
Insulin Pumps, Decapped Chips and Software Defined Radios - colinprince
https://blog.usejournal.com/insulin-pumps-decapped-chips-and-software-defined-radios-1be50f121d05
======
zaroth
This is the story of Hacking the Omnipod, worthy of the front page of Wired.

What an amazing story, and with so many incredible details along the way.

The proprietary technique for reading contents of the locked chip is pretty
fascinating in the context of Secure Enclave...

The reverse engineering efforts were stymied for months by a bug in Omnipod’s
CRC calculation!

The perseverance in bringing this all to fruition is one of the best things
I’ve woken up to on HN in a long while.

Both my kids have T1D and use Omnipods. I’ve been looking forward to this for
years.

EDIT: Is it just me, or is a bad title significantly holding back this post?
This story is worth way more than 23 points in 5 hours.

~~~
GiorgioG
Have you looked @ Tandem's upcoming (2nd half of this year) ControlIQ for
their X2 pump? It probably won't be as user-tweakable as OpenAPS. I couldn't
convince myself to try OpenAPS for my 7 year old T1D. He recently switched to
a Tandem pump and we are eagerly awaiting this software update.

~~~
beached_whale
This is more Loop. Does OpenAPS work with RileyLink and Omnipod now?

------
joshstrange
My boyfriend is T1D and uses Omnipods so this is exciting news. He has also
used a Dexcom (G6 I think) to monitor glucose levels. Unfortunately the
Dexcoms are a bit pricy and so he can't always afford them. I have talked to
him about Nightscout and closed loops or even semi-closed loops and while he
is interested I haven't pursued it heavily because he isn't as technically
inclined (or interested) as I am. If I were a T1D I would be using some form of a
closed loop system but I worry too much about bugs or problems he might run
into that he wouldn't be able to solve or diagnose quickly.

While Nightscout is pretty mature and the pumps/monitors they've cracked are
fairly reliable I think he will probably just wait for some of the closed loop
systems that are starting to enter the market (or are they still just semi-
closed, or maybe they call them hybrid, I can't remember). Even then I'm sure
it will be a few years yet until they are affordable enough.

~~~
Guest42
If he is on Android I'd recommend xDrip+ for the CGM readings. It is really
nice to have on the phone with control over the data and ability to upload if
he wants. Also great to be able to snooze and set the alarms as desired.

~~~
Guest42
Similar program Spike for iOS

------
Odenwaelder
I'd be interested how they test a Class C medical device that can kill you if
you send the wrong commands. It surely is an amazing story and a great write-
up, but I'd be wary of hacking insulin pumps, let alone using them.

~~~
zaroth
You can read about the “We Are Not Waiting” movement and the ethical
considerations of doing this research, writing the software, and documenting
and even to an extent productizing the software for mass consumption.

It is not a zero sum game. Not having this control over the pump can also kill
you, because the systems that were available before this movement got started
were so poor.

When the hacker community started putting together remote monitoring systems
for the CGMs that allowed, e.g. parents to watch their kids at school, or
through the night from the next room, that improved quality of life and maybe
even saved lives.

Hackers have already tapped into the Medtronic pump to build the world’s first
closed loop system. The OmniPod is just another pump in line to be reverse
engineered.

If you saw first hand the quality of software being put out by Dexcom and
Insulet, this work is serving as an important check & balance as well as pushing
them to invest in R&D versus sitting back and milking their patents.

It’s also worth noting that the pod has important hardware safeguards that
mitigate the impact of a software error on the remote control side. You can’t
just send a message asking for 100 units of insulin because the hardware won’t
dose it. You can also hear (and somewhat feel) each 0.05 unit of insulin being
delivered as a _click_ about once every 1.5 seconds.

And again I’ll reiterate that it’s not a zero sum game. The software and UI is
so bad on the Insulet/Omnipod side that it’s easy to screw up a basal program,
or when applying a temp basal on top of an extended bolus, or when changing a
pod while an extended bolus is active. All these events can result in low
blood sugar events that are potentially dangerous.

Efforts like Nightscout have actually saved lives and while they are not
without risk (what thing worth doing is?), the T1D world has been measurably
improved because of their efforts.

Finally I’ll say that the reverse engineering effort already uncovered one
significant bug in the protocol that we know of. They didn’t delve into the
details of the “nonce” but I’m willing to bet that imaging the chip was not
actually necessary and that the “encryption” is some homebrew POS which is
highly insecure. We deserve to know the protocol which is protecting the
communication between the pod and the controller, for example is there a
secure DH key exchange happening when a new pod is paired and initialized? Can
a third-party controller potentially spoof commands to my kids’ pods? OmniPod
would never disclose how this works, so I’m supposed to just _trust_ them.

~~~
arafa
I know folks that work on Nightscout and I agree with everything in this post.
I find them to be very thoughtful and circumspect about the work (the
contributors often have T1D or family with T1D). Besides that, a closed loop
system (which as yet is only partially implemented or is still somewhat
inconsistent) is a holy grail for a lot of these folks.

Most of them are already well acquainted with manually managing insulin and
the existing products and can handle any mishaps for the most part.

~~~
gh02t
I don't really understand in detail how insulin pumps work, so I want to ask
why are there not commercial closed-loop systems available? It seems like an
obvious development that pump makers should have implemented a long time ago.
Is there a complication that makes it harder than it sounds, or is it
something like regulatory concerns or just plain laziness?

~~~
GiorgioG
Few competitors, no reason to innovate. And they're charging $8-12,000 for a
new pump setup. That was our experience 5 years ago with Medtronic. Not a
single update in 4 years with our son's 530g pump. With his new pump (from
Tandem) we're expecting a pretty big software patch/upgrade later this year.
Beta Bionics is working on their artificial pancreas (dual hormone) that
should be out next year. So newer/more-nimble players are forcing the bigger
companies to start innovating. Having said that, it never comes soon enough ;)

~~~
ZucchiniZe
I got a chance to try out the Beta Bionics artificial pancreas in a research
trial and it is a truly new innovation in this field, it lifted about 90% of
the constant thinking about bolus and blood sugar from me and allowed me to
live my life. It truly deserves all the hype that it is getting.

~~~
GiorgioG
Wow that's great to hear! Was it insulin-only or did it also have glucagon
onboard? I know they're working towards releasing the insulin-only version
first. I can't wait for the dual-hormone version to become available. It'll
allow my wife and I to sleep through the night without worrying that our son
won't wake up when he drops too low.

------
cflat
For those who aren't initiated in the world of T1D there is some amazing
research coming out of the Faustman lab (MGH). There is both a promising cure
(BCG vaccine), but also research which indicates that islet cells _do_
regenerate for decades after diagnoses. Islet cells are the part of the
pancreas that generates insulin - needed to store/save sugar. That means, that
the pancreas is constantly trying to repair the damage from the immune system.

Let that sink in.

Many diabetics suffer from 'random' lows or highs that can't be explained. Not
because they aren't doing the right things - because they are - but more
likely because their body is bringing islet cells online, producing _extra_
insulin, then the immune system promptly kills them and knocks off the extra
production. It's a war within the body!

This is why Loop is sooo amazing and needed. You need a closed loop system
that monitors and calibrates to these kinds of bio and environmental changes.
Unexpected sprint for two blocks to get to class in time? no problem.
Unexpected insulin production in the blood stream? no problem. This project is
truly hero work.

As a spouse to a T1D, life is sometimes scary. I, like many partners, always
have a backup plan in the back of our minds for that fateful day when an
extreme low will not be caught in time. It's scary.

I for one, look forward to life with a bionic partner.

~~~
beached_whale
I've been five years from a cure for a lot of years. The research on islet
cells and cures is like watching the development of fusion power.

~~~
cflat
Totally agree. To be clear, I wasn’t trying to overhype the ‘cure’ but rather
emphasize that the problem is way more complicated than many believe because
of the islet regeneration. That’s why I’m a believer in the tech we have now
because it’s the most viable path to long term management.

~~~
beached_whale
I'll get my hopes up when something is released. For now it's Loop and some
other things. One trend that I don't like is fully automatic without a way to
do manual override of all things. The variation between people and needs and
even the same person is too great and hasn't been codified. Loop with Omnipod
is somewhat on this side currently, but it is still new too.

------
cflat
I wonder what would be necessary to spin up a device lab for proper TDD for
the Loop?

This is such an amazing story of classical "hacking". This is what makes
technology fun.

------
looperhacks
My girlfriend has a Medtronic 640g pump and I still hope that one day, she can
use it to close the loop. I looked into the wireless communication (which can
read the current glucose levels and send boluses), but apparently the protocol
is encrypted. I would like to work at the protocol, but decrypting a wireless
protocol seems too hard for me. But I still hope that some day, the Medtronic
pumps will be hacked, too.

------
Lowkeyloki
Hats off to the author! This is an incredible story and you're made of
stronger stuff than I. I'd be too afraid of the consequences of screwing up to
attempt something like this.

------
CamperBob2
Gotta believe that at some point it's easier, as well as safer, to just design
a new "open pod" from scratch. This was a truly heroic reverse-engineering
effort, and the people behind it are more than equal to the task of designing
a new product. (Or at least they'd _better_ be.)

The company can and will invalidate all of this hard work with the click of a
mouse button. What's the long-term goal here?

------
loocsinus
Too much insulin pumped into human body can literally kill a person. I don't
think it is safe for a hobbyist to hack a medical device like this.

~~~
ron0c
Too much of anything is bad, that is the definition of 'too much'.

~~~
GiorgioG
A single extra unit (or less) of insulin can kill a type 1 diabetic. I don't
expect non-diabetics to understand what that means, but it's not more than a
few drops of insulin.

~~~
Adirael
What ISF does your kid have that a single unit will kill him/her? A single
unit is barely noticeable on the graph for me.

I've been using Loop for a few weeks now and the improvements in quality of
life are so huge that any concerns I had about safety went away. Reading the
docs, which are a great example on how documentation should be written, helped
a lot with that too.

~~~
ineedasername
The typical level of sensitivity is absolutely in range for a single unit to
produce a catastrophic event.

It sounds like you may have a low sensitivity factor. The usual starting point
for estimating this, along with using the "1800 rule", puts typical
sensitivity around a drop of 50 points in blood sugar for every unit of
insulin. This is based on a weight around 65-70 kilos and 0.5 units/day/kilo.

Of course it depends on other details too, even time of day. (My wife, who
uses a Medtronic pump, clocks in at right about this level but is less
sensitive in mornings and more so later on. Her pump is programmed for these
time-dependent sensitivity fluctuations.)

This level of sensitivity absolutely has lethal potential with a single-unit
swing. If you're in the low end of normal at 75 points and take another unit
dropping it to 25, this is plenty low to cause a person to pass out and
thereby be unable to take corrective action, with lethal consequences,
especially if the pump is still delivering a basal dose inching levels even
lower.

You might argue that careful people shouldn't encounter this situation, and
you'd be right. But it still can and does happen, meaning a hobbyist setup
that gets something even a little bit wrong has that same potential.

