back to article Insulin pump maker ignores diabetic's hack warnings

The maker of an insulin pump that's susceptible to wireless hacking was identified for the first time on Thursday by a diabetic researcher who said the company repeatedly ignored his warnings. A commercially available pump made by Medtronic, the world's biggest medical device manufacturer, is vulnerable to attacks that allow …

COMMENTS

This topic is closed for new posts.
  1. Phil Endecott

    Therac-25

    It is strange-but-true that the systems where safety is most important can often be the ones that are least carefully designed. I thoroughly recommend reading up on the "Therac-25", a radiotherapy machine that would periodically zap patients with doses tens or hundreds of times stronger than intended. Even after a few deaths, the manufacturer was claiming that the software was implemented in such a way that it could not possibly fail. The complacent comments in the current story, where the manufacturer seems more concerned to re-assure their shareholders about their product than to ensure the safety of their patients, seems rather similar.

    Start at http://en.wikipedia.org/wiki/Therac-25 and follow the links.

    1. Thomas 4
      IT Angle

      I'm no expert on wireless....

      .....so I'd appreciate an answer from someone that is. Is it possible that random wireless interference could do the same damage as a directed hack? What are the sort of probabilities involved?

      Just asking from a neutral viewpoint.

      1. Robert Carnegie Silver badge

        Safe from random accident, presumably

        Otherwise diabetics would be dying when their mobile phone rings - and turns on its own powerful radio. Or when riding in a taxi. Or operating a cordless mouse. Or meeting another diabetic person, but I read somewhere that that is an actual problem with some appliance, you start wirelessly reading each other's blood sugar level instead of your own, and randomly giving each other insulin.

        Evidently and presumably, -this- wireless device uses a digital communications encoding so that only messages digitally sent from or to its own partner control device are acted on. So interference doesn't cause a problem. But it isn't secure, and it could be interfered with deliberately.

        However, he says "the techniques he developed are hard to execute in the real world" just now. You also probably have to get very close to your victim. But if more people get interested then it will catch on.

  2. MurrayH
    Linux

    Pump you up

    Unfortunately, it will likely take multiple deaths, wholly and legally attributed to their devices being maliciously hacked to force these companies to change.

    How on earth would a medical person be able to tell the pump/device had been hacked in the first place? They are not techies, so the it is unlikely that they would be aware that this could happen, or know what to look for. And you can bet the industries lawyers know that.

    Congressional investigation is just another euphimism for "please increase your campaign contributions or we will regulate you".

  3. nyelvmark
    Trollface

    OMG, this is bad news

    In other news:

    Ford admits that terrorist mechanics could remove all the brake pads from your vehicle without needing to gain access to the cabin area. Ford owners are advised to remove all wheels and verify the existence of the brake pads before attempting to start the vehicle.

    1. Paul Crawford Silver badge

      @OMG, this is bad news

      Bad example, as I suspect most would notice someone physically entering their body to tamper with the unit.

      Maybe "Ford denies FM radio can cause steering lock up" would be more appropriate?

      Hmm, now what was the story about the Ford Pinto again....

      1. Jacqui

        Odd you pick ford...

        "Maybe "Ford denies FM radio can cause steering lock up" would be more appropriate?""

        Or perhaps more accurately a weakish EM radio pulse say from a taxi base station or CB radio can cause cruise control to lock out on full throttle leading to drivers having to learn how to switch off the engine and coast to a stop or in once case, swerve into a tree and while saving the lives of the people in front of him ended up killing himself.

        IIRC The lethal CC system was withdrawn/replaced in the US but is *still* sold in the UK - he rest of .eu is another matter - thier .gov prpbably wanted heavier brown envelopes.

      2. Mr. Byte
        Thumb Down

        Pump not inside...

        @Paul Crawford: The pumps in question are not inside a person's body, they are outside.

    2. Ralthor
      FAIL

      Re: OMG, this is bad news

      In yet other news:

      Judge tells woman she can skip customs from now on.

    3. QrazyQat

      via wireless?

      If removing your brake pads could be via wireless I'd be worried. But it can't, can it, so it's a really stupid attempt at a counter.

    4. nyelvmark

      @OMG, this is bad news (myself)

      I wonder if I was misunderstood? Let me put it more plainly.

      Almost all of the time, when someone wants to murder you, they'll pick up some nearby heavy or sharp object and attempt to employ it. Cases where they'll devise a scheme involving the cunning exploitation of high technology are mostly limited to James Bond-type stuff.

      More specifically, supplying the wrong level of insulin to most diabetics will cause them to feel ill, which will prompt them to check their blood sugar, which will tell them that the machine isn't working right. So, it's not a sure-fire method. You should probably stick with the nearby heavy object.

      1. Paul Kerton
        Alert

        Needs clarification

        Speaking as a diabetic myself, I can tell you that it would only take a high level of insulin being injected to cause blood sugards to drop to dangerous levels.

        This, in turn, manifests itself in a way that makes the diabetic appear to be drunk, rapidly followed by a diabetic coma, and potentially death if not treated rapidly.

        Most diabetics whose blood sugars drop to these low levels are unaware, and frequently unable to do anything about it until it's too late to do so.

        In a nutshell - this hack could kill, plain and simple.

        1. Anonymous Coward
          Anonymous Coward

          Not only that

          ...but presumably you could automate it and be away somewhere establishing an alibi.

      2. Anonymous Coward
        Anonymous Coward

        Re: @OMG, this is bad news (myself)

        You shoul;d take up homeopathy as you clearly have the required level of medical knowledge.

  4. Nya

    Vote with out feet

    Or more simply, next time your talking to your DSN or Consultant. Get them to bin anything with a Medtronic logo on it. If everyone drops them and makes it widely known through the NHS that there stuff can't be trusted than they will be forced through the market to respond. Sadly a slow way, but probably one of the best ways currently while they have there heads in the sand.

    It's what I'm going to do when I see mine next month. I simply won't have anything made by Medtronic until the issue is fixed connected to me.

  5. This post has been deleted by its author

    1. The BigYin

      Is the code...

      ...free software (or, at least, open source)? If not, then they are just as bad, they just haven't been caught out yet.

      1. Ru
        Stop

        Closed source is not intrinsically bad, or even relevant here

        The underlying issue here is that the manufacturer simply does not care. They have no interest in securing their systems, and their customers (in the form of private healthcare companies or national heath services or whatever) have no interest in demanding security from them.

        This whole issue is rather independent of software philosophies, and even software at all.

        These guys were caught out, publically named and shamed and they still don't care. Open or closed source firmware is irrelevant to that attitude.

        1. The BigYin

          If the code...

          ...is closed, then it has not been audited. We know the FDA does not audit the code, they rely on the company to write a report that says "All OK, guv. Honest."

          "These guys were caught out, publically named and shamed and they still don't care. Open or closed source firmware is irrelevant to that attitude."

          It's very relevant because if the code were free (not just open) then another qualified person could patch the vulnerability. The company caring or not becomes redundant as you can be sure the patients and their doctors care.

      2. Robert Carnegie Silver badge

        It uses Apache... whoops :-)

        Not really. Well, I don't know. Maybe it does.

        See http://www.theregister.co.uk/2011/08/24/devastating_apache_vuln/

        1. The BigYin

          @Robert Carnegie

          Race is on then! Let's see who gets a patch out first.

          No one said free or open software was infallible. It's written/managed by humans after all.

          1. The BigYin

            @Robert Carnegie

            And here we go, a bit later than originally planned admittedly

            http://www.computerworld.com/s/article/9219650/Apache_patches_Web_server_DoS_vulnerability

            So, has the insulin pump been patched? I somehow don't think so. One major step towards fixing a problem is admitting there is one in the first place. Free software tends to be much better at that than proprietary.

  6. Nights_are_Long
    Facepalm

    Not a good step me thinks...

    I am shocked by the companies attitude about this, medical devices should be as hevaly regulated as drugs when it comes to quality.

    I don't know if any one rembers in the last few months some one from a surgical department in a hospital who takes care of the instruments used reported that about 50% of instruments where unsafe to use because they where produced incorrectly by hand in Pakistan and India forceps that had sharp edges that where intended for heart opperations, scalpels with badly ground edges he had a display of some common failues he found that should not have left the factory let alone nearly made it into the opperating room and would have if he didn't find them. And he called for more action in regards to regulation of such devices because they can cause so much harm.

    In this case it's shocking not that it can be done, but the attituded the company seems to be takinging towards the safty of it's users because now that it's out in the open how long do you think it will be before some one trys this in the wild as it where? To much insulin will kill you or put you in a coma, to little can cause problems as well.

    1. Mentalfloss
      Megaphone

      If I were Medtronic I would ignore him as well.

      Jay Radcliffe made a mountain out of a molehill. If the pump's serial# is not included in the transmission it is ignored. A wearer of the pump would be less likely to give that out than his or her social security number.

      1. Colin Miller
        Thumb Down

        sniff serial no.

        And how easy is it to get the serial no. from sniffing and replay attacks? Wait until your victim eats in a restaurant, and changes the settings to compensate for the food.

      2. Anonymous Coward
        Anonymous Coward

        re: If the pump's serial# is not included in the transmission it is ignored.

        So you just needs to monitor transmissions to get the serial number?

      3. Dodgy Geezer Silver badge
        FAIL

        Knowing the serial number...

        How easy is the serial number to predict? And how many goes are you allowed before the system locks up?

        Easy? and Infinite? That's what I suspect....

        1. Some Beggar
          Devil

          Dear would-be murderers.

          You can extract enough polonium to kill a man from an anti-static duster.

          You don't even have to magically induce type 1 diabetes in your potential victims or wait for them to buy a certain brand of insulin pump.

          FFS. Get a grip.

          1. Ru
            Mushroom

            Re: Dear would-be murderers

            So, because you cannot protect yourself from every last threat in existence you should clearly not bother to protect yourself from any at all.

            If I could make your house or car explode and kill you just by using a remote control, would you still drive the car and live in the house? After all, a would be murder could just break into your house and kill you with an axe!

            1. Some Beggar

              @Ru

              Buy some cotton wool and wrap yourself up in it. And take some diazepam. All this panic can't be good for your blood pressure.

            2. The BigYin

              @Ru

              Curious. On the one hand you expect people to be able to take action to mitigate risks, yet on the other you argue against one measure the would permit those actions to be taken.

      4. Semaj

        a

        How many digits and/or letters are there in the serial? If it's only numbers and a few digits then it would be pretty easy to try them sequentially.

      5. Anonymous Coward
        Mushroom

        Hello there newfriend!

        Hi Mentalfloss! I notice you've just joined! And already made three posts! And all of them in this thread! Welcome! We look forward to hearing more from Medtronic about this!

    2. xlq
      Headmaster

      Re: Not a good step me thinks...

      "I don't know if any one rembers in the last few months some one from a surgical department in a hospital who takes care of the instruments used reported that about 50% of instruments where unsafe to use because they where produced incorrectly by hand in Pakistan and India forceps that had sharp edges that where intended for heart opperations, scalpels with badly ground edges he had a display of some common failues he found that should not have left the factory let alone nearly made it into the opperating room and would have if he didn't find them."

      It looks like you have run out of full stops. Here. Take these: ......................................

  7. dave 76

    speaking as a medtronic pump user...

    Am I bothered? Nah. I'm regularly checking my blood glucose levels using an meter (which is not part of the pump) and are well aware of the physical symptoms in myself if I have too much or too little insulin.

    Yes it should be addressed and resolved, but it is not an OMG the sky is falling issue. Upgrade the microcode and then as people replace their pumps (which they need to do every 4 years anyway) they get the fix.

  8. This post has been deleted by its author

    1. Mentalfloss
      Pint

      BAAAhaaahaaa.....

      I do believe it is!

  9. Some Beggar
    Unhappy

    There is no such thing as 100% secure or 100% risk free.

    "The Medtronic spokeswoman didn't address Radcliffe's claims directly, but said the “risk of deliberate, malicious or unauthorized manipulation of our insulin pumps is extremely low.” Maybe, but it's telling that a diabetic hacker thinks otherwise."

    Exactly how is this telling? And what do you think it is telling of?

    The risk _IS_ extremely low. It is low to the point of being negligible. It is not anything that a typical user would even begin to worry about. Insulin dependant diabetics have a hundred more important things to worry about before this even enters their heads and a dozen different ways they can end up in hospital that are hundreds or thousands of times more likely than this supposed hack.

    The story is that a hacker has managed to find a chink in one of the devices he owns and has used it for some self-promotion. The fact that it is an insulin pump is neither here nor there. I hope he gets a job out of it ... he clearly has some technical skills. But that's as far as it goes. Arguing that "oh but he's diabetic" is irrelevant to the point of being patronising.

    (disclaimer: I'm type 1 diabetic, have worked on the development of wireless medical devices but have no direct or indirect connection with this manufacturer)

    1. Ru
      Meh

      You can never be 100% safe, so why try be safe at all!

      Medtronic were lazy and irresponsible and they simply do not care that they have exposed users of their products to risk.

      That is what is the issue here. They just don't care, they don't care enough to design something well, they don't care enough to test it thoroughly, and they don't care enough to do anything about their mistake.

      You may feel free to continue to do business with a medical device company that has no regards for your safety or wellbeing below the bare minimum required of them.

      1. Some Beggar

        @Ru

        I've read that twice and I can't find a single phrase that usefully relates to anything I wrote in my previous post. Did you click the wrong reply button?

        1. Anonymous Coward
          Facepalm

          @some begger

          you are right, the risk of someone exploiting it is extremely low, but that's no excuse, the consequences could be fatal!

          The lapse in security is bordering on negligence! Just because people aren't generally likely to want to tamper with them, doesn't mean they won't* and doesn't excuse it making it easy.

          *some time ago, near me, a group of kids found someone drunk, passed out at a bus stop. They set him on fire "for a bit of a laugh". Imagine if they could get some cheap kit that would make anyone with an insulin pump, who walks near it, collapse and slip into a coma!

          1. Some Beggar

            @ anonymous paranoid 17:58

            Pure unadulterated whatiffery.

  10. Steen Larsen

    Standard procedure

    As industries start to build computers into their products and attach them to networks and radio transmitters they become vulnerable to all kind of new attacks they fail to understand.

    It is "standard procedure" that the go through several phases before their products eventually become secure enough to operate reliably in the new networked environment.

    The first phase is almost always: Denial.

    This is where Medtronic is now.

    Remember Microsoft, the CCTV industry, the burglar alarm people, SCADA, etc.?

  11. Cameron Colley

    Why is everyone concentrating on murder by insulin/no insulin?

    It's probably true that, when most people kill, they do so in a pretty obvious way and often in the heat of the moment with an improvised weapon.

    However, mild poisonings by jilted lovers or competing coworkers can't be all that uncommon, can they? All it would take is for your partner to think you were cheating for them to slightly up or lower your dose enough to cause you problems leaving the house, for example.

    So I'm not convinced the danger here is out-and-out murder in a James Bond style by person's unknown. After all -- I bet most poisonings are more Ex-Lax in the milk than Polonium in the sushi...

    1. Anonymous Coward
      Holmes

      Blackmail seems more likely.

      'Why is everyone concentrating on murder by insulin/no insulin?'

      Sure, there are many easier ways to bump someone off, but people are really fucking stupid, especially when they think they have a built in 'it was an hacker what killed him' defence.

      Secondly, the assumption is that the intended crime is murder; but this works way better as blackmail: 'Dear Medtronic, £1 million in used fivers or your customers start dropping. Capeesh?'

    2. Some Beggar
      Headmaster

      @Cameron Colley

      "All it would take is for your partner to think you were cheating for them to slightly up or lower your dose enough to cause you problems leaving the house, for example."

      That's not how insulin works. A slight decrease would have no short term effect. A slight increase would lead to hypoglycaemia which, depending on the subject, would mean obvious symptoms followed by a quick dose of glucose and an inspection of the pump, or falling into a coma. And if a malicious partner wanted to feck about with a diabetic's blood sugar then there are many other much simpler ways they could do it, from swapping fast- and slow-acting insulins to putting sugar instead of sweetener in a cup of coffee.

      I'm sure people can dream up a hundred different ways this hack could be exploited that might make it into a CSI:Miami script, but nobody has yet come up with a realistic real world risk.

      1. lpopman
        Headmaster

        tituler disnoblement

        "putting sugar instead of sweetener in a cup of coffee."

        I can certainly tell if there is sugar in my coffee instead of sweetner. It has a sticky texture and a totally different flavour for one.

  12. Some Beggar

    "Dear world's worst blackmailer. Ahahahahahahaha. Yours etc. Medtronic."

    [blank]

  13. Anonymous Coward
    Anonymous Coward

    http://192.168.0.1/pumpInsulin?level=99999

    What's the bets it registers a wireless network with the SSID "InsulinPump" and accepts a passwordless telnet session to 192.168.0.1, or has a cute little web interface...

  14. Anonymous Coward
    FAIL

    E&O Insurance

    How come asshats like Medtronic can stay in business making these shabby products? Yet smaller companies can barely afford, E&O insurance, or are unable to get it at any price?

    BTW, I am surprised that so many commenters seem not to care. Are you long Medtronic's stock? I'll admit the risk is very low. But you'll have to concede that the consequences are rather high. Consider the relative ease of addressing the problem, and this should be a non-decision for Medtronic (and for any regulatory body or insurance carrier if Medtronic can't be bothered).

  15. Anonymous Coward
    Pirate

    Medical devices

    Methinks they made a big mistake using a superficially modified wireless standard rather than designing their own with onetime pad based encryption.

    Given that most smart phones use weak/no security it isn't that hard to imagine a virus that attacks smart phones which has a system to search for these pumps or other implanted devices and brute force the code over time.

    Might take a week, maybe longer but if there is no built-in time lockout for n wrong codes then this could be very serious indeed.

    AC/DC

  16. Anonymous Coward
    Anonymous Coward

    Medtronic are still the bad boys here...

    instead of just dismissing the fact that the machine has vulnerabilities, they should actually state exactly what that vulnerability is in real world terms.sort of like...

    --------------------------------------------------------------------------------------------

    It has come to our attention that there is a risk that your Medtronic insulin pump may be vulnerable to an attack by a hacker. The hacker will first need to identify your pumps serial number, This can possibly be gained if the hacker remotely monitors your use of the insulin pump over several actuations of the pump. The hacker will need to be quite close to you to actually manage this. it will also be possible if the attacker has access to the insulin pump. We would recommend covering the serial number with some medical tape.

    Although their is a slight risk, we do not believe that anyone's health is in serious danger. We will be blocking this vulnerability in the near future and when a replacement pump is available we will let all of our users know and offer a free replacement.

    if you still have concerns please call our customer care line ....

    ---------------------------------------------------------------------------------------

    at least a proper statement would stop them looking like dicks.....

    1. Anonymous Coward
      FAIL

      They didn't even need to do that

      Radcliffe apparently contacted Medtronic to inform them of the vulnerability some time ago.

      All they needed to do was reply to him with something along the lines of:

      "Thanks for bringing this to our attention, we will work on securing this vulnerability in the near future and once we have a reliable fix we will issue it to all users of %Device%. In the meantime we would ask that you keep the details of this vulnerability secret to reduce the risk of it being exploited."

      If Radcliffe then went public afterwards, they could publish that reply and make him look like an evil bastard.

      As it is, Medtronic look like fools, as the public information seems to imply that all someone would need to hack a specific device would be a cheap piece of hardware and serial number, a piece of information that is printed on the device, very short and *very* predictable.

      I really hope that is not true, but I rather suspect it might be.

      Should an evil person want to exploit it, they could just wander around repeatedly transmitting "Inject maximum!" to pretty much every serial number ever built. Even with a targeted attack, to some extent it doesn't even matter whether they know the serial number of the 'target' as they could just spam a lot of serial numbers until they get the result they want.

      You might think that it's unlikely that someone would go to the trouble, but that's no reason to ignore it.

      Medtronic do appear to have now released a statement to Reuters saying that they'll fix the vulnerability in their next generation product, but it's too late - they now look like blind fools.

  17. Anonymous Bosch

    From a Medtronics user

    I don't believe how many arrogant b*llsh*tters there are commenting. First and foremost, Medtronics does provide excellent customer service. I was away from home and a short visit turned into an extended stay, and as a result, I ran out of reservoirs. They over-nighted four complete sets of res. and canulas at no charge to me. And no, they didn't charge the insurance company because I don't have one. Furthermore, a few years back they had a problem with one batch of canulas and recalled all of them even though the error affected less than 1% of them. Since all you blowhards out there are such fantastic engineers you know how trivial it is to reproduce errors that occur that frequency.

    1. Anonymous Coward
      Anonymous Coward

      I'm glad they gave you such fantastic service when away from home

      That kind of service should be shouted from the rooftops.

      However, that doesn't apply in the case of recalling of a bad batch of canulas.

      That is precisely what is legally *required* of a manufacturer of such things.

      If there's a chance that you've shipped a dangerous product that could cause harm to people, you recall or inspect/repair/replace *every single one* from the batches that might have the defect as quickly as reasonably practicable.

      If you don't do that and somebody is harmed, then your company ends up in court and would almost certainly lose - there's plenty of case law on this subject.

      Under UK law that can even result in the CEO or other senior management being convicted of corporate manslaughter which carries a prison sentence. I don't know if the US has a similar law.

      That's the silliness here. They did have a chance to look like the good guys and for some reason they took the path of "ignore it and it'll go away".

  18. Anonymous Coward
    Boffin

    I don't know about the hack/attack, but...

    In my experience, the design of many medical devices is commonly outsourced to consultants or other electronic/mechanical-product design-houses which have the relevant expertise that the Big Name medical/pharma company does not. Although all the software would have been archived in a Design History File when the device was developed, it may not necessarily be straightforward to find someone with the knowledge to *competently* modify and recompile the code some years down the line. Furthermore, I presume that following any modification, the device would have to go through a large amount of formal re-testing (and FDA/regulatory re-approval) to ensure it was still safe. Again the original test-setups will likely have been torn down by then - and even with the most expendient intentions the testing and bureaucracy could easily take a few months.

    In short, I can understand why the manufacturer would be dragging their heels on making any changes if the perceived risk is genuinely pretty small.

    a/c - you can probably figure why.

  19. Mike Powers

    Medtronic or Minimed?

    The pump in question was manufactured by an entirely different company (Minimed) that was bought out by Medtronic. Calling Minnesota gets you nothing but the head offices and the accounting department of the manufacturer's parent company. Minimed itself is in Northridge CA. If Radcliffe were indeed calling Medtronic then it's understandable why the people he was talking to would have no clue.

  20. Jop
    Joke

    Next week on CSI...

    ...the team are called to investigate the death of a man in a wifi enabled mcdonalds.

This topic is closed for new posts.

Other stories you might like