Insulin Pump Hack Controversy Grows

Security researcher--and pump user--who found the flaw takes medical device manufacturer Medtronic to task for its response to the security vulnerability.

At least four models of insulin pumps sold by Medtronic are vulnerable to being wirelessly hacked. In particular, an attacker could remotely disable the pumps or manipulate every setting, including the insulin dosage that's automatically delivered--every three minutes--to the user.

That was the report given by security researcher Jerome Radcliffe at a press conference on Thursday. Radcliffe, himself a diabetic, demonstrated the pump vulnerability earlier this month at the Black Hat conference in Las Vegas, by remotely disabling his own insulin pump live on stage. Executing the attack required less than 60 seconds, and would work from up to 100 feet away using Radcliffe's demonstration setup. But with some modifications, he said, an attack could be made to work from up to half a mile away.

At the time, Radcliffe declined to name the manufacturer or model of his pump, and obscured everything but the pump's LCD panel when demonstrating the attack. Following ethical disclosure guidelines, Radcliffe said he wanted to give the vendor time to address the flaws, which he exploited using a radio frequency transmitter and 10 lines of Perl code.

On Thursday, however, Radcliffe named names, saying that the vulnerable pumps are the Medtronic Paradigm 512, 522, 712, and 722. Radcliffe said that he'd been dismayed by the lack of "honest public discourse" on the part of Medtronic, which is the number-one seller of insulin pumps in the United States. For the first time, he also disclosed that the radio frequency transmitter that he'd used in the exploit was the Medtronic Minimed Comlink (model number MMT-7304NA) that shipped with his insulin pump, and which is available new, via eBay, for $20. Finally, Radcliffe said his attempts at helping Medtronic quickly identify the underlying issues, so that it could explore a fix, had failed due to its ignoring, obfuscating, or outright lying--in its press releases--about the vulnerability.

According to Radcliffe, things started off well. A Medtronic engineer who attended his presentation at Black Hat afterwards asked for a copy of the slides, as well as his contact information, which Radcliffe said he provided the next day. Three days later, however, having received no response, he emailed the engineer again, and received no response.

But the next day, Amanda Sheldon, director of public relations for the diabetes business unit of Medtronic, released a blog post. "Thanks to Medtronic's information security measures, we strongly believe it would be extremely difficult for a third-party to wirelessly tamper with your insulin pump," she said, in a section titled, "Why shouldn't I be concerned?" If someone did wirelessly adjust the dosage, according to the post, the pump would play a series of tones to alert the user that their bolus (dose) had changed.

Furthermore, she said, any such attack could be easily prevented by disabling the insulin pump's wireless capabilities. "After reviewing the research presented last week, we discovered that the researcher was only able to 'hack' his own pump using in-depth knowledge about the product, such as the serial number of both the insulin pump and remote device," said Sheldon. "He also TURNED ON the wireless feature and had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment."

Radcliffe, however, disputed those assertions. "This is probably the largest lie in the PR statement. The wireless ability that I'm exploiting can't be turned off, it is permanently turned on, and the only way to turn it off is to take the battery out of the device," he said. Furthermore, the device's six-digit serial number, which is required to exploit the pump in this type of attack, could be retrieved by writing a simple radio frequency scanning application. "It was very disappointing to me that they would publish this information without doing any fact-checking at all," said Radcliffe.

The Food and Drug Administration, which regulates medical devices, was not immediately available on Friday to respond to questions about whether Medtronic may have violated any existing regulations, if it released inaccurate statements about how its insulin pumps operate.

In the interest of "public safety," Radcliffe said he'd also approached Medtronic with the help of two intermediaries--U.S. CERT, as well as the Department of Homeland Security (DHS). He said that both organizations contacted Medtronic, with DHS emailing the CEO on August 10, then talking to the head of Medtronic public relations on August 12. Meanwhile, on August 15, two members of Congress wrote to the Government Accountability Office (GAO) and asked them to review the Federal Communication Commission's approach to regulating medical devices that use wireless technology, making explicit reference to Radcliffe's Black Hat demonstration.

Radcliffe said that on Wednesday, he provided Medtronic with an advance copy of all of the criticisms that he planned to voice during the Thursday press conference. In response, he said, Medtronic sent him back a statement that read in part, "our products incorporate encryption and other proprietary security measures." In addition, it said that "Medtronic has not been formally contacted by the Department of Homeland Security" but said that if it was contacted it "would of course comply with any requests that they may have."

"I was floored by this," said Radcliffe. "It's totally unacceptable and unethical to deny that you were contacted multiple times by CERT and Department of Homeland Security. It's also an irresponsible use of the word encryption. In today's world this means AES, RSA, or some other type of modern encryption. I can say with 110% certainty that there's no modern encryption used in the communication of these devices."
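The exchange above turns on two claims: that an attacker needs "in-depth knowledge" such as the pump's serial number, and that the products "incorporate encryption." The following is an added example, not code from the article, from Radcliffe, or from Medtronic, and it does not model the Paradigm radio protocol. It contrasts a receiver that keys on a device serial number (an identifier that, per Radcliffe, can be observed over the air) with a receiver that requires a message authentication tag under a shared secret key plus a strictly increasing counter. Every function name, message field, command code and the key-provisioning assumption is constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed illustration, not Medtronic's protocol: message layout, field
# names, command codes and key handling are assumptions made for this example.

COMMANDS = {"SET_BASAL": 1, "BOLUS": 2, "SUSPEND": 3}


def encode_payload(serial: str, counter: int, command: str, units_x100: int) -> bytes:
    """Fixed-layout bytes the tag covers: which pump, which message, what, how much."""
    return (serial.encode("ascii") + struct.pack(">Q", counter)
            + struct.pack(">B", COMMANDS[command]) + struct.pack(">I", units_x100))


def make_command(key: bytes, serial: str, counter: int, command: str, units_x100: int) -> dict:
    """Controller side: build a command and tag it with HMAC-SHA256 under the shared key."""
    tag = hmac.new(key, encode_payload(serial, counter, command, units_x100), hashlib.sha256).digest()
    return {"serial": serial, "counter": counter, "command": command,
            "units_x100": units_x100, "tag": tag}


def serial_only_accept(msg: dict, pump_serial: str) -> bool:
    """Model of a receiver that checks only the device identifier.
    A serial number is an identifier, not a secret: any sender that has
    learned it satisfies this check with no further knowledge."""
    return msg["serial"] == pump_serial


class AuthenticatedPump:
    """Pump side: accept a command only if (a) it is addressed to this pump,
    (b) its counter exceeds every previously accepted one (replay protection),
    and (c) its tag verifies under the key shared with the controller."""

    def __init__(self, key: bytes, serial: str):
        self.key = key
        self.serial = serial
        self.last_counter = -1

    def accept(self, msg: dict) -> bool:
        if msg["serial"] != self.serial:
            return False
        if msg["counter"] <= self.last_counter:
            return False  # replayed or stale command
        expected = hmac.new(
            self.key,
            encode_payload(msg["serial"], msg["counter"], msg["command"], msg["units_x100"]),
            hashlib.sha256,
        ).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # tag made without the key, or fields altered after tagging
        self.last_counter = msg["counter"]
        return True


def run_demo() -> dict:
    """Exercise both receivers against a legitimate, a forged, a tampered and a replayed command."""
    serial = "123456"      # constructed six-digit serial
    key = os.urandom(32)   # assumed provisioned out of band to pump and controller only
    pump = AuthenticatedPump(key, serial)

    legit = make_command(key, serial, counter=1, command="BOLUS", units_x100=150)
    # Sender that learned the serial but not the key: tags with a guessed key.
    forged = make_command(b"\x00" * 32, serial, counter=2, command="BOLUS", units_x100=9000)
    # Validly tagged command whose dose field was changed after tagging.
    tampered = dict(make_command(key, serial, counter=3, command="BOLUS", units_x100=150))
    tampered["units_x100"] = 9000

    return {
        "serial_only_accepts_forgery": serial_only_accept(forged, serial),
        "auth_accepts_legit": pump.accept(legit),
        "auth_rejects_forgery": not pump.accept(forged),
        "auth_rejects_tampered": not pump.accept(tampered),
        "auth_rejects_replay": not pump.accept(legit),  # same valid message sent again
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The design choice worth noting is that the tag covers the serial, the counter and the dose together, so a sender cannot lift a tag from one observed message and attach it to a different dose, and the counter check means a captured valid message cannot simply be rebroadcast. Knowing the serial alone gets a sender past the first receiver and no further with the second.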

Asked to comment on Radcliffe's assertions, Medtronic's Sheldon said via email: "We are vigilant in reviewing the external security landscape, which is why we attended Jay Radcliffe's presentation at the Black Hat conference and have been analyzing his results. We are open to speaking with Mr. Radcliffe and others to better understand his findings and results." In addition, she reiterated that the company had not been "formally contacted" by DHS.

In response to Medtronic's handling of this episode, Radcliffe said that as a customer, he's chosen to work with someone else. "The first thing I did was, I stopped doing business with them, and last week I ordered a new pump from a company called Animas, which is owned by Johnson & Johnson," he said.

But Radcliffe noted that owners of the vulnerable Medtronic insulin pumps face virtually no threat of attack, and that the benefit of using insulin pump technology far outweighs any risks. "Don't freak out, keep using your pump, continue doing your insulin therapy," he said. "The risk at this point is exceptionally low to individual users."
