Insulin Pump Hack Controversy Grows
Security researcher--and pump user--who found the flaw takes medical device manufacturer Medtronic to task for its response to the security vulnerability.
That was the report given by security researcher Jerome Radcliffe at a press conference on Thursday. Radcliffe, himself a diabetic, demonstrated the pump vulnerability earlier this month at the Black Hat conference in Las Vegas, by remotely disabling his own insulin pump live on stage. Executing the attack required less than 60 seconds, and would work from up to 100 feet away using Radcliffe's demonstration setup. But with some modifications, he said, an attack could be made to work from up to half a mile away.
More Security Insights
White PapersMore >>
At the time, Radcliffe declined to name the manufacturer or model of his pump, and obscured everything but the pump's LCD panel when demonstrating the attack. Following ethical disclosure guidelines, Radcliffe said he wanted to give the vendor time to address the flaws, which he exploited using a radio frequency transmitter and 10 lines of Perl code.
On Thursday, however, Radcliffe named names, saying that the vulnerable pumps are the Medtronic Paradigm 512, 522, 712, and 722. Radcliffe said that he'd been dismayed by the lack of "honest public discourse" on the part of Medtronic, which is the number-one seller of insulin pumps in the United States. For the first time, he also disclosed that the radio frequency transmitter that he'd used in the exploit was the Medtronic Minimed Comlink (model number MMT-7304NA) that shipped with his insulin pump, and which is available new, via eBay, for $20. Finally, Radcliffe said his attempts at helping Medtronic quickly identify the underlying issues, so that it could explore a fix, had failed due to its ignoring, obfuscating, or outright lying--in its press releases--about the vulnerability.
According to Radcliffe, things started off well. A Medtronic engineer who attended his presentation at Black Hat afterwards asked for a copy of the slides, as well as his contact information, which Radcliffe said he provided the next day. Three days later, however, having received no response, he emailed the engineer again, and received no response.
But the next day, Amanda Sheldon, director of public relations for the diabetes business unit of Medtronic, released a blog post. "Thanks to Medtronic's information security measures, we strongly believe it would be extremely difficult for a third-party to wirelessly tamper with your insulin pump," she said, in a section titled, "Why shouldn't I be concerned?" If someone did wirelessly adjust the dosage, according to the post, the pump would play a series of tones to alert the user that their bolus (dose) had changed.
Furthermore, she said, any such attack could be easily prevented by disabling the insulin pump's wireless capabilities. "After reviewing the research presented last week, we discovered that the researcher was only able to 'hack' his own pump using in-depth knowledge about the product, such as the serial number of both the insulin pump and remote device," said Sheldon. "He also TURNED ON the wireless feature and had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment."
Radcliffe, however, disputed those assertions. "This is probably the largest lie in the PR statement. The wireless ability that I'm exploiting can't be turned off, it is permanently turned on, and the only way to turn it off is to take the battery out of the device," he said. Furthermore, the device's six-digit serial number, which is required to exploit the pump in this type of attack, could be retrieved by writing a simple radio frequency scanning application. "It was very disappointing to me that they would publish this information without doing any fact-checking at all," said Radcliffe.
The Food and Drug Administration, which regulates medical devices, was not immediately available on Friday to respond to questions about whether Medtronic may have violated any existing regulations, if it released inaccurate statements about how its insulin pumps operate.
In the interest of "public safety," Radcliffe said he'd also approached Medtronic with the help of two intermediaries--U.S. CERT, as well as the Department of Homeland Security (DHS). He said that both organizations contacted Medtronic, with DHS emailing the CEO on August 10, then talking to the head of Medtronic public relations on August 12. Meanwhile, on August 15, two members of Congress wrote to the Government Accountability Office (GAO) and asked them to review the Federal Communication Commission's approach to regulating medical devices that use wireless technology, making explicit reference to Radcliffe's Black Hat demonstration.
Radcliffe said that on Wednesday, he provided Medtronic with an advance copy of all of the criticisms that he planned to voice during the Thursday press conference. In response, he said, Medtronic sent him back a statement that read in part, "our products incorporate encryption and other proprietary security measures." In addition, it said that "Medtronic has not been formally contacted by the Department of Homeland Security" but said that if it was contacted it "would of course comply with any requests that they may have."
"I was floored by this," said Radcliffe. "It's totally unacceptable and unethical to deny that you were contacted multiple times by CERT and Department of Homeland Security. It's also an irresponsible use of the word encryption. In today's world this means AES, RSA, or some other type of modern encryption. I can say with 110% certainty that there's no modern encryption used in the communication of these devices."
Asked to comment on Radcliffe's assertions, Medtronic's Sheldon said via email: "We are vigilant in reviewing the external security landscape, which is why we attended Jay Radcliffe's presentation at the Black Hat conference and have been analyzing his results. We are open to speaking with Mr. Radcliffe and others to better understand his findings and results." In addition, she reiterated that the company had not been "formally contacted" by DHS.
In response Medtronic's handling of this episode, Radcliffe said that as a customer, he's chosen to work with someone else. "The first thing I did was, I stopped doing business with them, and last week I ordered a new pump from a company called Animas, which is owned by Johnson & Johnson," he said.
But Radcliffe noted that owners of the vulnerable Medtronic insulin pumps face virtually no threat of attack, and that the benefit of using insulin pump technology far outweighs any risks. "Don't freak out, keep using your pump, continue doing your insulin therapy," he said. "The risk at this point is exceptionally low to individual users."
Join InformationWeek Healthcare for an on-demand virtual event on electronic health records. You can access presentations and content surrounding EHR selection, deployment, and use, all at your own convenience. Find out more.