When the insulin pump hacking story first broke two weeks ago, we viewed it mostly as a publicity stunt. But it’s had some interesting repercussions. Notably, two congressmen have stepped up and requested that the Government Accountability Office (GAO) review the Federal Communications Commission’s approach to medical devices with wireless capabilities to ensure that the devices are “safe, reliable, and secure.” Well, that seems like good news…
The hullabaloo was enough for instigator Jay Radcliffe, computer security expert and type 1 PWD, to hold a follow-up webinar last Thursday. Below is a synopsis of Allison’s notes from that event:
* As of last Thursday, the manufacturer of the pump Jay hacked into has been revealed to be Medtronic Minimed.
* His reasoning and motivation for doing the hack? Jay claims he was inspired by the story of two men hacking into a city parking meter in San Francisco a few years ago. The city was forced to re-evaluate security measures for the meters. Jay apparently “had the same thing in mind” when he hacked into his own insulin pump. He says he wanted to help the companies by showing their “security vulnerabilities.”
* Reactions to Jay’s original presentation have run the gamut, but the most telling to Jay so far was that from Medtronic itself. The company largely dismissed the notion of any potential risks. That’s why Jay decided to go public with the manufacturer’s name, he says. “Blowing me off is not an ethical response.”
The upshot of this is that he seems to be in a bit of a pissing match with the company — or at least a “he says, she says” situation in which the truth probably lies somewhere in between:
* Jay explains: “The Electronic Frontier Foundation and I worked a lot on this issue. Quite often in the security community we will raise an issue without contacting a vendor. Companies that are not current with security issues often will try and litigate to prevent research from coming to light. It’s easy to bury legitimate research from an individual in a mountain of legal paperwork. The answer to that is ethical disclosure… Usually the company is appreciative of this gesture, and fixes the problem without having public scrutiny or pressure to rush things. Some do not.”
* Jay picked apart Medtronic’s reaction, point by point:
Medtronic says: “information security of devices… is an integral part of the very fabric of our product design processes.”
Jay says: “this clearly isn’t the case,” as he found in his hacking there was “no authentication or encryption used” and that he publicly showed in Vegas that there are vulnerabilities.
Medtronic says: “Thanks to (our) information security measures, we strongly believe it would be extremely difficult for a third-party to wirelessly tamper with your insulin pump.”
Jay says: “There are no security measures. Needing to know the serial number of the device is not security.” He claims it would be fairly easy for any hacker to devise what the six-digit serial number is for an insulin pump. (We’re not sure how…?)
Medtronic says: “To our knowledge, there has never been a single reported incident of wireless tampering outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”
Jay says: “Until now.” Obviously, that’s just because no one has ever thought to hack into an insulin pump. But just because no one has ever thought of doing it yet doesn’t mean no one ever will. (Guess we’d have to agree there: crossing your fingers isn’t much of a security measure.)
Medtronic says: “He … TURNED ON the wireless feature and had access to specialized equipment … you can remove any uncertainty by turning OFF the wireless communication on your device.”
Jay says: “this is flat out not true” and that the wireless ability of an insulin pump cannot be turned off. This is why he was able to change any setting or configuration on his device. In addition, he has qualms with the label “specialized equipment,” saying he used his Carelink USB device. Although he did NOT give step-by-step instructions on how he used this equipment, Jay did perform the entire hack on stage in Las Vegas in what he says was “about a minute.”
Jay also claims that he worked with the Department of Homeland Security to contact Medtronic’s CEO’s office and left messages there on Aug. 10.
Of course, we had to look a little deeper into the other side of the story. Here’s how Medtronic responded to our inquiries:
John Mastrototaro, Medtronic’s VP of Research & Development, told us in a phone call on Aug. 26 that he had just spoken with the Department of Homeland Security in “an informal discussion in order to follow up to the claims that Jay made.” He says this was his first conversation with DHS and he was not aware that they attempted to contact Medtronic on this issue earlier.
Specifically, he says: “There is some security and authentication in the product. But there is not encryption. Those have two different meanings to these security experts.” He reiterated that their “primary method of security” is in the secrecy of the six-digit serial number, located on the back of an insulin pump. Another reaction post on the company’s blog that went up Friday stated: “We recommend that you protect the serial number of your pump as you would your social security number, passwords and other important personal information.” Hmmm.
John also stated: “One challenge for us as an organization is that we have to make trade-offs as to where we’re going to put our research dollars and what problems we’re going to solve. We’ve been very focused in the Artificial Pancreas Project… Our new platforms will have the latest encryption technology into those devices. Trying to stay way ahead of the ball is very difficult. It can take 5-7 years for new technology to get out. There is always going to be a potential risk that there’s an evolution of the technology that gets further ahead of the products. Our approach has definitely been proactive and serious, even though it is a remote risk as Jay has said. We want to incorporate solutions to our future iterations of product so that we make it harder still for this sort of thing to occur.”
One interesting factoid is that the security in the Paradigm insulin pump is 12-14 years old. “This was created before 9/11, before malicious intent really came about — when you used to be able to take a water bottle onto the plane,” John says. Twelve to 14 years? Haven’t enough new insulin pumps come out since then that they could have done just a little upgrading on security? We’ll admit, probability of hacking seems pretty low. But still, more than a decade and no security upgrades?
The two congressmen entering the fray are Reps. Anna Eshoo of California and Edward Markey of Massachusetts, both Democrats. In their letter to the Government Accountability Office (GAO), they ask for a report on the extent to which the FCC is:
- Identifying the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology.
- Taking steps to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.
- Ensuring wireless enabled medical devices will not cause harmful interference to other equipment.
- Overseeing such devices to ensure they are safe, reliable, and secure.
- Coordinating its activities with the Food and Drug Administration.
They also write: “In bringing forward innovative wireless technologies and devices for healthcare, it’s critical that these devices are able to operate together and with other hospital equipment, and not interfere with each other’s activities and data transmissions.”
Jay Radcliffe is, obviously, very excited about this development. To him, the behavior of the company in response to this revelation is more worrisome than the actual hacking itself.
On that note, Jay has announced that he is no longer a Medtronic user but has switched to Animas. He plans to hack their insulin pump in a similar manner. If successful, he says, “I will take the same actions I did previously. Hopefully Animas/J&J will behave better than Medtronic has.” Look out, Animas!
So what does all this mean for the rest of us pumpers? Of course we can only cross our fingers that this won’t further bog down the already-painfully-slow FDA process for approving new diabetes devices, like the Medtronic Veo system with low-glucose suspend function (hopefully hacker-safe!).
Should we also be worried about real and immediate risks to our personal safety? I think SecurityWatch said it best when they recently stated: “Radcliffe’s hack is interesting and helpful for pressuring device manufacturers to improve their security, but not especially scary.”
* * *
Cabin Pressure Safety:
As if our worries as pumpers weren’t numerous enough, now an endocrinologist in Australia has discovered that cabin pressure changes in flight might occasionally mess with dosing.
After hearing that a 10-year-old girl went low one hour after take-off (and we’re assuming they ruled out every other possible cause of a low blood sugar?!), Bruce King of John Hunter Children’s Hospital in Newcastle, Australia, and his colleagues discovered other cases of insulin pumpers who also went low after take-off. Apparently that was enough to spark a mini-study in which they sent 10 insulin pumps up in the air and discovered that they gave, on average, 1-1.4 extra units of insulin during take-off. During descent, when cabin pressure was increasing, some insulin was sucked back into the pumps, by about 1 unit.
Of course, 10 insulin pumps is hardly a statistically significant number, and one unit of insulin is probably not going to be a deal-breaker for most adult patients (but it made a big difference to the 10-year-old!). We’d say that parents of small children who tend to go low during air travel might want to take note, and adjust accordingly.

Thanks for this post!
Pump hacking. Ay yi yi.
One unit could have disastrous implications over here…would love to see a larger study!!!
So the first bit was like watching a fun tennis match
And I always thought that within an hour of getting on a plane I was mysteriously low! Hmmm…for me, a unit is usually going to cause a low. Interesting stuff and fun read today
Thanks!
My read on the pump hacking story is (FWIW, I read about it extensively before seeing it here on the ‘Mine):
Interesting, but not concerning. My first question was who is going to write the first murder mystery where hacking a medical device kills/injures/saves a character.
Kudos to you Amy for recognizing the “he said/she said” problem that has come up and that the truth lies somewhere in between.
I am perhaps most concerned with what Reps. Eshoo and Markey have done. I am politically opposed to the Tea Party, but I cringe at getting the GAO and FCC spun up and having potential new regulations developed. Surely, this is the modern definition for delay and additional cost with little benefit.
Fair Winds,
Mike
Saying “10 insulin pumps is hardly a statistically significant number” shows some misunderstanding of statistics.
10 out of a million is not statistically significant. 10 out of 10 is statistically significant.
10 pumps were tested, and all 10 pumps showed similar changes in insulin delivery depending on changes in air pressure.
And to me, this is a very similar issue to the wireless security of the pumps. It illustrates that there are gaping holes in the design of these devices.
One would expect that manufacturers of insulin pumps would know that the users of the pumps would go on airlines. One would expect that pump manufacturers would have investigated the effects of rapidly changing pressure on the pumps.
So what happened? They either didn’t investigate this or they never bothered to tell the public about what they found.
I read somewhere that you do NOT have to turn off your CGM when you fly, because the distance reached by the signal is so short. True? False? Would appreciate it if you could find out! Thanks!
I think that this can easily get out of proportion and really hurt progress. The FDA is overly cautious anyway. Lots of things have the potential to hurt someone. Putting all the efforts to prevent something that a crazy person or a person who is out to kill someone, is something I do not find very logical or practical. Instead of hacking a pump one could stab you with an insulin pen. What security measures will we take for this possibility?
I have flown many times with my pump and have not noticed a significant drop in my blood sugar. I will have to pay better attention next time–I usually check about 1 hour into a flight just because it’s time to check. My ISF is 1:100, and I usually begin a flight within range, so if my pump delivered an extra 1-1.4 units I would potentially be comatose.
I chuckled a bit when I read this story. The thought had never even occurred that pumps could be hacked into. I use the same Minimed pump and frequently upload the data through the same Carelink usb device. Oh and flying on a plane has no effect on a pump’s ability to work whatsoever. Trust me.
Natalie, my son regularly flies and uses CGM. We have also been told by the airline (in Australia) that it can stay on. So we do leave it on, and there have been no problems.
Latest news on the Medtronic hack is that yesterday in Miami Jay showed off an “improvement” to his hack where he can get the serial number of any device within a 300 foot radius completely wirelessly.
So, now you don’t need to have physical access to the pump in order to read the serial number.
His new hack also disables the audible “beep” warning when the dose is delivered, and disables the maximum dosage control.
In conclusion, the Medtronic pump can be hacked at a distance of up to 300 feet, the serial number can be obtained wirelessly and the pump can be ordered to empty its entire payload of insulin into you without any warning. Oh yeah, and you CANNOT turn off the wireless feature.
I think we’ve moved away from “that’s interesting” to “that’s pretty damn scary.”
I’m really rather surprised to learn about this “CANNOT TURN OFF WIRELESS” thing. I honestly want to know more about that than scare quotes by someone who wants to be The Man Who Knows The Secret.
I think the response by Medtronic is an excellent indicator of why I now use a OneTouch Ping. Mainly because Medtronic is the literal worst in customer service and caring about their users.