

Hackers Can Kill Diabetics w/ Insulin Pumps? Facts vs. Fear Mongering - phsr
http://www.hanselman.com/blog/HackersCanKillDiabeticsWithInsulinPumpsFromAHalfMileAwayUmNoFactsVsJournalisticFearMongering.aspx

======
timmyd
As per the other post:

tl;dr

Scott's most relevant points:

1\. "This is a key fob that looks like a car alarm beeper that some pump users
use to discreetly give themselves insulin doses. However, I feel the need to
point out as a pump wearer myself that:

Not every Insulin Pump has a remote control feature. Not every remote-
controllable insulin pump has that feature turned on. Mine does not, for
example."

2\. "all he requires to perpetrate the hack is the target pump's serial
number. This is like saying "I can open your garage door with a 3rd party
garage door opener. Just give me the numbers off the side of your unit..."

3\. If you are a diabetic on a pump who is concerned about this kind of thing,
my suggestion is to turn off your pump's remote control feature (which is
likely off anyway) and turn off your sensor radio when you are not wearing
your CGM. Most of all, don't panic. Call the manufacturer and express your
concern. In my experience, pump manufacturers do not mess around with this
stuff. I'm not overly concerned.

\--

Also - someone asked how much entropy was in the serial IDs on these units?

Even if entropy is low - how are you going to randomly select a person,
and know their serial ID? Unless you know what units are distributed to what
hospitals/doctors - at exact times - at exact shipments and then from the
sample delivered know the exact unit given to any person at any particular
time.

Sure, if you know a "set of IDs" you could try each one sequentially until
you finally get a hit - but even then, you must somehow ensure the person
being targeted has remote connection turned on. I'm pretty sure walking up to
them and saying "oh, hai 'dere! ... plz turn on ur remotz connetz'n 4 me?" [
said in this voice - <http://www.youtube.com/watch?v=xh_9QhRzJEs> ] - is going
to make them pretty suspicious.

There's a lot of "ifs" in there and frankly - if your aim was to kill them - it
would be a lot faster to do it some other way because to actually get all
these things to line up perfectly .... your chances are pretty slim.

I'm a bit of a sceptic on this 'hacking' - not to say that it's great that it
has been uncovered - but you're dealing with minute hardware where every single
ms of processing power counts. Simple encryption should be utilized [but then
this might be easily hacked anyway?] but for units placed inside the body
[pacemakers and the like] - splitting the unit's resources between keeping the
patient alive vs. encryption for wireless protocols seems to weigh more
heavily on the former than the latter given how unlikely - for the majority of
the world - these 'attacks' are going to be.

~~~
palish
The "Just give me the numbers..." counter-argument isn't valid.

Right now, a hacker _can_ kill a specific person, within 30 days, given the
following assumptions:

    
    
      - that person is wearing an insulin pump with the
        remote control feature turned ON
    
      - the serial number is 32-bits or less
    
      - the attacker can test 5000 serial numbers per second
        for at least 8 hours per day, every day
    

So, given those assumptions, here's a scary scenario: Let's say a hacker wants
to kill you, and knows where you live. He builds a transmitter and plants it
next to your house, for example behind your air conditioner. The device is
configured to 1) detect when you're there, then 2) try to guess your serial
number every second you're within range, then 3) kill you.

If the attacker then retrieves the device (so it doesn't fall into the hands
of law enforcement), there would be absolutely no way to prove he killed you.

Obviously, this is an incredibly unlikely sequence of events. Nevertheless it
IS possible, which is very irresponsible of the medical industry.

~~~
ellyagg
I've never encountered a community as poor at cost/benefits analysis as
computer security. You see it every time when some new "irresponsible"
loophole is gleefully broadcast by some smug cracker. There are far, FAR more
economical and efficient ways of getting away with murder. I mean, several
orders of magnitude easier.

~~~
burgerbrain
Excuse me for being unrealistic, but I like to think that I should not be able
to kill someone with a GNU Radio setup and a cheap laptop.

I am not actually afraid that people are going to start doing this, however
such flaws and failures in security thinking are _systemic_. Bad security is
not limited to insulin pumps, but insulin pumps are a great way of getting the
public's attention and (hopefully) getting programmers to consider the impact
their laziness could have on the world.

~~~
mortenjorck
_I like to think that I should not be able to kill someone with a GNU Radio
setup and a cheap laptop._

If you want to kill someone, there are considerably cheaper options available
at your local big-box store's home and garden center.

Seriously, though, I do agree with your concern for systemic problems in
security thinking. Given the vastly more concentrated effort required, I don't
think it's a problem that one could theoretically kill with GNU Radio and a
laptop, versus any of the hundreds of tools more readily repurposed as a
murder weapon, but such exploits are best addressed while they are unfeasible.

------
hsmyers
As a diabetic (something few of the posters seem to be) I find this discussion
quite interesting if a little wrong in some of its assumptions. The first is
the idea that turning off the pump will cause the wearer to expire. In most
cases, not true. If you want to (and let's wave our magic wand and enable the
hack skipping the tech problems mentioned) kill your target, you are going
about it the wrong way. Don't turn off the supply---turn it up, way up. You
need to create an overdose based on the size of the individual and their
tolerance to insulin. Now without knowing the details of the pump industry,
I'd guess that there are built-in limiters concerning overdoses. This makes
the problem far more challenging, even if you know the individual in question.
How often do you discuss with your diabetic friends just how many units it
would take to kill them? At a guess, even if you know they are diabetic, this
is probably not part of normal conversation. There is also the assumption that
the wearer never checks his equipment. In the single photo in the article
above, I notice a screen crowded with information. Again jumping over the
problems listed both in the article and here, the hack would have to adjust
the display so as not to warn the victim. Given the inability to decipher the
signals transmitted, this seems a bit problematic at best. No, I think the
best method of attack is the one with a hammer---'Wow you wear a pump huh? Can
I see it (victim looks down to pull up shirt) villain applies Maxwell's hammer
as solution.'

~~~
_phred
I helped watch a friend's kid last weekend who has a remote-controlled insulin
pump. The remote control refuses to dose without a recent blood-sugar test.
Kid wants to eat, no you need to wait, we need to do a finger-prick test first
ON the remote so it knows your glucose level.

That, and the remote needs to establish an insulin baseline every few hours.

It's unclear whether the dose limiting is also hard-coded into the pump or is
on the remote side only.

It does seem like a "one in a billion" attack but, given time and repeated
access to the pump radio, it seems possible to say the least.

I assume that an adult diabetic is very aware of how glucose levels affect
their ability to function and would notice when they start to drop off
unexpectedly.

------
jmcarlin
The notion that you can kill a person with diabetes by hacking their insulin
pump is absurdly ridiculous. I can't think of an insulin pump that does not
have a setting to limit the maximum bolus. In addition, the setting typically
has a sane value and is enabled by default. Further, when a pump is set up with
a doctor/nurse practitioner, this value is set to a number that is tuned to the
person with diabetes. There is also feedback when the pump is delivering
insulin. I know this is the case with Animas and Medtronic pumps.

So even if someone got in range, had your serial number, knew the protocol and
attempted an insane dosage, the worst that would happen is someone didn't
notice the delivery feedback and hit the max bolus. While this would be a worst
case breach, it is not lethal. Within an hour, the victim will feel
hypoglycemic, check their blood glucose and correct it.

------
darklajid
I'd have liked a medical approach to this FUD.

Can anyone with more insight than me (medical background perhaps? Or
'experienced' diabetic, since I think this leads to a specific background just
as well) tell me what attack vector this could open?

I don't want to play this down, the argument just doesn't match with what I
(think to) know, so - please educate me.

Isn't the maximum dose limited by the pump? And the models I've seen seem to
take a long time to inject something (with a step motor, for these things).

What could you do to the 'victim'?

Suppressing the basal/ongoing rate would send them on a high level of blood
sugar, something that I'd expect leads to a very clear reaction: The person,
if ~experienced~, will feel nasty, check the pump (maybe the battery died and
you didn't hear the alarm. Maybe something with the injection needle went
wrong), measure glucose level again and - depending on the result - apply a
'fast' insulin via direct injection. Am I glossing over something here?

Injecting a large(r) amount of insulin would, with a delay that seems to be
related to the type of insulin used, send the person into dangerous low levels
of blood sugar. Unless this hits at once though, I'd again expect the person
to _know_ that there's something wrong if you start craving for every food you
can imagine. Probably you'll feel like shit and start shaking etc. pp. I
assume this is the more dangerous route, but again the first reaction is
probably 'Fuck diabetes, what's going on with my levels', a check of the
current sugar levels and direct counter measures (if it's not too bad: Juice,
fructose etc. Otherwise you probably have again an injection nearby).

After typing all this I DO wonder what happens if someone causes this in your
sleep though...

So - can someone tell me how wrong I am and tell me about the purely medical
dangers?

~~~
JshWright
Dropping an unexpected dose of insulin would be much more dangerous than
simply disabling the pump.

Disabling the pump would result in an increasing level of blood glucose over a
fairly long period of time (likely a day or two). I would be very surprised if
a 'victim' didn't notice the issue with their pump long before there were any
detectable side effects.

Dumping an unexpected shot of insulin into the victim's system would crash
their blood glucose over a fairly short period of time (an hour or two). One
of the first side effects of hypoglycemia is confusion, which would reduce
their chances of noticing something is wrong.

Long story short: I wouldn't worry about "DoS'sing" the pump, but I would
worry about triggering extra insulin "dosings".

My experience with insulin pumps is limited to dealing with patients who are
having some sort of blood glucose related emergency (as an EMT).

------
hugh3
I'm much less concerned about vulnerabilities which will allow people to kill
me than about vulnerabilities which will enable people to steal my data or
money.

There's far more people who want to steal my data or money than who want to
kill me, and if somebody _does_ want to kill me and can get within range of me
then there's several thousand other ways to do it.

~~~
pavel_lishin
You're assuming a mass harvesting in the theft instance, and someone with a
personal grudge against you in the second.

I wouldn't be worried about Mysterious Assassin out to kill Pavel Lishin,
Diabetic With A Pump. I'd be worried about Teenage Sociopath, war-driving past
a clinic.

~~~
ajross
It could happen. Teenage sociopaths exist. But they're very, very rare. You're
falling victim to the Columbine fallacy here. TV news makes a poor reference
for risk management.

But yes: if this exploit is easy, eventually some diabetic is going to be
murdered through it. Far more diabetics will kill themselves via poor diet
choices, however.

~~~
hugh3
And even the Columbine sociopaths were targeting people they knew, rather than
random strangers. Random murderers targeting random strangers are even rarer.

------
d0ne
The gentleman who wrote this post takes an approach I'm not comfortable
supporting: The signal and commands haven't been successfully reverse
engineered yet so this isn't a real threat.

A little bit about my background: 10+ years successfully (legally) reverse
engineering software technology that required both client software and packet
manipulation in industries that have been very proactive against it.

Seeing as the medical devices are hardware items issued to unique individual
recipients the issue could easily be fixed with a 1024+ Public Private Key-
Pair between the devices unique to each issuance.

However, this does nothing to protect the many millions of individuals, using
today's devices, potentially exposed to the threat described by Jay Radcliffe.
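
An added illustration, not part of the thread and not any vendor's firmware: a receiver that authenticates each command with a key unique to one remote/pump pairing instead of trusting a serial number. The comment above proposes a public/private key pair; this sketch swaps in an HMAC-SHA256 shared pairing secret (Python standard library only), and adds a replay counter and the max-bolus limit mentioned earlier in the thread. The frame layout and all names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

BODY_LEN, TAG_LEN = 12, 32  # hypothetical frame: 8-byte counter + 4-byte float, then MAC


def make_frame(key: bytes, counter: int, units: float) -> bytes:
    """Remote side: pack the command and append an HMAC over it."""
    body = struct.pack(">Qf", counter, units)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Pump:
    """Receiver side: accept a bolus only if MAC, counter and dose limit all pass."""

    def __init__(self, pairing_key: bytes, max_bolus_units: float):
        self.key = pairing_key
        self.max_bolus = max_bolus_units
        self.last_counter = 0

    def handle(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad MAC"
        counter, units = struct.unpack(">Qf", body)
        if counter <= self.last_counter:  # same or older frame seen before
            return "reject: replay"
        self.last_counter = counter
        if not 0 < units <= self.max_bolus:  # limit enforced on the pump itself
            return "reject: over limit"
        return f"accept: {units:.1f} units"


def demo() -> list:
    key = os.urandom(32)  # constructed per-pairing secret, set at issuance
    pump = Pump(key, max_bolus_units=10.0)
    good = make_frame(key, 1, 2.5)
    return [
        pump.handle(make_frame(os.urandom(32), 1, 2.5)),  # sender lacks the key
        pump.handle(good),                                # paired remote
        pump.handle(good),                                # same frame again
        pump.handle(make_frame(key, 2, 50.0)),            # authentic but too large
    ]


if __name__ == "__main__":
    print(demo())
```
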

~~~
bullsbarry
It's a little less severe than that. First the device has to support remote
management, then the device has to have remote management turned on, and
finally the attacker would have to have the device's serial number (which
seems to be used as a security mechanism) in order to successfully send the
device commands.

Also, if you don't like needles, don't watch the youtube video at the bottom
of the post :|

~~~
d0ne
This is assuming you only want to control the pump. If the individual is
unable to view any information on their monitor, or their monitor is
displaying improper data, it may cause other serious health issues in high
risk patients.

Not to mention that some devices may be controlled by the monitoring device
and it may require a constant stream of good data.

I agree that not all setups and individuals are at risk but some most likely
are.

------
lubutu
I'm unsure where I stand on this subject, but this excerpt from Jaron Lanier's
"You Are Not A Gadget" seems relevant:

"There are respectable academic conferences devoted to methods of violating
sanctities of all kinds. The only criterion is that researchers come up with
some way of using digital technology to harm innocent people who thought they
were safe. ...

"If the same researchers had done something similar without digital
technology, they would at the very least have lost their jobs. Suppose they
had spent a couple of years and significant funds figuring out how to rig a
washing machine to poison clothing in order to (hypothetically) kill a child
once dressed."

~~~
_delirium
Don't people get paid to look for security vulnerabilities in pretty much any
engineering field? There are people who work full-time on thinking up ways
that a terrorist could potentially rig a chemical plant to release deadly
gases, for example.

~~~
lubutu
I suppose there are, but I'm not so sure they have fancy open conferences
devoted to chemical plant terrorism.

Like I said, I don't know where I stand.

~~~
MiguelHudnandez
Would you feel more comfortable if a few smart people figured out the same
things and _didn't tell anyone about it_, but instead used it for profit or
to cause harm to innocent people?

------
Singletoned
To be honest, the facts are kind of boring, and the fear-mongering is kind of
dramatic.

I can definitely see how, if they didn't care about the abstract concept of
truth, people could prefer to pay attention to the fear-mongering.

~~~
_phred
You're right, it /would/ make for good TV drama: an evil nursing home wants to
kick some malingering diabetics off of their rolls in order to make space for
newer and more lucrative patients. The management cook up a scheme to hack the
patients' insulin pumps in order to kill people quietly in their sleep. Our
crack team of hackers is called to the murder scene when a potential victim's
relative notices them behaving strangely on a morning when they visit along
with an anomalously low blood sugar reading!

Yeah, it sounds a bit far-fetched even for TV.

------
shaggyfrog
This was the plotline of a 3rd season episode of Law & Order, "Virus".
<http://www.imdb.com/title/tt0629490/>

------
sabat
The Weekly World News once reported that a new, deadly computer virus could
make your computer explode. Seems sort of prophetic now, given the media
frenzy.
[http://books.google.com/books?id=9ewDAAAAMBAJ&pg=PA40...](http://books.google.com/books?id=9ewDAAAAMBAJ&pg=PA40&lpg=PA40&dq=weekly+world+news+computer+virus&source=bl&ots=2G50Gert-I&sig=zuxQYUAqCz_Lzs7q5qnxTvJapo8&hl=en&ei=kQA8TqKGNuriiAKqkKz0Cw&sa=X&oi=book_result&ct=result&resnum=4&ved=0CDAQ6AEwAw#v=onepage&q=weekly%20world%20news%20computer%20virus&f=false)

