Insulin pump maker ignores diabetic's hack warnings The maker of an insulin pump that's susceptible to wireless hacking was identified for the first time on Thursday by a diabetic researcher who said the company repeatedly ignored his warnings. A commercially available pump made by Medtronic, the world's biggest medical device manufacturer, is vulnerable to attacks that allow …
It is strange-but-true that the systems where safety is most important can often be the ones that are least carefully designed. I thoroughly recommend reading up on the "Therac-25", a radiotherapy machine that would periodically zap patients with doses tens or hundreds of times stronger than intended. Even after a few deaths, the manufacturer was claiming that the software was implemented in such a way that it could not possibly fail. The complacent comments in the current story, where the manufacturer seems more concerned to re-assure their shareholders about their product than to ensure the safety of their patients, seems rather similar.
Start at http://en.wikipedia.org/wiki/Therac-25 and follow the links.
Otherwise diabetics would be dying when their mobile phone rings - and turns on its own powerful radio. Or when riding in a taxi. Or operating a cordless mouse. Or meeting another diabetic person, but I read somewhere that that is an actual problem with some appliance, you start wirelessly reading each other's blood sugar level instead of your own, and randomly giving each other insulin.
Evidently and presumably, -this- wireless device uses a digital communications encoding so that only messages digitally sent from or to its own partner control device are acted on. So interference doesn't cause a problem. But it isn't secure, and it could be interfered with deliberately.
However, he says "the techniques he developed are hard to execute in the real world" just now. You also probably have to get very close to your victim. But if more people get interested then it will catch on.
Unfortunately, it will likely take multiple deaths, wholly and legally attributed to their devices being maliciously hacked to force these companies to change.
How on earth would a medical person be able to tell the pump/device had been hacked in the first place? They are not techies, so the it is unlikely that they would be aware that this could happen, or know what to look for. And you can bet the industries lawyers know that.
Congressional investigation is just another euphimism for "please increase your campaign contributions or we will regulate you".
In other news:
Ford admits that terrorist mechanics could remove all the brake pads from your vehicle without needing to gain access to the cabin area. Ford owners are advised to remove all wheels and verify the existence of the brake pads before attempting to start the vehicle.
"Maybe "Ford denies FM radio can cause steering lock up" would be more appropriate?""
Or perhaps more accurately a weakish EM radio pulse say from a taxi base station or CB radio can cause cruise control to lock out on full throttle leading to drivers having to learn how to switch off the engine and coast to a stop or in once case, swerve into a tree and while saving the lives of the people in front of him ended up killing himself.
IIRC The lethal CC system was withdrawn/replaced in the US but is *still* sold in the UK - he rest of .eu is another matter - thier .gov prpbably wanted heavier brown envelopes.
I wonder if I was misunderstood? Let me put it more plainly.
Almost all of the time, when someone wants to murder you, they'll pick up some nearby heavy or sharp object and attempt to employ it. Cases where they'll devise a scheme involving the cunning exploitation of high technology are mostly limited to James Bond-type stuff.
More specifically, supplying the wrong level of insulin to most diabetics will cause them to feel ill, which will prompt them to check their blood sugar, which will tell them that the machine isn't working right. So, it's not a sure-fire method. You should probably stick with the nearby heavy object.
Speaking as a diabetic myself, I can tell you that it would only take a high level of insulin being injected to cause blood sugards to drop to dangerous levels.
This, in turn, manifests itself in a way that makes the diabetic appear to be drunk, rapidly followed by a diabetic coma, and potentially death if not treated rapidly.
Most diabetics whose blood sugars drop to these low levels are unaware, and frequently unable to do anything about it until it's too late to do so.
In a nutshell - this hack could kill, plain and simple.
Or more simply, next time your talking to your DSN or Consultant. Get them to bin anything with a Medtronic logo on it. If everyone drops them and makes it widely known through the NHS that there stuff can't be trusted than they will be forced through the market to respond. Sadly a slow way, but probably one of the best ways currently while they have there heads in the sand.
It's what I'm going to do when I see mine next month. I simply won't have anything made by Medtronic until the issue is fixed connected to me.
This post has been deleted by its author
The underlying issue here is that the manufacturer simply does not care. They have no interest in securing their systems, and their customers (in the form of private healthcare companies or national heath services or whatever) have no interest in demanding security from them.
This whole issue is rather independent of software philosophies, and even software at all.
These guys were caught out, publically named and shamed and they still don't care. Open or closed source firmware is irrelevant to that attitude.
...is closed, then it has not been audited. We know the FDA does not audit the code, they rely on the company to write a report that says "All OK, guv. Honest."
"These guys were caught out, publically named and shamed and they still don't care. Open or closed source firmware is irrelevant to that attitude."
It's very relevant because if the code were free (not just open) then another qualified person could patch the vulnerability. The company caring or not becomes redundant as you can be sure the patients and their doctors care.
And here we go, a bit later than originally planned admittedly
http://www.computerworld.com/s/article/9219650/Apache_patches_Web_server_DoS_vulnerability
So, has the insulin pump been patched? I somehow don't think so. One major step towards fixing a problem is admitting there is one in the first place. Free software tends to be much better at that than proprietary.
I am shocked by the companies attitude about this, medical devices should be as hevaly regulated as drugs when it comes to quality.
I don't know if any one rembers in the last few months some one from a surgical department in a hospital who takes care of the instruments used reported that about 50% of instruments where unsafe to use because they where produced incorrectly by hand in Pakistan and India forceps that had sharp edges that where intended for heart opperations, scalpels with badly ground edges he had a display of some common failues he found that should not have left the factory let alone nearly made it into the opperating room and would have if he didn't find them. And he called for more action in regards to regulation of such devices because they can cause so much harm.
In this case it's shocking not that it can be done, but the attituded the company seems to be takinging towards the safty of it's users because now that it's out in the open how long do you think it will be before some one trys this in the wild as it where? To much insulin will kill you or put you in a coma, to little can cause problems as well.
So, because you cannot protect yourself from every last threat in existence you should clearly not bother to protect yourself from any at all.
If I could make your house or car explode and kill you just by using a remote control, would you still drive the car and live in the house? After all, a would be murder could just break into your house and kill you with an axe!
"I don't know if any one rembers in the last few months some one from a surgical department in a hospital who takes care of the instruments used reported that about 50% of instruments where unsafe to use because they where produced incorrectly by hand in Pakistan and India forceps that had sharp edges that where intended for heart opperations, scalpels with badly ground edges he had a display of some common failues he found that should not have left the factory let alone nearly made it into the opperating room and would have if he didn't find them."
It looks like you have run out of full stops. Here. Take these: ......................................
Am I bothered? Nah. I'm regularly checking my blood glucose levels using an meter (which is not part of the pump) and are well aware of the physical symptoms in myself if I have too much or too little insulin.
Yes it should be addressed and resolved, but it is not an OMG the sky is falling issue. Upgrade the microcode and then as people replace their pumps (which they need to do every 4 years anyway) they get the fix.
This post has been deleted by its author
"The Medtronic spokeswoman didn't address Radcliffe's claims directly, but said the “risk of deliberate, malicious or unauthorized manipulation of our insulin pumps is extremely low.” Maybe, but it's telling that a diabetic hacker thinks otherwise."
Exactly how is this telling? And what do you think it is telling of?
The risk _IS_ extremely low. It is low to the point of being negligible. It is not anything that a typical user would even begin to worry about. Insulin dependant diabetics have a hundred more important things to worry about before this even enters their heads and a dozen different ways they can end up in hospital that are hundreds or thousands of times more likely than this supposed hack.
The story is that a hacker has managed to find a chink in one of the devices he owns and has used it for some self-promotion. The fact that it is an insulin pump is neither here nor there. I hope he gets a job out of it ... he clearly has some technical skills. But that's as far as it goes. Arguing that "oh but he's diabetic" is irrelevant to the point of being patronising.
(disclaimer: I'm type 1 diabetic, have worked on the development of wireless medical devices but have no direct or indirect connection with this manufacturer)
Medtronic were lazy and irresponsible and they simply do not care that they have exposed users of their products to risk.
That is what is the issue here. They just don't care, they don't care enough to design something well, they don't care enough to test it thoroughly, and they don't care enough to do anything about their mistake.
You may feel free to continue to do business with a medical device company that has no regards for your safety or wellbeing below the bare minimum required of them.
you are right, the risk of someone exploiting it is extremely low, but that's no excuse, the consequences could be fatal!
The lapse in security is bordering on negligence! Just because people aren't generally likely to want to tamper with them, doesn't mean they won't* and doesn't excuse it making it easy.
*some time ago, near me, a group of kids found someone drunk, passed out at a bus stop. They set him on fire "for a bit of a laugh". Imagine if they could get some cheap kit that would make anyone with an insulin pump, who walks near it, collapse and slip into a coma!
As industries start to build computers into their products and attach them to networks and radio transmitters they become vulnerable to all kind of new attacks they fail to understand.
It is "standard procedure" that the go through several phases before their products eventually become secure enough to operate reliably in the new networked environment.
The first phase is almost always: Denial.
This is where Medtronic is now.
Remember Microsoft, the CCTV industry, the burglar alarm people, SCADA, etc.?
It's probably true that, when most people kill, they do so in a pretty obvious way and often in the heat of the moment with an improvised weapon.
However, mild poisonings by jilted lovers or competing coworkers can't be all that uncommon, can they? All it would take is for your partner to think you were cheating for them to slightly up or lower your dose enough to cause you problems leaving the house, for example.
So I'm not convinced the danger here is out-and-out murder in a James Bond style by person's unknown. After all -- I bet most poisonings are more Ex-Lax in the milk than Polonium in the sushi...
'Why is everyone concentrating on murder by insulin/no insulin?'
Sure, there are many easier ways to bump someone off, but people are really fucking stupid, especially when they think they have a built in 'it was an hacker what killed him' defence.
Secondly, the assumption is that the intended crime is murder; but this works way better as blackmail: 'Dear Medtronic, £1 million in used fivers or your customers start dropping. Capeesh?'
"All it would take is for your partner to think you were cheating for them to slightly up or lower your dose enough to cause you problems leaving the house, for example."
That's not how insulin works. A slight decrease would have no short term effect. A slight increase would lead to hypoglycaemia which, depending on the subject, would mean obvious symptoms followed by a quick dose of glucose and an inspection of the pump, or falling into a coma. And if a malicious partner wanted to feck about with a diabetic's blood sugar then there are many other much simpler ways they could do it, from swapping fast- and slow-acting insulins to putting sugar instead of sweetener in a cup of coffee.
I'm sure people can dream up a hundred different ways this hack could be exploited that might make it into a CSI:Miami script, but nobody has yet come up with a realistic real world risk.
How come asshats like Medtronic can stay in business making these shabby products? Yet smaller companies can barely afford, E&O insurance, or are unable to get it at any price?
BTW, I am surprised that so many commenters seem not to care. Are you long Medtronic's stock? I'll admit the risk is very low. But you'll have to concede that the consequences are rather high. Consider the relative ease of addressing the problem, and this should be a non-decision for Medtronic (and for any regulatory body or insurance carrier if Medtronic can't be bothered).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
