Vulnerabilities / Threats
8/26/2011
11:19 AM

Insulin Pump Hack Controversy Grows

Security researcher--and pump user--who found the flaw takes medical device manufacturer Medtronic to task for its response to the security vulnerability.

At least four models of insulin pumps sold by Medtronic are vulnerable to being wirelessly hacked. In particular, an attacker could remotely disable the pumps or manipulate every setting, including the insulin dosage that's automatically delivered--every three minutes--to the user.

That was the report given by security researcher Jerome Radcliffe at a press conference on Thursday. Radcliffe, himself a diabetic, demonstrated the pump vulnerability earlier this month at the Black Hat conference in Las Vegas, by remotely disabling his own insulin pump live on stage. Executing the attack required less than 60 seconds, and would work from up to 100 feet away using Radcliffe's demonstration setup. But with some modifications, he said, an attack could be made to work from up to half a mile away.

At the time, Radcliffe declined to name the manufacturer or model of his pump, and obscured everything but the pump's LCD panel when demonstrating the attack. Following ethical disclosure guidelines, Radcliffe said he wanted to give the vendor time to address the flaws, which he exploited using a radio frequency transmitter and 10 lines of Perl code.

On Thursday, however, Radcliffe named names, saying that the vulnerable pumps are the Medtronic Paradigm 512, 522, 712, and 722. Radcliffe said that he'd been dismayed by the lack of "honest public discourse" on the part of Medtronic, which is the number-one seller of insulin pumps in the United States. For the first time, he also disclosed that the radio frequency transmitter that he'd used in the exploit was the Medtronic Minimed Comlink (model number MMT-7304NA) that shipped with his insulin pump, and which is available new, via eBay, for $20. Finally, Radcliffe said his attempts at helping Medtronic quickly identify the underlying issues, so that it could explore a fix, had failed due to its ignoring, obfuscating, or outright lying--in its press releases--about the vulnerability.

According to Radcliffe, things started off well. A Medtronic engineer who attended his presentation at Black Hat afterwards asked for a copy of the slides, as well as his contact information, which Radcliffe said he provided the next day. Three days later, however, having received no response, he emailed the engineer again, and received no response.

But the next day, Amanda Sheldon, director of public relations for the diabetes business unit of Medtronic, released a blog post. "Thanks to Medtronic's information security measures, we strongly believe it would be extremely difficult for a third-party to wirelessly tamper with your insulin pump," she said, in a section titled, "Why shouldn't I be concerned?" If someone did wirelessly adjust the dosage, according to the post, the pump would play a series of tones to alert the user that their bolus (dose) had changed.

Furthermore, she said, any such attack could be easily prevented by disabling the insulin pump's wireless capabilities. "After reviewing the research presented last week, we discovered that the researcher was only able to 'hack' his own pump using in-depth knowledge about the product, such as the serial number of both the insulin pump and remote device," said Sheldon. "He also TURNED ON the wireless feature and had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment."

Radcliffe, however, disputed those assertions. "This is probably the largest lie in the PR statement. The wireless ability that I'm exploiting can't be turned off, it is permanently turned on, and the only way to turn it off is to take the battery out of the device," he said. Furthermore, the device's six-digit serial number, which is required to exploit the pump in this type of attack, could be retrieved by writing a simple radio frequency scanning application. "It was very disappointing to me that they would publish this information without doing any fact-checking at all," said Radcliffe.

The Food and Drug Administration, which regulates medical devices, was not immediately available on Friday to respond to questions about whether Medtronic may have violated any existing regulations, if it released inaccurate statements about how its insulin pumps operate.

In the interest of "public safety," Radcliffe said he'd also approached Medtronic with the help of two intermediaries--U.S. CERT, as well as the Department of Homeland Security (DHS). He said that both organizations contacted Medtronic, with DHS emailing the CEO on August 10, then talking to the head of Medtronic public relations on August 12. Meanwhile, on August 15, two members of Congress wrote to the Government Accountability Office (GAO) and asked it to review the Federal Communications Commission's approach to regulating medical devices that use wireless technology, making explicit reference to Radcliffe's Black Hat demonstration.

Radcliffe said that on Wednesday, he provided Medtronic with an advance copy of all of the criticisms that he planned to voice during the Thursday press conference. In response, he said, Medtronic sent him back a statement that read in part, "our products incorporate encryption and other proprietary security measures." In addition, it said that "Medtronic has not been formally contacted by the Department of Homeland Security" but said that if it was contacted it "would of course comply with any requests that they may have."

"I was floored by this," said Radcliffe. "It's totally unacceptable and unethical to deny that you were contacted multiple times by CERT and Department of Homeland Security. It's also an irresponsible use of the word encryption. In today's world this means AES, RSA, or some other type of modern encryption. I can say with 110% certainty that there's no modern encryption used in the communication of these devices."

Asked to comment on Radcliffe's assertions, Medtronic's Sheldon said via email: "We are vigilant in reviewing the external security landscape, which is why we attended Jay Radcliffe's presentation at the Black Hat conference and have been analyzing his results. We are open to speaking with Mr. Radcliffe and others to better understand his findings and results." In addition, she reiterated that the company had not been "formally contacted" by DHS.

In response to Medtronic's handling of this episode, Radcliffe said that as a customer, he's chosen to work with someone else. "The first thing I did was, I stopped doing business with them, and last week I ordered a new pump from a company called Animas, which is owned by Johnson & Johnson," he said.

But Radcliffe noted that owners of the vulnerable Medtronic insulin pumps face virtually no threat of attack, and that the benefit of using insulin pump technology far outweighs any risks. "Don't freak out, keep using your pump, continue doing your insulin therapy," he said. "The risk at this point is exceptionally low to individual users."
