

Black Hat hacker details lethal wireless attack on insulin pumps - mrsebastian
http://www.extremetech.com/extreme/92054-black-hat-hacker-details-wireless-attack-on-insulin-pumps

======
hasslblad
The parent article is doing its round on the internet at the moment. It's
linkbait.

Scott Hanselman has a better rational breakdown of the article -
[http://www.hanselman.com/blog/HackersCanKillDiabeticsWithIns...](http://www.hanselman.com/blog/HackersCanKillDiabeticsWithInsulinPumpsFromAHalfMileAwayUmNoFactsVsJournalisticFearMongering.aspx)

~~~
peterb
Thanks for the clarification. I hate it when I fall for this stuff.

~~~
timmyd
Tl;dr

Scott's most relevant points:

1\. "This is a key fob that looks like a car alarm beeper that some pump users
use to discreetly give themselves insulin doses. However, I feel the need to
point out as a pump wearer myself that:

Not every Insulin Pump has a remote control feature. Not every remote-
controllable insulin pump has that feature turned on. Mine does not, for
example."

2\. "all he requires to perpetrate the hack is the target pump's serial
number. This is like saying "I can open your garage door with a 3rd party
garage door opener. Just give me the numbers off the side of your unit..."

3\. If you are a diabetic on a pump who is concerned about this kind of thing,
my suggestion is to turn off your pump's remote control feature (which is
likely off anyway) and turn off your sensor radio when you are not wearing
your CGM. Most of all, don't panic. Call the manufacturer and express your
concern. In my experience, pump manufacturers do not mess around with this
stuff. I'm not overly concerned.

~~~
burgerbrain
_"2. "all he requires to perpetrate the hack is the target pump's serial
number."_

Do we know how much entropy is in those? They could very well be sequential or
date derived.

~~~
timmyd
"Do we know how much entropy is in those? They could very well be sequential
or date derived."

Even if entropy is low - how are you going to randomly select a person,
and know their serial ID ? Unless you know what units are distributed to what
hospitals/doctors - at exact times - at exact shipments and then from the
sample delivered know the exact unit given to any person at any particular
time.

Sure, if you know a "set of IDs" you could try each one sequentially until
you finally get a hit - but even then, you must somehow ensure the person
being targeted has remote connection turned on. I'm pretty sure walking up to
them and saying "oh, hai 'dere! ... plz turn on ur remotz connetz'n 4 me?" [
said in this voice - <http://www.youtube.com/watch?v=xh_9QhRzJEs> ] - is going
to make them pretty suspicious.

There's a lot of "ifs" in there and frankly - if your aim was to kill them - it
would be a lot faster to do it some other way because to actually get all
these things to line up perfectly .... your chances are pretty slim.

~~~
burgerbrain
_"how are you going to randomly select a person, and know their serial ID ? "_

You are missing the point, if the entropy is sufficiently low then _it is
feasible to guess_.

Besides, presumably if you want to kill a particular person, you might know a
bit about them.

Anyway, the point with _low_ entropy serial numbers is that _potentially_ it could be
feasible to just create a device that runs through all of them in a matter of
a couple of minutes or so. For example, you could check google news to get a
guesstimate of approximately when perhaps a high profile politician had one of
these installed. If this is a friend or family member then that step just gets
even easier. If part of the serial number is a year/month combo (a common way
to do it) and the rest is sequential, then it will be pretty easy to figure
out. Are there easier ways? Sure, I imagine so. A hands off wireless approach
certainly is appealing though isn't it? Probably worth at least trying before
you move on to more hands on techniques.

 _"it would be a lot faster to do it some other way "_

If you are taking the time to plan out a homicide, which is going to be more
important: doing it fast, or doing it so you don't get caught?

~~~
timmyd
"You are missing the point, if the entropy is sufficiently low then it is
feasible to guess."

not really - if entropy is low in a lot of things - it's feasible to implement
a disaster scenario. wireless systems across lots of things are not encrypted
and so the same logic applies.

"you might know a bit about them"

well, you really 'would' have to know 'a lot' about them if these devices had
high entropy. which - if a person was indeed killed by this method - an
autopsy would show either a spike or lapse in delivery of insulin. such a
lapse would immediately lead to an investigation as to why the unit did not
respond ?

evidentiary burden then progresses.

i'm not disagreeing with you in the seriousness of the discovery - i just
think that these devices live in a nano-constrained world. implementing
increased data encryption increases cost, power usage and the like - it's a
difficult balance. now this has world attention - even 'basic' encryption is
really useless since even it could be hammered.

so do you implement serious encryption - but in doing so - reduce the utility
of the device so that it lacks the means to do what it is designed to do ?
deliver insulin.

On the basis of a huge number of "if's" involved. i'm not convinced.

~~~
burgerbrain
_"well, you really 'would' have to know 'a lot' about them if these devices
had high entropy."_

That is why I'm asking what kind of entropy the serial numbers have.....

 _"which - if a person was indeed killed by this method - an autopsy would
show either a spike or lapse in delivery of insulin. such a lapse would
immediately lead to an investigation as to why the unit did not respond ?"_

I'm confused how that is related to the entropy of the serial numbers.

------
hermannj314
Let's say you find out how to make planes safer. You can cut fatalities in
half or something. And let's say doing that will drive up the cost of air
travel by $100/ticket. Well, you did a good job and saved X lives, but you
ended up killing X+k people that stopped flying planes and started driving
cars. So you did a good thing, you made planes safer and then you ended up
killing people. It would be great if somehow every time planes got safer we
made cars more expensive, but I don't know how that would work.

Anyway, for some reason I thought about that reading this article and I
figured how tremendously interesting risk-management must be in the medical
device industry for the same types of reasons.

------
peterb
Incredible. As a minimum I would have expected all communication to be
encrypted.

~~~
beaumartinez
But how secure would that be? It's security through obscurity.

> _Ultimately, these wireless control devices must simply be built with the
> assumption that hackers will eventually break in._
>
> _In the case of the insulin pump, it should contain hardware-level sanity
> checking._

~~~
StavrosK
Encryption is security through obscurity? Seriously?

~~~
millerc
Yes. Tell me the algorithm you use and the bits from your decryption key, and
we can decrypt everything.

By the same token, the lock on your door is security by obscurity. Tell me the
type of lock and the position of the 5 pins, and you're in. Take 5 seconds to
communicate that over the phone, if you know what you're talking about.

~~~
burgerbrain
The phrase _"security through obscurity"_ is a term of art that is defined
such that secrecy of private key material does not count. _By definition_ ,
you are incorrect.

Now, if your security relies upon the attacker not knowing your encryption
_scheme_ , then yes. That is security through obscurity.

------
StavrosK
How is this a black hat hacker if all he did was expose the vulnerability,
rather than exploit it?

~~~
omh
"Black Hat" refers to the security conference, currently happening in Vegas.

~~~
jhamburger
Seems odd to call him a "black hat hacker" just for being at the conference.
He could very well just attend all of the security-related conferences. The
headline implies to me that he plans to use this exploit nefariously.

~~~
StavrosK
Ah, the conference is called "Black Hat". They mean "a hacker who was
attending Black Hat".

------
shabble
I've managed to hard-crash a generic infusion pump via its "output only,
entirely isolated and secure" serial connection.

Not wireless, and at least the Oh God I'm Broken buzzer worked, but still.

------
DougWebb
Can someone tell me why these devices have a range of more than just a few
feet? The point of having a remote control is to avoid having a control cable
poking through your skin. A control interface with a range of just a few
inches would suffice.

~~~
nate_meurer
There's no good way to reliably limit the range of a wireless signal like
this. A sufficiently sensitive receiver will always be able to eavesdrop from
a distance far greater than that in the design use-case. If we don't want the
signal intercepted, the answer is stronger encryption.

That said, any potential vulnerability here appears to mostly spring from the
remote control functionality, more than the remote reporting functionality.
Here again, encryption is the answer.

------
tomjen3
Fortunately it is very difficult to pull off an attack with a medical device
since you need to know the exact make and model and then find a way to exploit
it.

~~~
Hoff
Which then implies issues with replication and scale and consistency.

That many of the devices are different, with different UIs, different
firmware, different sets of cryptic icons and different and obscure buttons.

Unfortunately, some of the underlying bugs can be common, due to code re-use;
the same RT operating system might be used, for instance. Which means that the
vendors might not even immediately know what's vulnerable to what.

"Fortunate" is not the word I'd use for the mess that is the medical device
industry.

------
ams6110
If a person is intent on killing another, I don't think encrypted wireless for
his insulin pump is going to stand in the way.

~~~
tintin
Well, if the only proof is a 'broken' pump...

------
jivejones
Why would anyone try to figure something like this out? I don't think any real
hackers are going around trying to figure out how to kill people, they want
money or something else of value (not to say a life doesn't have value).

Why as a community are we allowing things like this to happen, even worse,
publicizing them and acting like it's 733t and impressive. If something like
this happened at anything other than the 'Black hat' security conference this
wouldn't be alright.

~~~
daeken
People figure these things out because it's fun. Simple as that. It's the same
motivation behind me hacking the various bits of hardware sitting around me,
including a number of health-related devices. It's simple curiosity, and
sometimes that leads down a path of "well, if I could do this, what could a
malicious actor do?" Sometimes that answer isn't a good one.

