Insulin pump hacker says vendor Medtronic is ignoring security risk

Jerome Radcliffe scared a lot of people — including himself, since he is a diabetic — when he showed how easy it was to hack an insulin pump from a distance at the Black Hat security conference in Las Vegas early this month.

At the time, Radcliffe didn’t disclose the names of vendor names or models. He withheld the information to stay within legal boundaries, to protect himself, and to make sure he did not arm criminal hackers with the means to undertake the actual hacks. Today he revealed in a conference call that the company in question was Medtronic and it has not acknowledged that there is a security risk.

“I chose not to disclose the details to protect the public safety of diabetics,” he said today in a conference call. But that was before he ran into a brick wall with Medtronic.

Now he has worked with the Department of Homeland Security and the Computer Emergency Response Team to contact the vendor of insulin pumps. He said he expected to get honest, public disclosure from the vendor about what it would do to fix the problem.

“I expect a company to be truthful with any press statements and to do fact checking,” he said. “I expect a comprehensive solution in a timely manner.”

Today, Radcliffe revealed that the company was Medtronic, which had an engineer available at his talk in early August. Radcliffe said that on Aug. 9, Medtronic posted a statement on its web site that says it wasn’t really a security problem. Radcliffe was unsettled by that and emailed the engineer again. On Aug. 12, the DHS contacted the company and got no response. On Aug. 15, Congress sent a letter to the General Accounting Office asking for an investigation. And on Aug. 24 Medtronic gave an Associated Press reporter the same reinforced PR statement. CERT also contacted Medtronic.

“Medtronic takes very seriously the issue of information security of its devices,” the company said in a statement. “It’s an integral part of the very fabric of our product design processes.” It also said, “To our knowledge, there has never been a single reported incident of wireless tampering outside of controlled laboratory experiments in more than 30 years of use.”

The company made a point to minimize the importance of Radcliffe’s work, which prompted Radcliffe’s follow-up call with reporters today.

“It was really disappointing to me they would publish this information without doing any fact-checking whatsoever,” Radcliffe said. “You should contact Medtronic and let them know you find this type of behavior unacceptable. If you are a customer, you should demand they take this issue seriously and be truthful.”

With diabetes, a patient can’t properly process sugar in his or her blood because the body can’t make enough insulin, which bonds with the sugar and turns it into fat. Patients have to inject themselves with synthetic insulin as often as several times a day to keep their blood sugar under control. If they have too little or too much sugar in their blood, the results can be incapacitating or even life threatening.

Insulin pumps use wireless sensors that detect blood sugar levels and then communicate the data to a screen on the insulin pump. The patient can monitor the readings and inject the insulin as needed. Radcliffe reverse-engineered the pumps and the wireless connectivity and figured out that the system was relatively unprotected. It was configured more like a dumb device where the manufacturers assumed no one would try to hack it.

There was no encryption, since that requires more complicated processing and would make the battery for the device run out faster. The sensor has to run on a 1.5-volt watch battery for two years. Adding encryption also makes the device more expensive. Once Radcliffe, who has used insulin pumps for a while and has been a diabetic since he was 22, understood how the devices worked, it was relatively simple to figure out how to hack them.

Radcliffe says he really wants to educate people on how to better protect medical devices. He explained how he figured out how to hack insulin pumps, which rely on wireless connectivity and are therefore vulnerable to being intercepted and compromised.

At Black Hat, Radcliffe tackled the problem of hacking the wireless sensors that collect blood sugar information and transmit it to the insulin pump. He had to figure out what kind of chips are used in the sensors, which he did with some digging. Since the devices emit wireless signals, the manufacturers have to submit designs to the Federal Communications Commission, which investigates whether the device emits anything harmful. Those filings contained valuable information on how the devices operated, Radcliffe said. The data-sheets for the chips had good information, and the patent for the $6,000 or so insulin pump was also useful.

Once he IDed the sensor, Radcliffe went through the process of deciphering what the wireless transmissions meant. These transmissions are not encrypted, since the devices have to be really cheap. The transmissions are only 76 bits and they travel at more than 8,000 bits per second. To review the signal, Radcliffe captured it with a $10 radio frequency circuit board and used an oscilloscope to analyze the bits.

He captured two 9-millisecond transmissions that were five minutes apart. But they came out looking like gibberish. He captured more transmissions. About 80 percent of the transmissions had some of the same bits. He reached out to Texas Instruments for help but didn’t have much luck. He told the TI people what he was doing and they decided not to help him.

That was as far as he got on deciphering the wireless signal from the sensor, since there was no documentation that really helped him there. He couldn’t understand what the signal said, but he didn’t need to do that. So he tried to jam the signals to see if he could stop the transmitter. With a quarter of a mile, he figured out he could indeed mess up the transmitter via a denial of service attack, or flooding it with false data.

The problem for manufacturers is that the wireless connection on the insulin pump is also not secure. He wrote a “scanner” program that could query for the device’s wireless signal and it pretty much gave itself away with no encryption to interfere with the scanning. If you can get the serial number of the specific device, you can use that to devise a transmission that issues an instruction to it. Radcliffe can control the pump from a distance. He did it on one device that he owns, not a series of devices, since it was his own personal research. He doesn’t know if some pumps are more secure. He isn’t disclosing the vendor yet, but he will work with the vendor to help create a solution.

Radcliffe figured out that if he reversed the format of the signal, he could then capture a transmission identification and then retransmit it with fake data. That would cause the insulin pump to inject too much or too little insulin into the person’s bloodstream, potentially killing the patient. The pump did nothing to inform the patient that its data had been altered.

Hacking medical devices isn’t a pretty subject. But it is perfectly possible and manufacturers of those devices shouldn’t ignore the possibility that it can be done. The problem of lack of security awareness among the manufacturers has been around for a while. In 2008, a security researcher at the Defcon security conference showed how he could turn off someone’s pacemaker.

Radcliffe says that next-generation pumps may use Bluetooth wireless radio, which has also been hacked in the past. Research is being done into whether the pumps and the sensors can be integrated so that humans don’t have to make their own assessments about how much insulin they need.

Radcliffe said he has ordered a new insulin pump from a Medtronic rival, Animas. The vulnerable pumps are the Paradigm models 512, 522, 712, and 722. He said that the risks are still low in terms of a hacking attack against individual users. But he said users should be concerned about the behavior of companies.

“I can’t continue supporting a company I find unethical,” he said. “I will continue to be committed to fully disclosing and cooperating with Medtronic no matter what their conduct is. Public safety is the top security.”

0 comments