Scumbags can program vulnerable MedTronic insulin pumps over the air to murder diabetics – insecure kit recalled

Health implant maker MedTronic is recalling some of its insulin pumps following the discovery of security vulnerabilities in the equipment that can be exploited over the air to hijack them. Specifically, the manufacturer is recalling its MiniMed 508 and Paradigm insulin pumps, along with the CareLink USB control hub and some …

  1. Shadow Systems

    And my doc wonders why I hate them?

    If a critical-to-life device can be hacked by some bastard with a Raspberry Pi, a transmitter, & a bit of software they grabbed off the internet, then that device isn't fit for purpose.

    Ok so I'm "stuck" using insulin pens & manually administering my insulin doses, but then it's highly unlikely some slimey bastard will break into my home, fuck with my insulin supply, & put it all back exactly as they found it to try & kill me.

    It's too much work for just one victim, whereas being able to walk through a hospital with the aforementioned device in a pocket broadcasting to cripple/kill as many folks as possible is a much greater bang for their buck.

    *Shaking head in dismay & disgust*

    That folks would do such a thing in the first place makes me wish shooting them in self defense weren't such a difficult "crime" to explain to the cops.

    "Look, I'm diabetic. That guy was walking down the street with a radio in his pocket broadcasting signals to insulin pumps to try & kill all the diabetics he passed. I saw my pump go haywire as he walked past, I confronted him about it, and he *laughed in my face*. I shot the little fucker in self defense. Yeeeessss... all 15 times."

    =-\

    1. Anonymous Coward

      Re: And my doc wonders why I hate them?

      Sadly, that's often the same attitude they have. Wrongfully so. But they also see it as self defence. Thus the only part of the cycle we can be guaranteed to break, is ourselves. Then we can at least try to break their cycle. If that fails, well, it is on them then.

      Perhaps these devices need short range only communication. At least that way 99% of the "hacks" are negated by blocking access (as you already do with the physical pen applications).

      1. Pascal Monett Silver badge

        Re: they also see it as self defence

        Bullshit. Self defense against what? How is a diabetic going to harm them?

        Building a radio transmitter for a software/hardware solution made to make insulin pumps go wrong is not self defense in any way, shape or form.

        It is murder, pure and simple. And yeah, shooting is too good for 'em.

        1. stiine Silver badge

          Re: they also see it as self defence

          Well, if they're driving at the time, they could run over the perpetrator...

      2. SimonC

        Re: And my doc wonders why I hate them?

        a la the XKCD $5 wrench comic, or perhaps the one with the script to move the mouse, instead of short range communication, how about an ultra high tech plastic sliding *on/off* switch for the wireless antenna...

    2. vtcodger Silver badge

      Re: And my doc wonders why I hate them?

      Realistically, I think insulin pump sabotage is probably about number 37 on the list of hazards facing insulin dependent diabetics. Undetected insulin pump system failures of various sorts, and the unreliability of meters, are probably far greater dangers. As are inaccurate/misleading food labeling.

      But still, the pumps shouldn't be hackable. And certainly not easily hackable.

      1. Yet Another Anonymous coward Silver badge

        Re: And my doc wonders why I hate them?

        Don't worry there will be a simple solution. The FDA will introduce a whole new set of cyber security requirements.

        The cost of the devices will go up by a factor of 10x and you will be required to visit a doctor ($$$) each month to change the password.

        1. Tomato42

          Re: And my doc wonders why I hate them?

          > The cost of the devices will go up by a factor of 10x and you will be required to visit a doctor ($$$) each month to change the password.

          not our fault that your healthcare is a for profit industry and lacks any morals or ethics

    3. katrinab Silver badge

      Re: And my doc wonders why I hate them?

      I don't think there is any evidence that anyone has tried to do this, though obviously the fact that they can is a good enough reason to take action.

      Mislabelled food is probably the biggest risk facing diabetics.

    4. J. R. Hartley

      Re: And my doc wonders why I hate them?

      Alexa, add tinfoil to my shopping list.

    5. Muscleguy

      Re: And my doc wonders why I hate them?

      How about you kneecap him, preventing his escape, then you roll him over and punch each kidney REALLY hard. With a bit of luck the miscreant will need dialysis if not a transplant with associated anti-rejection drugs. Thus acquiring empathy into your situation and maybe be reformed.

      Yours

      A Physiologist and Anatomist.

      Personally I would also rub various pressure points where the nerves come close to the surface and run over bones. Leaves practically no marks so is deniable but can visit great discomfort and pain. I just happen to have noticed such points during my studies. I confirmed them by experimenting on myself.

      So don't get me riled. I am armed with knowledge and extremely dangerous.

  2. Blockchain commentard

    Don't know much about this but if you have a pump, I'm assuming you need it to keep you alive. How do the manufacturers expect patients to survive if they have to send their pumps in first to get a 'safe' replacement? Surely they should be sending out replacements first?

    1. Borg.King

      Manual mode

      They expect the patients to revert to repeatedly checking their blood sugar levels throughout the day, and injecting the appropriate amount of insulin as a result.

      1. Richard 12 Silver badge

        Re: Manual mode

        A lot won't remember the important details of how to do that, and some will have never been able to control their blood sugar that way in the first place.

        So some will end up in hospital due to over or underdose.

        Even those who do it "perfectly" will suffer harm because the whole point of these pumps is to avoid the peaks and troughs of blood sugar that are the inevitable consequence of the manual method.

  3. Lorribot

    The boss of the company should be able to be put in court and fined personally for failing in such a big way and not running his company responsibly.

    Until we start making security the personal responsibility of the person who gets paid the most in a company with massive personal penalties that mean they can't just leave and get a well paid job somewhere else, then this kind of stuff will keep happening. CEO, President, CIO and all the others with a C(hief) in their name should personally be fined £1m for professional ineptitude and falling asleep at the wheel.

    Perhaps then all the car companies, drug companies, personal toy companies, security camera companies, etc may actually do a proper security job that puts their customers first by default rather than by luck.

    1. Yet Another Anonymous coward Silver badge

      The devices are made to meet FDA standards, if there are no standards on security then are the manufacturers responsible for predicting these and securing them?

      How secure do they have to be?

      Proof against script kiddies or against a stuxnet style Mossad attack?

      Monthly password changes, a secure-id key and 2factor authentication every time you need to change your dose? Or only doctors allowed to make changes and it being illegal to own or know about the interface electronics?

      Yes the devices obviously shouldn't have a web service with a default password, but "the shoot the CEO" demands because somebody can connect to the wireless implanted pump from 6 inches away with a homemade radio interface kit is just Daily-Mail ism.

      Somebody can break into my house and replace my insulin because the home builders chose to use wood for the walls to save money, instead of the mixture of Titanium and Chobham armour that security would demand.

      1. Jon 37

        It should be impossible for an attacker to wirelessly change the software or settings on a medical device unless he has the cryptographic key that is unique to that particular device. And it must be possible for a doctor to easily change the cryptographic key should it get leaked.

        That's just common sense security. You shouldn't need a regulation to tell you that. (Effectively that's passwords, like we've been using since the 1970s, but with crypto keys because we have decades of research showing that users always choose poor passwords if you let them).

        And ideally, the entire wireless protocol should be publicly documented so that security professionals can test the security claims of the manufacturers.

        The issue is that people are more likely to commit crimes if they think they can get away with them:

        * If someone breaks into your house and murders you, there will be clear physical evidence and police and forensics people have a lot of experience tracking those people down and bringing them to justice.

        * If someone walks down the street murdering people, again there will be physical evidence and witnesses and CCTV, and counter-terror police are trained and (thankfully) not too experienced dealing with that sort of thing, but they will catch or kill the perpetrator and bring them to justice.

        * If someone murders someone with a wireless insulin pump hack, it will probably get written off as a malfunction and they'll probably get away with it.

        * If someone walks down the street reprogramming wireless insulin pumps to fail after a random amount of time, they'll probably kill a bunch of people and get away with it because it will probably be written off as a flaw in the device.
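
An added example, not part of the thread and not any vendor's code: a sketch of the scheme Jon 37 describes above, in which a device accepts a wireless settings change only if it carries a valid MAC under that device's unique key. The frame layout, the `Device` class, the command strings, the replay counter and the rule that key rotation needs a local physical action are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16     # truncated HMAC-SHA256 tag (assumed size)
HEADER_LEN = 12  # 4-byte device id + 8-byte big-endian counter (assumed layout)


def build_frame(key: bytes, device_id: bytes, counter: int, command: bytes) -> bytes:
    """Programmer side: header || command || tag, tag computed over header+command."""
    header = device_id + struct.pack(">Q", counter)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag


class Device:
    """Hypothetical device-side verifier holding one key unique to this unit."""

    def __init__(self, device_id: bytes, key: bytes):
        if len(device_id) != 4:
            raise ValueError("device_id must be 4 bytes")
        self.device_id = device_id
        self._key = key
        self._last_counter = 0
        self.accepted = []  # commands that passed every check

    def receive(self, frame: bytes) -> str:
        if len(frame) < HEADER_LEN + 1 + TAG_LEN:
            return "reject: malformed"
        header = frame[:HEADER_LEN]
        command = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        if header[:4] != self.device_id:
            return "reject: wrong device"
        expected = hmac.new(self._key, header + command, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare; no device state changes before the tag verifies.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        counter = struct.unpack(">Q", header[4:])[0]
        if counter <= self._last_counter:
            return "reject: replay"  # a recorded valid frame cannot be re-sent
        self._last_counter = counter
        self.accepted.append(command)
        return "accept"

    def rotate_key(self, new_key: bytes, physical_presence: bool) -> bool:
        """Replace a leaked key. Assumption: rotation needs a local action in
        clinic (cable, button) because a radio message authenticated with the
        leaked key could be produced by whoever holds that key."""
        if not physical_presence or len(new_key) < 16:
            return False
        self._key = new_key
        self._last_counter = 0
        return True


def demo() -> list:
    key = bytes(range(32))  # constructed sample key
    dev = Device(b"PUMP", key)
    good = build_frame(key, b"PUMP", 1, b"SET_BASAL=0.8")  # constructed command
    forged = build_frame(bytes(32), b"PUMP", 2, b"SET_BASAL=9.9")  # wrong key
    return [dev.receive(good), dev.receive(good), dev.receive(forged)]


if __name__ == "__main__":
    print(demo())
```
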

        1. Turbo Beholder

          The issue is that the entire idIOTic setup is pointless and dangerous. For that matter, it does not strictly need to be MCU controlled at all, though this has obvious advantages.

          It needs only one wireless function: alarm going off when the pump runs out of medication/needs a recharge/malfunctions/fails to report at all. When the doctor needs to change settings, a USB cable would suffice — the only difference is that this can't be done sight unseen, but that's not a flaw, that's a feature. With this in mind, it would be trivial to make such a device very, very secure, by rendering irrelevant all the fool's errands and running battles of networks. Likewise, it would be easy to make such things highly resistant to malware.

      2. Turbo Beholder

        Your house needs doors so that you could get inside. It's part of the main function, your safe is a later addition.

        Conversely, the vast majority of medical equipment does not need a wireless interface at all, let alone allowing to control anything through it. It's just obviously not a good idea.

        A wireless interface is necessary only for real-time biometry or device diagnostics with alarm when things go wrong. In which case, the device can be separated into working and monitoring parts, the former feeding signals into the latter in a way that's inherently read-only. It's trivial.

    2. LucreLout

      Until we start making security the personal responsibility of the person who gets paid the most in a company with massive personal penalties that mean they can't just leave and get a well paid job somewhere else, then this kind of stuff will keep happening. CEO, President, CIO and all the others with a C(hief) in their name should personally be fined £1m for professional ineptitude and falling asleep at the wheel.

      I can see where you're going with this, and I don't disagree with the sentiment, but it is factually incorrect. Quite often the highest paid person isn't in the C-suite: many banks pay their rockstar traders more than the CEO, for instance - they just do it "off the books", so to speak.

  4. a_yank_lurker

    A Couple of Questions

    Where were the relevant TLA agencies on having secure communication with the devices from the start? It seems bleeding obvious to the most oblivious that any ability to remotely control a medical device should be done by a secure connection. If they had been competent this situation would not have occurred. Medical devices generally need approval before they can be marketed and used by patients. So it's not as if they did not have a chance to force Medtronic, in this case, to have decent security.

    While life threatening to a Type 1 diabetic, how easy is an attack to pull off in reality? I am wondering about how do you actually control the pump settings as this would be an odd bit of software to run into for most hackers. Also, if a hacker were to kill someone, besides the hacking charges, would there also be murder charges? Over here in Feraldom, some of the locals have pretty draconian sentences (including execution) for murder and I would believe the local DA would love to nail a hacker on one.

    1. Martin Gregorie

      Re: A Couple of Questions

      Never mind the TLAs - what about the companies selling these devices. Why aren't they and the NIH required to certificate the equipment as secure before it goes on sale and the vendors mandated to recall and fix or replace equipment as faults are found?

      Virtually all the security warnings about this sort of equipment have been for Medtronic kit, so I wonder why. Is it because Medtronic is so big it dominates the market, or is it because everybody else cares about safety and security and they don't?

      1. a_yank_lurker

        Re: A Couple of Questions

        I wonder why the FDA couldn't arse itself to require secure communication for medical devices that can communicate with other devices. They have to approve the devices for sale.

    2. Paul Crawford Silver badge

      Re: A Couple of Questions

      It is a pretty obscure attack for sure, apparently needing to be within radio range to pull it off and obviously only works for a victim using said device. However, if something can be done then sooner or later it will be done.

      The thing with radio range is often it works quite well through normal walls/floor/roof so it might be a viable and possibly less traceable (in terms of physical evidence, maybe more so if the device is not logging all commands, etc) way of knobbling a known high-value target if the killer can get an adjacent hotel room, etc. Or a high-gain antenna from across the street, etc.

  5. Danny Boyd

    It's a fast reaction from Medtronic - a mere eight years since the vulnerability and way of exploit were reported. Very commendable! Keep up the good work, Medtronic!

  6. Chairman of the Bored

    Watching the knee...

    ...for a knee-jerk reaction: "Oh my gosh! We must ban software-defined radios! Think of the children!"

  7. Will Godfrey Silver badge

    It's locking the door after the horse has bolted

    but hacking life support devices (with intent) should be a distinct criminal offence with a mandatory life sentence - assuming you can catch the slimeballs

    1. Paul Kinsler

      Re: hacking life support devices (with intent)

      If it's a life support device, then presumably that would (should) already be in the bracket of existing law, i.e. as either attempted murder, or murder.

      1. Omgwtfbbqtime

        Re: hacking life support devices (with intent)

        Even if it cannot be proven the intent was to kill it would be assault with a deadly weapon.

  8. martinusher Silver badge

    There's the other reason for hacking these pumps...

    There's apparently quite a black market in older, hackable, insulin pumps because people want to combine them with an embedded insulin sensor so that their insulin levels can be dynamically stabilized. This bit of home made technology isn't without its risks but the benefits are apparently so great that people are prepared to take that risk for the chance of leading a normal life, a life that most of us take for granted.

    The problem with this is, as ever, money. There isn't a commercial version of this -- yet -- and any such device would have to undergo years of bureaucratic testing and certification and sell at nosebleed prices. There's definitely a profit motive here but before it can be fully exploited companies like Medtronic need to get the older pumps off the market so that only ones with appropriate DRM -- no, they're not "hacker proof", it's DRM -- are available to the public. In order to move things along a bit you'll get stories from the appropriate PR people about "hackers can kill people", something that I suppose is theoretically true but rather unlikely (anyway, if the devices were designed correctly they'd have hard limits that would prevent runaway software from causing irreversible harm).

    1. Oscar Pops

      Re: There's the other reason for hacking these pumps...

      Parent of a T1D here, by no means an expert but researching heavily into it. It's known as Looping, with open source apps for iOS and Android. When I first saw it, my reaction was, "There's no way I'm hooking up homegrown software to my kid" but having read up a lot on it I believe it can be safely tested and am intending to try it. Yes it's DIY for the reasons you state and yes there are risks if users don't do their homework, but if used responsibly it's genuinely life-changing (in a good way).

      Manufacturers are only just getting similar devices to the market and I can't help thinking it is a strange coincidence that suddenly it's of concern to them that their older devices are "vulnerable".

    2. Bah Humbug

      Re: There's the other reason for hacking these pumps...

      What you're describing is looping, and there is a commercial version of this available now by, guess who, Medtronic.

      I'm sure it's just a coincidence that, now they have a commercially available system, they're trying to get older pumps that can be used to compete with that out of the market.

  9. Martin an gof Silver badge

    What else?

    Medtronic makes quite a lot of other kit, some of which also appears to be "smart" in a similar way to these pumps. Presumably some of the same engineers worked on those other devices too.

    Just wondering when the next vulnerability will be found. And the one after that. And the one after that from a different manufacturer. Reprogramming pacemakers? Implanted defibrillators? Cochlear implants (or bone-anchored devices or just plain old hearing aids)?

    M.

  10. heyrick Silver badge

    Why is the word "Scumbags" used for the potential "hackers"?

    Shouldn't that moniker be reserved for the people that released this insecure pile of effluent that would shame the poo emoji?

    1. Sleep deprived

      Re: Why is the word "Scumbags" used for the potential "hackers"?

      Sounds like tabloid language to me.

  11. Anonymous Coward

    NFC

    NFC is not a fast protocol but surely it's adequate for an insulin pump?

    1. The Mole

      Re: NFC

      That's only a slight mitigation though, either the radio comms are secure or they aren't. With the right transmitters/receivers NFC can still operate within the range of meters (or just get the target to walk through a specific door). Mitigates the possibilities slightly but not significantly enough.

  12. richard.grimes

    Hacking can be good

    I've been T1D for 4 decades and MDI (multiple daily injections, sometimes 10 times a day on a bad day), I know a lot of people who use pumps so I have some knowledge about this.

    First, bear in mind that if I inject 10% too much it will send me hypo, and potentially it could be so low that I need help from others. Insulin is a dangerous drug (and I would say that when it comes to type 1 diabetes the worst people are GPs who know nothing about the condition but still want to tell people like me how to live my life yet because they are a doctor I am expected to obey them <rant over>). So hacking a pump can be dangerous.

    However, there is now a thriving community of T1Ds who are hacking their pumps. These are the so-called "loopers" who are trying to create an "artificial pancreas" by connecting a continuous glucose monitor (CGM) to a pump via a Raspberry Pi (or similar). Loopers *can* get very good blood sugar control doing this. However, because it is not regulated it is *entirely* DIY. Also pumps and CGMs do not have open APIs so looping can only be carried out via hacking.

    Medtronic have their own looping system MiniMed 670G and clearly they want loopers to ONLY use their system. Hence it is a closed API. It is interesting that they use an established (or some would say old fashioned) PID feedback looping. I am not a looper, but I should point out that loopers use other algorithms other than PID which are potentially better.

    Interestingly, at a recent diabetes conference there were a lot of complaints from T1Ds who use Dexcom CGM because the radio signals were interfering with other Dexcom users!

    So I do wonder if this recall is more about preventing DIY loopers from producing *better* systems.

  13. Anonymous Coward

    This is sloppy reporting and has nothing to do with safety but everything to do with people taking advantage of that security flaw to build their own artificial pancreas.

    There are a few thousand people who have done this. The FDA is upset because people have been ignoring them and going the DIY route and Medtronic wants to sell their newest pump (note sell as this is not a swap out but just a discount). If you have one of these old pumps you are not using there is a queue of people who would like to buy it from you. Have a look at openaps.org

    1. Intractable Potsherd

      This and posts above are really interesting. I don't know (or am not aware of knowing) any type-1 diabetics, so I was unaware of looping. However, now I do know, it certainly does seem suspicious that this issue, which has been known about for some years, has suddenly become actionable. I hate medical technology companies who see patients as just another revenue source, not people with their own needs.

    2. Conundrum1885

      This is exactly why

      We should disband the FDA and MHRA, because part of the reason that vaccines take so long (thus costing lives) is the legal and other red tape involved such as having to use special expensive hard-to-source medical grade glass for a vial which is going to be used once then thrown away.

      Also for any number of reasons such as delays in essential medical and technological advances being released to the public. Case in point, the clinical trials can take close to a decade and cost so much that people die in agony waiting for the blockbuster drug(s) they need or end up opioid addicts despite there being safer alternatives that aren't approved yet.

  14. robined

    headline slightly *cough* misleading

    Surely it should read more like: Scumbags sell super vulnerable insulin pumps to unsuspecting diabetics until someone makes the public aware and scumbags are forced to recall the faulty pumps

  15. Anonymous Coward

    How come life support medical devices don't have to be SIL 4? Yes it costs a lot of money, but this is no place for an Arduino board.

  16. TheSkunkyMonk

    Just no need for this stuff to have a wireless feature in the first place. When will we stop putting critical systems online.

  17. Anonymous Coward

    the FDA

    Good to see the Fecking Dumb Assholes still are not fit for their intended purpose.

    Bigger question is, how the F can this have got FDA clearance post submission, considering the hoops we have to jump through to sell our products in US, ahh ok it's a US healthcare org, diff rules diff locales.

  18. Turbo Beholder

    seriously?

    Once more, together: "S" in "IoT" stands for "secure".

  19. Anonymous Coward

    Over here in Feraldom

    so, that's just outside London?
