Insulin Pump Hack Controversy Grows

Published: 22/11/2024 | Category: security




Security researcher--and pump user--who found the flaw takes medical device manufacturer Medtronic to task for its response to the security vulnerability.



At least four models of insulin pumps sold by Medtronic are vulnerable to being wirelessly hacked. In particular, an attacker could remotely disable the pumps or manipulate every setting, including the insulin dosage that's automatically delivered--every three minutes--to the user.
That was the report given by security researcher Jerome Radcliffe at a press conference on Thursday. Radcliffe, himself a diabetic, demonstrated the pump vulnerability earlier this month at the Black Hat conference in Las Vegas, by remotely disabling his own insulin pump live on stage. Executing the attack required less than 60 seconds, and would work from up to 100 feet away using Radcliffe's demonstration setup. But with some modifications, he said, an attack could be made to work from up to half a mile away.
At the time, Radcliffe declined to name the manufacturer or model of his pump, and obscured everything but the pump's LCD panel when demonstrating the attack. Following ethical disclosure guidelines, Radcliffe said he wanted to give the vendor time to address the flaws, which he exploited using a radio frequency transmitter and 10 lines of Perl code.
On Thursday, however, Radcliffe named names, saying that the vulnerable pumps are the Medtronic Paradigm 512, 522, 712, and 722. Radcliffe said that he'd been dismayed by the lack of honest public discourse on the part of Medtronic, which is the number-one seller of insulin pumps in the United States. For the first time, he also disclosed that the radio frequency transmitter that he'd used in the exploit was the Medtronic Minimed Comlink (model number MMT-7304NA) that shipped with his insulin pump, and which is available new, via eBay, for $20. Finally, Radcliffe said his attempts at helping Medtronic quickly identify the underlying issues, so that it could explore a fix, had failed due to its ignoring, obfuscating, or outright lying--in its press releases--about the vulnerability.
According to Radcliffe, things started off well. A Medtronic engineer who attended his presentation at Black Hat afterwards asked for a copy of the slides, as well as his contact information, which Radcliffe said he provided the next day. Three days later, however, having received no response, he emailed the engineer again, and again received no response.
But the next day, Amanda Sheldon, director of public relations for the diabetes business unit of Medtronic, released a blog post. "Thanks to Medtronic's information security measures, we strongly believe it would be extremely difficult for a third-party to wirelessly tamper with your insulin pump," she said, in a section titled, "Why shouldn't I be concerned?" If someone did wirelessly adjust the dosage, according to the post, the pump would play a series of tones to alert the user that their bolus (dose) had changed.
Furthermore, she said, any such attack could be easily prevented by disabling the insulin pump's wireless capabilities. "After reviewing the research presented last week, we discovered that the researcher was only able to hack his own pump using in-depth knowledge about the product, such as the serial number of both the insulin pump and remote device," said Sheldon. "He also TURNED ON the wireless feature and had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment."
Radcliffe, however, disputed those assertions. "This is probably the largest lie in the PR statement. The wireless ability that I'm exploiting can't be turned off, it is permanently turned on, and the only way to turn it off is to take the battery out of the device," he said. Furthermore, the device's six-digit serial number, which is required to exploit the pump in this type of attack, could be retrieved by writing a simple radio frequency scanning application. "It was very disappointing to me that they would publish this information without doing any fact-checking at all," said Radcliffe.
The Food and Drug Administration, which regulates medical devices, was not immediately available on Friday to respond to questions about whether Medtronic may have violated any existing regulations, if it released inaccurate statements about how its insulin pumps operate.
In the interest of public safety, Radcliffe said he'd also approached Medtronic with the help of two intermediaries--U.S. CERT, as well as the Department of Homeland Security (DHS). He said that both organizations contacted Medtronic, with DHS emailing the CEO on August 10, then talking to the head of Medtronic public relations on August 12. Meanwhile, on August 15, two members of Congress wrote to the Government Accountability Office (GAO) and asked them to review the Federal Communication Commission's approach to regulating medical devices that use wireless technology, making explicit reference to Radcliffe's Black Hat demonstration.
Radcliffe said that on Wednesday, he provided Medtronic with an advance copy of all of the criticisms that he planned to voice during the Thursday press conference. In response, he said, Medtronic sent him back a statement that read in part, "our products incorporate encryption and other proprietary security measures." In addition, it said that Medtronic "has not been formally contacted by the Department of Homeland Security" but said that if it was contacted it would "of course comply with any requests that they may have."
"I was floored by this," said Radcliffe. "It's totally unacceptable and unethical to deny that you were contacted multiple times by CERT and Department of Homeland Security. It's also an irresponsible use of the word encryption. In today's world this means AES, RSA, or some other type of modern encryption. I can say with 110% certainty that there's no modern encryption used in the communication of these devices."
Asked to comment on Radcliffe's assertions, Medtronic's Sheldon said via email: "We are vigilant in reviewing the external security landscape, which is why we attended Jay Radcliffe's presentation at the Black Hat conference and have been analyzing his results. We are open to speaking with Mr. Radcliffe and others to better understand his findings and results." In addition, she reiterated that the company had not been formally contacted by DHS.
In response to Medtronic's handling of this episode, Radcliffe said that as a customer, he's chosen to work with someone else. "The first thing I did was, I stopped doing business with them, and last week I ordered a new pump from a company called Animas, which is owned by Johnson & Johnson," he said.
But Radcliffe noted that owners of the vulnerable Medtronic insulin pumps face virtually no threat of attack, and that the benefit of using insulin pump technology far outweighs any risks. "Don't freak out, keep using your pump, continue doing your insulin therapy," he said. "The risk at this point is exceptionally low to individual users."