of time.</quote>

    Surely our hacker could just disable them again using the same unencrypted commands to switch the alerts off again?

    But with this and the 10 zillion other IoT devices out there, isn't it time an idiot proof chip or framework is produced to allow people to do secure comms on small devices easily?

  9. Rich 11 Silver badge

    The what?!

    Medtronic Paradigm Bolus Wizard

    This is a joke name for a spoof product, right? Please tell me it is.

    1. Fruit and Nutcase Silver badge

      Re: The what?!

      @Rich 11

      "Medtronic Paradigm Bolus Wizard

      "This is a joke name for a spoof product, right? Please tell me it is."

      Not really - "Bolus" is a reference to the injection...

      https://en.wikipedia.org/wiki/Bolus_%28medicine%29

      http://www.diabetes.co.uk/insulin/basal-bolus.html

      1. Anonymous Coward
        Anonymous Coward

        Re: The what?!

        "Bolus Wizard" 1970's band, bit trippy but some good folk stuff, still got a couple of LP's

  10. Stoneshop

    FDA approval

    "Given that security tends to add complexity and cost to technology products, the chance that companies will adopt the FDA's cybersecurity guidelines fully can be considered to be extremely low. "

    Would they be able to withhold or retract approval if security flaws such as these are found? It's clear such testing needs to become part of the approval process for devices with remote control capabilities. And companies will pay attention to matters that can keep their product from entering the market.

    1. Version 1.0 Silver badge

      Re: FDA approval

      When the FDA get around to looking at this then they could have the product withdrawn from the market - a complete recall - if they think it's a risk. Chances are that Johnson & Johnson didn't pass this design through the FDA as the "feature" could have been rationalized away as not affecting the core functionality - thus not triggering an FDA 510(k) design review at the FDA.

      I would expect that the FDA will issue a ruling on this although probably not for a few years. The end result is that encryption will be mandated - eventually.

      1. Anonymous Coward
        Anonymous Coward

        When the FDA get around to looking at this....

        Well, they did look at it and approved it.

  11. NanoMeter

    Unhappy luddite

    I love the march of technology, but I can see we're heading in the wrong direction. I am not happy to have to think like a luddite, but it's necessary for survival. Sometimes you need to know when to say "Stop. This ain't good".

    I see they're selling DNA manipulation kits for 100 dollars on the internet. Can't be good. If there's one thing we don't need it is antibiotika resistent E.coli bacteria created by some derp in his home.

    1. Jason Bloomberg Silver badge

      Re: Unhappy luddite

      I am not sure we are heading in the wrong direction, more walking a path without fully realising we need to redirect that path. Such realisations only come with discovering where one has gone wrong.

      History is littered with 'good ideas' which turned out to not be such good ideas until we got those under control, figured out how to do them safely, and sometimes abandoned those ideas. Getting it wrong, not having as much foresight as hindsight would like us to have had, seems a part of human nature.

      One day we may improve on that, may learn the lessons of history, but it seems we have a long way to go. We can't even agree on what are best 'safe practices', when something is safe to release; only when it's proven safe to do so, or it can be released unless proven not to be safe.

      When we tend towards the latter there will be cases where what seemed like a good idea turns out not to have been. We have to accept that if we follow that course.

    2. phuzz Silver badge
      Boffin

      Re: Unhappy luddite

      Most people have DNA manipulation toolkits in their pants.

      1. Pen-y-gors

        Re: Unhappy luddite

        Most people have DNA manipulation toolkits in their pants.

        Yeah, but the outcomes are pretty unpredictable.

        1. Dagg Silver badge
          Pint

          Re: Unhappy luddite

          Yeah, but the outcomes are pretty unpredictable.

          Not at all! The more beer the uglier the result.

          Beer helping ugly people breed since forever.

    3. phil dude
      FAIL

      Re: Unhappy luddite

      despite what you read, creating an "antibiotic resistant E.coli" is really not the issue. Generally, anything we create in the lab does not compete well in the environment - the real world is *really* noisy.

      However, if you pump every living thing in the food chain full of antibiotics, you will select (as in Darwin's Natural Selection) for some really nasty variants, since they have survived the microbiological gladiatorial arena of every cell they enter.

      Read about phages, a 3 billion year old experiment into molecular robots...they're an interesting topic.

      If we lived in a rational political universe, this would prioritize research into the mechanisms of disease so we could create solutions to the problems. but our media prefers novelty to progress.

      The Dark Ages are only one lost generation away...

      P.

      1. DWRandolph

        selected evolution

        Here is one link to a recent demonstration of evolution in action. Several places picked up the story from Harvard Medical School of how fast bacteria adapts - very scary!

        https://www.wired.com/2016/09/gorgeous-unsettling-video-evolution-action/

        1. phil dude
          Pint

          Re: selected evolution

          Yes, "We'll need a bigger Petri dish".

          P.

  12. lglethal Silver badge
    FAIL

    Rather than just telling people to set limits and turning on a vibration alert feature (because knowing your about to be injected is really going to help you out if someone is trying to overdose you!), they could take the time to create some new firmware for the device which plugs the security holes. And then the advice for their patients could be to update the firmware on the device. Problem solved. No need to release such statements which look like they are saying the risk is low and they don't really care about the risks to your life anyway. They could laud instead how much they care for their patients and are taking a firm stance on security!

    Oh wait, securing the device costs money, nevermind.

  13. Doctor Syntax Silver badge

    Guidelines?

    "And the FDA released a new set of proposed guidelines at the beginning of this year."

    Something stronger than guidelines is needed.

    1. Mark 85
      Holmes

      Re: Guidelines?

      <see icon> This is and has been obvious to everyone except the FDA for quite awhile. It should also be obvious the manufacturers, but.... profit.

  14. Anonymous Coward
    Anonymous Coward

    The fun really starts when you can hack a penis or breast pump, tiitter ye not.

    1. NanoMeter

      Or getting hacked while you're having cyber sex via internet. Who knows what might happen.

    2. Pen-y-gors

      Hack a penis?

      I'm so glad my penis doesn't have a WiFi connection (or even an ethernet socket)

  15. spot

    Sophisticated equipment and proximity

    They left out the words cheap and from a car pulled up outside.

  16. adam payne

    An Animas statement says patients and healthcare providers have been contacted about this issue. "Animas continues to work with the appropriate regulatory bodies and security experts on this issue as we are always evaluating ways to further ensure patient safety and enhance security," the company said.

    Enhancing security isn't what you are doing, you are fixing a massive security hole in your product. A security hole that could be lethal to someone.

  17. Robigus
    Childcatcher

    It must be enabled to be vulnerable

    My son's Medtronic insulin pump had to be explicitly configured to listen to remote instructions for it to be vulnerable.

    All of his cohort had remote access turned off by default when setup by the hospital because it was battery thirsty.

    Also, the article doesn't mention that pumps are setup with a maximum bolus - another safety feature that prevents little people delivering shit-tons* of insulin.

    That's not to say the manufacturers aren't money-first/patient-second yacht-sailing greed-monster tooth-whitened billionaires, but the headline's a bit OTT.

    * This is the proper medical terms for large quantities of insulin.

    1. Richard 12 Silver badge

      Re: It must be enabled to be vulnerable

      And is that configuration accessible to a malicious attacker via the radio?

  18. Anonymous Coward
    Anonymous Coward

    More Concerned about Trademarks?

    That letter gives me the impression that they are more concerned about Registered Trademarks than people health.

  19. teebie

    "Since Animas Corporation launched the product in the US in 2008 and Canada in 2009, there were zero patient complaints (and no patients affected) related to this issue"

    Because all of those involved were suffering from hypos/death and couldn't communicate coherently as a result.

    "Medtronic Paradigm Bolus Wizard"

    'Bad news Jeff, the name for our new product is apparently already some sort of internet meme. The correct horse battery staple needs a new name'

    'Ok, I'll get the word list and the darts'

  20. Old Handle

    I skimmed the manual for this thing (online, I don't actually have one, thank goodness) and it talks about "pairing" the pump and remote, and also says the remote can check the pump's status. So they have two-way communication. If they hadn't that would have made security a bit difficult, but since they seem to be perfectly capable little gadgets, there's really no excuse.

  21. sanmigueelbeer

    There's a Case Study published in 2009 by well-known medical equipment manufacturer Welsh Allyn titled "

    Application of IEC 80001 in Avoiding Pitfalls of Wireless LAN System Design, Case Study".

    Scroll down to Section 5 - Security and the third paragraph near the end of the section states, "Of the vendors that support WPA, many only support Pre-Shared

    Key (PSK) authentication; again, likely because of low cost and ease of implementation. Consider that those who claim that WPA

    is secure likely don’t support WPA2."

    Some medicial equipment manufactures DO NOT have the technical skills to make their products wirelessly secure.

  22. Stevie

    Bah!

    All your meds are belong to lightbulb.

  23. 0laf Silver badge

    Misunderstandng of risk

    I've seen this before from medics with predictably dire consequences.

    They confuse probability with risk and don't take into account the impact. So yes it's very unlikely there would be an attack against diabetics with these pumps, however the impact of such an attack would be critical since people would die.

    So I would say that the risk is actually 'high' and should be addressed.

  24. Long John Baldrick

    Has anyone here actually dealt with the FDA?

    If anyone here has had experience with getting FDA approval for medical devices I would appreciate comments from them. I have experience in FDA submissions for drugs and they can be very frustrating to deal with in terms of making any changes in any aspect of the drug approval and production process. If one looks at the baby step approach that Medtronic has used in adding features to its insulin pimp line, it should be obvious that making wholesale changes to a device is time-consuming and expensive. I use a Medtronic 530g insulin pump with the CGM(continuous glucose monitor). The sensor communicates to the pump via radio. The pump and glucose meter also communicate with each other in the same fashiom. I am in far more danger of mis-entering blood glucose values manually than I am from someone trying to cause me harm by hacking my pump. These systems are low-poower systems. The pump runs on a single AAA battery which lasts about two weeks with vibration mode on. The transmitter lasts about two weeks also before being recharged but as the sensors only last six days, I recharge the transmitter each time I change a sensor. When the sensor and pump are on opposite sides of my body, communication stops. In order to have decent encryption you need a decently powered CPU which these insulin pumps don't have. Yes, you could design an entirely new pump with a "modern" CPU but then the entire unit(pump, meter, remote control, CGM transmitter) would have to be validated by the FDA. Here in the US the new versions of the pumps are available 12 - 18 months after they are in UK/EU. And that is for each of those baby step improvements.

    If a patient is worried about someone hacking their pump(I'm not) or remebering when the gave themselves their last bolus(I am) then it is simple to look at either the bolus history or amount of active insulin on the pump.

    Finally, new drugs are launched without having hundreds of thousands of test subjects, and yes, people do die from new drugs, drug interactions, and drug allergies. It is a risk-benefit analysis. I use my pump because it works for me, far better than multiple daily injections. I would say that it is far more hazardous to be driving a car either in the US, EU, or on some of those tiny hedge roads in the UK.

    1. dave 76

      Re: Has anyone here actually dealt with the FDA?

      in the newer Medtronic pumps they have disabled some of the remote features for security but although I have one, I am planning to move back to the less secure model which does allow remote control of dosing levels.

      Why? Because there are open source projects like openAPS to enable smarter control of the pump and to create an almost closed loop insulin delivery system. I consider that to be much more important to me than if someone wants to play silly buggers with my pump.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like