Researchers Build App That Kills To Highlight Insulin Pump Exploit

from the remote-fatality dept

By now the half-baked security in most internet of things (IoT) devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your Gmail credentials and tea kettles that expose your home network are entertaining in their own way, it’s easy to lose sight of the fact that the same half-assed security in the IoT space also exists in most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

Case in point: just about two years ago, security researchers discovered some major vulnerabilities in Medtronic’s popular MiniMed and MiniMed Paradigm insulin pumps. At a Black Hat talk last year, they showed how an attacker could remotely trigger the pumps to either withhold insulin doses or deliver a lethal dose. But while Medtronic and the FDA warned customers about the vulnerability (a recall would only come later), security researchers Billy Rios and Jonathan Butts found that initially nobody was doing much to actually fix or replace the devices already in patients’ hands.

So Rios and Butts got creative in attempting to convey the scope and simplicity of the threat: they built an app that could use the pumps to kill a hypothetical patient:

“We’ve essentially just created a universal remote for every one of these insulin pumps in the world,” Rios says. “I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago.”

To target a specific insulin pump, an attacker needs to know the serial number of the device they’re targeting; that serial number is effectively the only thing gating commands to the pump. But the app simplifies this by quickly running through every possible serial number until it hits the correct one. The gambit seems to have worked: a week after the team demonstrated its proof-of-concept app to FDA officials in mid-June of this year, Medtronic announced a voluntary recall program. Years after Medtronic first learned about the flaws in these devices, there’s now a structure in place that lets patients keep using the devices if they want, and replace them for free if they don’t.
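To make the serial-number point concrete, here is an added toy model (this is not the researchers’ app and not Medtronic’s actual radio protocol, and the 6-digit serial format, the command format and the key size are all assumptions for illustration). It puts a pump that acts on any command carrying the right serial next to one that also demands an HMAC under a per-device pairing key and a strictly increasing counter. Against the first, an attacker who knows only the serial format just counts upward until a dose is accepted; against the second, knowing the serial buys nothing and a captured legitimate command can’t be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption for illustration: serials are 6-digit decimal numbers. The real
# serial format and the real radio protocol are not described on this page.
SERIAL_SPACE = 10**6


@dataclass
class WeakPump:
    """Model of the design the article describes: any message carrying the
    right serial number is acted on. The serial is the only 'credential'."""
    serial: int
    delivered: float = 0.0

    def handle(self, serial: int, units: float) -> bool:
        if serial != self.serial:
            return False          # wrong pump, message ignored
        self.delivered += units   # no proof the sender is authorised
        return True


def enumerate_serial(pump: WeakPump, units: float) -> Tuple[Optional[int], int]:
    """Attacker who knows only the serial format: send the same dosing
    command under every possible serial until one is accepted.
    Returns (serial found, number of attempts)."""
    for attempt, guess in enumerate(range(SERIAL_SPACE), start=1):
        if pump.handle(guess, units):
            return guess, attempt
    return None, SERIAL_SPACE


def command_tag(key: bytes, serial: int, counter: int, units: float) -> bytes:
    """MAC over everything the pump will act on (hypothetical wire format)."""
    msg = f"{serial}|{counter}|{units:.3f}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class HardenedPump:
    """Same device, but a command must carry an HMAC under a per-device key
    shared only with the paired controller, plus a strictly increasing
    counter so a captured command cannot be replayed."""
    serial: int
    key: bytes
    last_counter: int = 0
    delivered: float = 0.0

    def handle(self, serial: int, counter: int, units: float, tag: bytes) -> bool:
        if serial != self.serial:
            return False
        if counter <= self.last_counter:
            return False          # replay or out-of-order: reject
        expected = command_tag(self.key, serial, counter, units)
        if not hmac.compare_digest(expected, tag):
            return False          # forged or tampered command
        self.last_counter = counter
        self.delivered += units
        return True


def forge_commands(pump: HardenedPump, units: float, attempts: int) -> int:
    """Attacker who knows the serial (it is not secret) but not the key:
    random tags are rejected. Returns how many were accepted (expect 0)."""
    accepted = 0
    for counter in range(1, attempts + 1):
        if pump.handle(pump.serial, counter, units, secrets.token_bytes(32)):
            accepted += 1
    return accepted


def demo() -> dict:
    weak = WeakPump(serial=123456)
    found, tries = enumerate_serial(weak, units=10.0)

    key = secrets.token_bytes(32)          # assumed: provisioned at pairing
    hard = HardenedPump(serial=123456, key=key)
    forged = forge_commands(hard, units=10.0, attempts=1000)
    # The paired controller can still dose, and its message cannot be replayed.
    tag = command_tag(key, 123456, 2001, 2.5)
    first = hard.handle(123456, 2001, 2.5, tag)
    replay = hard.handle(123456, 2001, 2.5, tag)
    return {
        "weak_found": found, "weak_tries": tries, "weak_delivered": weak.delivered,
        "forged_accepted": forged, "legit_ok": first, "replay_ok": replay,
        "hard_delivered": hard.delivered,
    }


if __name__ == "__main__":
    print(demo())
```

The enumeration against the weak model succeeds after roughly a hundred thousand guesses, which is the whole point: a serial number is an identifier, not a secret, and anything that treats it as the only check on a dosing command is one loop away from the “universal remote” Rios describes. The hardened model is deliberately minimal (a real design would also need pairing, key storage and a fail-safe for a lost controller), but it shows the two properties that were missing: the sender has to prove possession of a key, and each command is usable once.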

That said, the researchers are still quick to point out that this kind of dysfunction (shipping potentially fatally compromised products with no avenue to correct them) is fairly common in the medical sector:

“…the climate for medical device vulnerability disclosures is still clearly fraught if researchers feel that they need to take extreme, and even potentially dangerous, steps like developing a killer app to spur action.

“If you think about it, we shouldn’t be telling patients, ‘hey, you know what, if you want to you could turn on this feature and get killed by a random person.’ That makes no sense,” QED Security Solutions’ Rios says. “There should be some risk acceptance; this is a medical device. But an insecure feature like that just needs to be gone, and they had no mechanism to remove it.”

And of course that’s not just a problem in the medical sector, but in most internet-connected tech sectors. As security researcher Bruce Schneier often points out, it’s part of a cycle of dysfunction where both the consumer and the manufacturer of a flawed product have already moved on to the next big purchase, often leaving compromised products, and their users, in the lurch. And more often than not, when researchers are forced to get creative to highlight the importance of a particular flaw, the companies in question enjoy shooting the messenger.

Companies: medtronic


Comments on “Researchers Build App That Kills To Highlight Insulin Pump Exploit”

Anonymous Coward says:

Re: Re: Undisclosed Connectivity

Inductive or near field connections would work, and require contact with the patient, or their device to make any adjustments. It is not like any ethical practitioner would want to adjust a remote device, they want the patient in front of them when they make any adjustments.

bobob says:

Re: Re: Re: Undisclosed Connectivity

Why is remote adjustment necessary? If it works at all, it will work and could be fine tuned as required by visiting the doctor’s office. The remote connection is just one more way to make the device needlessly more expensive and collect lots of data to sell (probably to insurance companies so they have an excuse to raise rates based on the cost of ever more needlessly expensive devices.) If something goes wrong with a device, it’s more likely to go wrong as complexity increases (nevermind the potential for being hacked with connected devices).

That One Guy (profile) says:

Very patient-focused indeed...

Researchers: It is possible for someone to bypass the downright pathetic security on these devices to kill someone.

Company: Eh.

Researchers: … Fine. Here’s a program we threw together to prove that it’s not a hypothetical, and is absolutely possible to kill using these devices. Also we showed it to the FDA.

Company: Oh very well, I suppose we’ll tell people that they can turn the devices in if they want to…

That Anonymous Coward (profile) says:

"I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago."

Because the cost of a recall was greater than having to pay survivors.

How often have we seen companies claim that they had the latest in security but the super hackers still managed to hack them so we can’t hold them responsible… then the hackers leak how they did it using 15-year-old flaws that should have been patched & the login was admin/admin, and still nothing happens.

See also: Absolute Sownage; Sony Motion Pictures hack (I mean 12345 and abcde??); Equifax

The punishment for doing nothing is less than the average copyright troll extorts from 1 victim, why bother to improve?
These poor poor corporations have a duty to their shareholders to keep the stock price high & cutting security spending so the execs can have a bonus is a proper thing to do.

Now not all hacks are as serious as this, but my FSM is the FDA so toothless that we have to actually create the thing that exploits the flaw before they can get a company to think maybe kinda sorta we could do something?

Chris ODonnell (profile) says:

My wife has used Medtronic insulin pumps for about 25 years. Every generation the quality gets worse. She is on her 4th 672g, which is the current state of the art. She has had 3 pumps fail under warranty – two were software issues IIRC. Also, they advertise them as waterproof but there are hundreds if not thousands of cases of people having the pumps fail immediately upon getting wet. They also just had a recall related to the buttons sticking due to air pressure changes in flight.

In short, the security issues just join a rather long list of problems with something that people rely on to stay alive.

Sok Puppette (profile) says:

So, yes, Medtronic’s response here is lame and they should feel bad.

BUT it’s also true that pretty much anybody is in a position to kill pretty much anybody pretty much any time. I don’t have to hack your insulin pump. I can ambush you with a baseball bat. Or I can poison your insulin. Or any number of other things.

So it gets kind of old to see this stuff hyped all the time.

That One Guy (profile) says:

Re: Re:

‘There are other ways to kill people, so the fact that the security on medical devices is so pathetic that it would be trivial to create a program to kill someone nearly undetectably by taking advantage of that terrible security isn’t a big deal’ does not a valid argument make.

It’s possible to kill someone via a car; however, that would not mean that if a car manufacturer installed a system where it was trivial to remotely do the equivalent of cutting the car’s brakes, it wouldn’t be a serious issue worth attention.

bobob says:

Why everything has to be connected to the internet is something I will never understand, apart from the utility of selling technology for its own sake to people who confuse technology with usefulness. Just because you CAN do something doesn’t mean it’s a good idea to do it. In this case, it’s a perfect example of how to make a product worse (and even dangerous) by hyping technology that offers no real advantage.

Burning woodchipper (profile) says:

SOMEtimes connectivity is a good thing for patients

Those who say an insulin pump should only be adjustable at the doctor’s office have (1) never had a pump, and (2) never had to choose between working (i.e., collecting a paycheck) and taking unpaid time off to see a doctor.

Or have never tried to get a doctor appointment, much less catch a bus crosstown, with neuropathy.

There are some very good reasons to allow remote monitoring of insulin dosages (and A1C levels), but at the very least there should be some sort of 2-factor authentication before a change can be made.

Ninja (profile) says:

I wonder why add wireless capabilities that go beyond a few millimeters from the device. Some sort of NFC thing. And while you aren’t using it you could add some cover to block any unauthorized access. That’s some basic security measure, I’d think. It would still need other solid security layers that aren’t in the equipment mentioned, but this alone would already prevent a lot of problems.
