Researchers Build App That Kills To Highlight Insulin Pump Exploit

from the remote-fatality dept

By now the half-baked security in most internet of things (IOT) devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your gmail credentials and tea kettles that expose your home networks are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IOT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

Case in point: just about two years ago, security researchers discovered some major vulnerabilities in Medtronic's popular MiniMed and MiniMed Paradigm insulin pumps. At a talk last year, they highlighted how a hacker could trigger the pumps to either withhold insulin doses or deliver a lethal dose of insulin remotely. But while Medtronic and the FDA warned customers about the vulnerability and, over time, issued a recall, security researchers Billy Rios and Jonathan Butts found that initially nobody was doing much to actually fix or replace the existing devices.

So Rios and Butts got creative in attempting to convey the scope and simplicity of the threat: they built an app that could use the pumps to kill a theoretical patient:

"We’ve essentially just created a universal remote for every one of these insulin pumps in the world," Rios says. "I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago."

To target a specific insulin pump, a hacker would need to know the proper serial number of the device they're targeting. But the app simplifies this process by quickly running through all potential serial numbers until it hits the correct one. The gambit seems to have worked: a week after the team demonstrated its proof of concept app to FDA officials in mid-June of this year, Medtronic announced a voluntary recall program. Years after Medtronic first learned about the flaws in these devices, there's now a structure in place that allows patients to use the devices if they want, and replace them for free if they don't.

That said, the researchers are still quick to point out that this kind of dysfunction (offering potentially fatally compromised products but having no avenue to correct them) is fairly common in the medical sector:

"...the climate for medical device vulnerability disclosures is still clearly fraught if researchers feel that they need to take extreme, and even potentially dangerous, steps like developing a killer app to spur action.

"If you think about it, we shouldn't be telling patients, 'hey, you know what, if you want to you could turn on this feature and get killed by a random person.' That makes no sense," QED Security Solutions' Rios says. "There should be some risk acceptance; this is a medical device. But an insecure feature like that just needs to be gone, and they had no mechanism to remove it."

And of course that's not just a problem in the medical sector, but in most internet-connected tech sectors. As security researcher Bruce Schneier often points out, it's part of a cycle of dysfunction where the consumer and the manufacturer of a flawed product have already moved on to the next big purchase, often leaving compromised products, and their users, in the lurch. And more often than not, when researchers are forced to get creative to highlight the importance of a particular flaw, the companies in question enjoy shooting the messenger.

Filed Under: insulin pump, iot, minimed, minimed paradigm, security
Companies: medtronic


Reader Comments



  • Stephen T. Stone (profile), 19 Jul 2019 @ 4:04pm

    the companies in question enjoy shooting the messenger

    I wonder if there’s an app for that yet.

  • Christenson, 19 Jul 2019 @ 4:47pm

    Undisclosed Connectivity

    Part 1 of the safety response has to be to disclose all remote connectivity to safety critical devices so it can be disabled.

    My device does not need to talk to the internet, and should not talk over a radio to WiFi.

    • Gary (profile), 19 Jul 2019 @ 5:40pm

      Re: Undisclosed Connectivity

      Since I do engage medical folks in my IT role, I would like to point out that the doctors want some sort of connectivity to monitor and adjust such a device. They feel it is important to maintain appropriate levels, whatever that means.

      • Anonymous Coward, 20 Jul 2019 @ 4:17am

        Re: Re: Undisclosed Connectivity

        Inductive or near field connections would work, and require contact with the patient, or their device to make any adjustments. It is not like any ethical practitioner would want to adjust a remote device, they want the patient in front of them when they make any adjustments.

        • bobob, 20 Jul 2019 @ 2:00pm

          Re: Re: Re: Undisclosed Connectivity

          Why is remote adjustment necessary? If it works at all, it will work and could be fine tuned as required by visiting the doctor's office. The remote connection is just one more way to make the device needlessly more expensive and collect lots of data to sell (probably to insurance companies so they have an excuse to raise rates based on the cost of ever more needlessly expensive devices.) If something goes wrong with a device, it's more likely to go wrong as complexity increases (nevermind the potential for being hacked with connected devices).

  • That One Guy (profile), 19 Jul 2019 @ 5:27pm

    Very patient-focused indeed...

    Researchers: It is possible for someone to bypass the downright pathetic security on these devices to kill someone.

    Company: Eh.

    Researchers: ... Fine. Here's a program we threw together to prove that it's not a hypothetical, and is absolutely possible to kill using these devices. Also we showed it to the FDA.

    Company: Oh very well, I suppose we'll tell people that they can turn the devices in if they want to...

    • Gary (profile), 19 Jul 2019 @ 9:13pm

      Re: Very patient-focused indeed...

      Researchers: ... Fine. Here's a program we threw together to prove that it's not a hypothetical, and is absolutely possible to kill using these devices. Also we showed it to the FDA.

      Company: Oh, I guess we should ask the Feds to arrest everyone. And sue for slander. Easier than fixing things!

  • That Anonymous Coward (profile), 19 Jul 2019 @ 7:25pm

    "I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago."

    Because the cost of a recall was > than having to pay survivors.

    How often have we seen companies claim that they had the latest in security but the super hackers still managed to hack them so we can't hold them responsible... then the hackers leak how they did it using 15 yr old flaws that should have been patched & the login was admin admin and still nothing happens.

    See also: Absolute Sownage; Sony Motion Pictures hack (I mean 12345 and abcde??); Equifax

    The punishment for doing nothing is less than the average copyright troll extorts from 1 victim, why bother to improve?
    These poor poor corporations have a duty to their shareholders to keep the stock price high & cutting security spending so the execs can have a bonus is a proper thing to do.

    Now not all hacks are as serious as this, but my FSM is the FDA so toothless that we have to actually create the thing that exploits the flaw before they can get a company to think maybe kinda sorta we could do something?

  • Anonymous Coward, 20 Jul 2019 @ 1:39am

    New and Improved Markets

    Just when the profit potential of ransomware has begun to wane, a new light shines, promising an even more coercive threat...pay or die.

    • That One Guy (profile), 20 Jul 2019 @ 7:26pm

      'You can't do that, that's OUR racket!'

      Not a problem, the drug companies would come down on that hard, as they've got that particular market/tactic locked down already.

    • Annonymouse, 22 Jul 2019 @ 9:48am

      Re: New and Improved Markets

      Now if the target was the executives instead of the marks ... er ... patients, then I see no problem with this.

  • Chris ODonnell (profile), 20 Jul 2019 @ 6:53am

    My wife has used Medtronic insulin pumps for about 25 years. Every generation the quality gets worse. She is on her 4th 672g, which is the current state of the art. She has had 3 pumps fail under warranty - two were software issues IIRC. Also, they advertise them as waterproof but there are hundreds if not thousands of cases of people having the pumps fail immediately upon getting wet. They also just had a recall related to the buttons sticking due to air pressure changes in flight.

    In short, the security issues just join a rather long list of problems with something that people rely on to stay alive.

  • Sok Puppette, 20 Jul 2019 @ 7:15am

    So, yes, Medtronic's response here is lame and they should feel bad.

    BUT it's also true that pretty much anybody is in a position to kill pretty much anybody pretty much any time. I don't have to hack your insulin pump. I can ambush you with a baseball bat. Or I can poison your insulin. Or any number of other things.

    So it gets kind of old to see this stuff hyped all the time.

    • That One Guy (profile), 20 Jul 2019 @ 7:32pm

      Re:

      'There are other ways to kill people, so the fact that the security on medical devices is so pathetic that it would be trivial to create a program to kill someone nearly undetectably by taking advantage of that terrible security isn't a big deal' does not a valid argument make.

      It's possible to kill someone via a car, however that would not mean that if a car manufacturer installed a system where it was trivial to remotely do the equivalent of cutting the car's brakes it wouldn't be a serious issue worth attention.

    • Anonymous Coward, 21 Jul 2019 @ 7:07am

      Re:

      Wow, that makes it ok then. Nothing to see here folks, just more whining by those who dislike dying.
      /s

    • Annonymouse, 22 Jul 2019 @ 9:53am

      Re:

      There is a difference between getting all personal and risking one's life and liberty while expurgating someone from the gene pool, and running an app on your phone that remotely expires someone long before their due date.

  • bobob, 20 Jul 2019 @ 10:26am

    Why everything has to be connected to the internet is something I will never understand, apart from the utility of selling technology for its own sake to people who confuse technology with usefulness. Just because you CAN do something doesn't mean it's a good idea to do it. In this case, it's a perfect example of how to make a product worse (and even dangerous) by hyping technology that offers no real advantage.

    • Anonymous Coward, 21 Jul 2019 @ 7:08am

      Re:

      Snake oil salesmen have been pushing their bullshit for a long time, the internet provides them a new avenue for their crap.

  • Anonymous Coward, 22 Jul 2019 @ 9:29am

    Perhaps the reason they need to monitor the device is to have a warning and associated cya when their patient rations the medication due to the fact that they can not afford it.

  • Burning woodchipper, 22 Jul 2019 @ 10:04am

    SOMEtimes connectivity is a good thing for patients

    Those who say an insulin pump should only be adjustable at the doctor's office have (1) never had a pump, and (b) never had to choose between working (i.e., collecting a paycheck) and taking unpaid time off to see a doctor.

    Or have never tried to get a doctor appointment, much less catch a bus crosstown, with neuropathy.

    There are some very good reasons to allow remote monitoring of insulin dosages (and A1C levels), but at the very least there should be some sort of 2-factor authentication before a change can be made.

    • Ninja (profile), 22 Jul 2019 @ 11:36am

      Re: SOMEtimes connectivity is a good thing for patients

      It should not accept remote input. At the very best, from a device in close proximity. Anything connected may be breached at some point because there are many points of possible failure, e.g. MITM attacks.

  • Ninja (profile), 22 Jul 2019 @ 11:34am

    I wonder why they add wireless capabilities that go beyond a few millimeters from the device. Some sort of NFC thing. And while you aren't using it you could add some cover to block any unauthorized access. That's some basic security measure, I'd think. It would still need other solid security layers that aren't in the equipment mentioned, but this alone would already prevent a lot of problems.
