Researchers Build App That Kills To Highlight Insulin Pump Exploit
from the remote-fatality dept
By now the half-baked security in most internet of things (IOT) devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your Gmail credentials and tea kettles that expose your home networks are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IOT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.
Case in point: just about two years ago, security researchers discovered some major vulnerabilities in Medtronic's popular MiniMed and MiniMed Paradigm insulin pumps. At a talk last year, they highlighted how a hacker could trigger the pumps to either withhold insulin doses, or deliver a lethal dose of insulin remotely. But while Medtronic and the FDA warned customers about the vulnerability and issued a recall over time, security researchers Billy Rios and Jonathan Butts found that initially, nobody was doing much to actually fix or replace the existing devices.
So Rios and Butts got creative in attempting to convey the scope and simplicity of the threat: they built an app that could use the pumps to kill a theoretical patient:
"We’ve essentially just created a universal remote for every one of these insulin pumps in the world," Rios says. "I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago."
To target a specific insulin pump, a hacker would need to know the proper serial number of the device they're targeting. But the app simplifies this process by quickly running through all potential serial numbers until it hits the correct one. The gambit seems to have worked: a week after the team demonstrated its proof of concept app to FDA officials in mid-June of this year, Medtronic announced a voluntary recall program. Years after Medtronic first learned about the flaws in these devices, there's now a structure in place that allows patients to use the devices if they want, and replace them for free if they don't.
That said, the researchers are still quick to point out that this kind of dysfunction (offering potentially fatally compromised products but having no avenue to correct them) is fairly common in the medical sector:
"...the climate for medical device vulnerability disclosures is still clearly fraught if researchers feel that they need to take extreme, and even potentially dangerous, steps like developing a killer app to spur action.
"If you think about it, we shouldn't be telling patients, 'hey, you know what, if you want to you could turn on this feature and get killed by a random person.' That makes no sense," QED Security Solutions' Rios says. "There should be some risk acceptance; this is a medical device. But an insecure feature like that just needs to be gone, and they had no mechanism to remove it."
And of course that's not just a problem in the medical sector, but most internet-connected tech sectors. As security researcher Bruce Schneier often points out, it's part of a cycle of dysfunction where the consumer and the manufacturer of a flawed product have already moved on to the next big purchase, often leaving compromised products, and users, in the lurch. And more often than not, when researchers are forced to get creative to highlight the importance of a particular flaw, the companies in question enjoy shooting the messenger.
Filed Under: insulin pump, iot, minimed, minimed paradigm, security
Companies: medtronic
Reader Comments
I wonder if there’s an app for that yet.
[ link to this | view in thread ]
Undisclosed Connectivity
Part 1 of the safety response has to be to disclose all remote connectivity to safety critical devices so it can be disabled.
My device does not need to talk to the internet, and should not talk over a radio to WiFi.
[ link to this | view in thread ]
Very patient-focused indeed...
Researchers: It is possible for someone to bypass the downright pathetic security on these devices to kill someone.
Company: Eh.
Researchers: ... Fine. Here's a program we threw together to prove that it's not a hypothetical, and is absolutely possible to kill using these devices. Also we showed it to the FDA.
Company: Oh very well, I suppose we'll tell people that they can turn the devices in if they want to...
[ link to this | view in thread ]
Re: Undisclosed Connectivity
Since I do engage medical folks in my IT role, I would like to point out that the doctors want some sort of connectivity to monitor and adjust such a device. They feel it is important to maintain appropriate levels, whatever that means.
[ link to this | view in thread ]
"I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago."
Because the cost of a recall was > than having to pay survivors.
How often have we seen companies claim that they had the latest in security but the super hackers still managed to hack them so we can't hold them responsible... then the hackers leak how they did it using 15 yr old flaws that should have been patched & the login was admin admin and still nothing happens.
See also: Absolute Sownage; Sony Motion Pictures hack (I mean 12345 and abcde??); Equifax
The punishment for doing nothing is less than the average copyright troll extorts from 1 victim, why bother to improve?
These poor poor corporations have a duty to their shareholders to keep the stock price high & cutting security spending so the execs can have a bonus is a proper thing to do.
Now not all hacks are as serious as this, but my FSM is the FDA so toothless that we have to actually create the thing that exploits the flaw before they can get a company to think maybe kinda sorta we could do something?
[ link to this | view in thread ]
Re: Very patient-focused indeed...
Researchers: ... Fine. Here's a program we threw together to prove that it's not a hypothetical, and is absolutely possible to kill using these devices. Also we showed it to the FDA.
Company: Oh, I guess we should ask the Feds to arrest everyone. And sue for slander. Easier than fixing things!
[ link to this | view in thread ]
New and Improved Markets
Just when the profit potential of ransomware has begun to wane, a new light shines, promising an even more coercive threat...pay or die.
[ link to this | view in thread ]
Re: Re: Undisclosed Connectivity
Inductive or near field connections would work, and require contact with the patient, or their device to make any adjustments. It is not like any ethical practitioner would want to adjust a remote device, they want the patient in front of them when they make any adjustments.
[ link to this | view in thread ]
My wife has used Medtronic insulin pumps for about 25 years. Every generation the quality gets worse. She is on her 4th 672g, which is the current state of the art. She has had 3 pumps fail under warranty - two were software issues IIRC. Also, they advertise them as waterproof but there are hundreds if not thousands of cases of people having the pumps fail immediately upon getting wet. They also just had a recall related to the buttons sticking due to air pressure changes in flight.
In short, the security issues just join a rather long list of problems with something that people rely on to stay alive.
[ link to this | view in thread ]
So, yes, Medtronic's response here is lame and they should feel bad.
BUT it's also true that pretty much anybody is in a position to kill pretty much anybody pretty much any time. I don't have to hack your insulin pump. I can ambush you with a baseball bat. Or I can poison your insulin. Or any number of other things.
So it gets kind of old to see this stuff hyped all the time.
[ link to this | view in thread ]
Why everything has to be connected to the internet is something I will never understand, apart from the utility of selling technology for its own sake to people who confuse technology with usefulness. Just because you CAN do something doesn't mean it's a good idea to do it. In this case, it's a perfect example of how to make a product worse (and even dangerous) by hyping technology that offers no real advantage.
[ link to this | view in thread ]
Re: Re: Re: Undisclosed Connectivity
Why is remote adjustment necessary? If it works at all, it will work and could be fine tuned as required by visiting the doctor's office. The remote connection is just one more way to make the device needlessly more expensive and collect lots of data to sell (probably to insurance companies so they have an excuse to raise rates based on the cost of ever more needlessly expensive devices.) If something goes wrong with a device, it's more likely to go wrong as complexity increases (never mind the potential for being hacked with connected devices).
[ link to this | view in thread ]
'You can't do that, that's OUR racket!'
Not a problem, the drug companies would come down on that hard, as they've got that particular market/tactic locked down already.
[ link to this | view in thread ]
Re:
'There are other ways to kill people so the fact that the security on medical devices is so pathetic that it would be trivial to create a program to kill someone nearly undetectably taking advantage of that terrible security isn't a big deal' does not a valid argument make.
It's possible to kill someone via a car, however that would not mean that if a car manufacturer installed a system where it was trivial to remotely do the equivalent of cutting the car's brakes it wouldn't be a serious issue worth attention.
[ link to this | view in thread ]
Re:
Wow, that makes it ok then. Nothing to see here folks, just more whining by those who dislike dying.
/s
[ link to this | view in thread ]
Re:
Snake oil salesmen have been pushing their bullshit for a long time, the internet provides them a new avenue for their crap.
[ link to this | view in thread ]
Re: Re:
Living is overrated.
/s
[ link to this | view in thread ]
Perhaps the reason they need to monitor the device is to have a warning and associated cya when their patient rations the medication due to the fact that they can not afford it.
[ link to this | view in thread ]
Re: New and Improved Markets
Now if the target was the executives instead of the marks ... er ... patients, then I see no problem with this.
[ link to this | view in thread ]
Re:
There is a difference between getting all personal and risking one's life and liberty while expurgating someone from the gene pool and running an app on your phone that remotely expires someone long before their due date.
[ link to this | view in thread ]
SOMEtimes connectivity is a good thing for patients
Those who say an insulin pump should only be adjustable at the doctor's office have (1) never had a pump, and (b) never had to choose between working (i.e., collecting a paycheck) and taking unpaid time off to see a doctor.
Or have never tried to get a doctor appointment, much less catch a bus crosstown, with neuropathy.
There are some very good reasons to allow remote monitoring of insulin dosages (and A1C levels), but at the very least there should be some sort of 2-factor authentication before a change can be made.
[ link to this | view in thread ]
I wonder why add wireless capabilities that go beyond a few millimeters from the device. Some sort of nfc thing. And while you aren't using it you could add some cover to block any unauthorized access. That's some basic security measure I'd think. It would still need other solid security layers that aren't in the equipment mentioned but this alone would already prevent a lot of problems.
[ link to this | view in thread ]
Re: SOMEtimes connectivity is a good thing for patients
It should not accept remote input. At the very best from a device at close proximity. Anything connected may be breached at some point because there are many points of possible failure. Ie: MITM attacks.
[ link to this | view in thread ]