Q&A from Medtronic about "pump hack", links to diabetes blogs, more...

Aug. 4, the Washington Post and several other media published this story:
http://www.washingtonpost.com/business/technology/hackers-in-the-bl...

 

Several diabetes bloggers have shared their comments about it, including the following:
http://www.hanselman.com/blog/HackersCanKillDiabeticsWithInsulinPum...
http://sixuntilme.com/blog2/2011/08/hacked_jay_radcliffe_insulin_p....
http://www.ydmv.net/2011/08/pump-hacking-and-what-really-matters.html

 

This morning, I reached out to pump and glucose meter manufacturers, asking them for more information on this. Following I am pasting the Q&A I received from Medtronic Minimed's Director of PR:

Medtronic takes very seriously the issue of information security of devices. It is an integral part of the very fabric of our product design processes. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.

Technology is constantly evolving and Medtronic is continually incorporating measures to maintain information security, while ensuring our devices meet their intended purpose of saving and extending lives.

We understand that there are no absolute certainties in information security. However, we also know that being vigilant in reviewing the external security landscape, designing our products with information security in mind and creating rigorous, complex safeguards will help ensure product security.

Key Questions and Answers
Q1. I’ve read a report that says a device can be manipulated and subsequently disrupted. Is this true?
A. Yes, we are aware of this report. This is the first and only such report we have seen and we do not see a reason to believe that this is a reason for concern as your device went through extensive testing to make sure it would be safe and protected from external harm.

In the reported instance, the researcher had in-depth knowledge about the product he tampered with, such as the serial number of both the insulin pump and remote device, and he TURNED ON the wireless feature. Additionally, he had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment.

Q2. Has a Medtronic device ever been manipulated?
A. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.

Q3. How would I know if someone had manipulated my insulin pump?
A. If someone manipulated your pump to deliver a bolus of insulin that you did not want to receive, your pump would play back a series of tones to confirm the size of the bolus. So, you would be able to detect tones on the insulin pump that weren’t intentionally programmed and could intervene accordingly.

Q4. What could happen if someone tampered with a CGM monitor?
A. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use -- including the transfer of viruses and malicious code, which includes millions of devices worldwide.

We have and will continue to be vigilant in reviewing the external security landscape, designing our products with information security in mind and creating rigorous, complex safeguards which will help ensure product security.

In the very remote chance a patient encountered wireless tampering, a CGM monitor could potentially receive an erroneous sensor value or meter value. However, our CGM labeling requires patients to confirm the sensor glucose reading with a fingerstick measurement prior to making any type of therapy decisions. So, they would have the opportunity to investigate any type of discrepancy caused by wireless tampering.

Q5. Is there really anything Medtronic can do to “prevent” manipulation of devices?
A. We recognize there are people who focus on manipulation of devices – medical and otherwise. Most do so as part of an academic pursuit or to improve existing technology. We also recognize there may be some who have malicious intent. Our job is to incorporate information security measures into our designs, vigilantly monitor potential threats and to always be proactively finding ways to make our devices more secure for you. That is what we have done and what we will continue to do.

Views: 2409

Reply to This

Replies to This Discussion

Permalink Reply by Jake on August 6, 2011 at 12:24pm
Typical Medtronic doublespeak..
Permalink Reply by Robert Hearn on August 7, 2011 at 2:15pm
I'm not a mathematician, or a security specialist, but I'd like to ask if you're talking about the same RSA that got hacked a little while back through social engineering?
Permalink Reply by Fred Goldberg on August 7, 2011 at 3:19pm
Yes, same RSA. So no matter what the technological safe-guards, if the PAYBACK is high enough, technological hacks can be achieved. The question becomes is the payback worth the effort? What benifit would anyone get hacking into an insulin pump or stealing CGMS readings?
Permalink Reply by ddevine on August 7, 2011 at 5:48pm
100% spot on. Insulin pumps are the wrong target for a hacker. Ridiculous concern. Sleep well my diabetic friends.
Permalink Reply by onesaint on August 8, 2011 at 11:12am
+1

Hackers are not attempting to kill people, at least not directly (this can be challenged with Lulz and Anon's recent release of so much personal police information). Still, for a hacker to literally want to kill someone, this would be a long shot. Additionally, according to the presentation given at BlackHat, the pump hasn't been fully hacked yet. However, I have read it can (and has) been done with the USB dongle.

Plus, I think most PWDs monitor their BGs enough that a 20u bolus or a reset of their pump would not go unnoticed.

Beyond that, almost anything is hackable with social engineering.
Permalink Reply by ddevine on August 8, 2011 at 11:19am
Astronomically minute concern. I can't believe anyone is even fretting over this. Worry about cellphones, credit cards, bank accounts, etc. Not this... at all.
Permalink Reply by Joe Lenegan on August 7, 2011 at 4:03pm
You have to keep in mind, also, that this takes more CPU cycles which consumes battery power . Our pump batteries are supposed to last a few weeks right?
Permalink Reply by jbowler on August 7, 2011 at 7:53pm

Or they could just use bluetooth with encryption, which would give more than enough security given that the CIA, Mossad, MI5, OSS, or whoever, only have a few days to crack it.  I'm assuming that pairing is inherently secure; once the devices are paired and the communication is encrypted it's as good as a hard wire.

Permalink Reply by Terry on August 6, 2011 at 1:30pm
Thanks for posting this story. I was unaware of this until now. I enjoyed following the links you provided to other diabetes online bloggers.

It seems to me that the media play that this well-intentioned hacker started may very well have unintended consequences. If it slows down or stops FDA action on medical device approvals currently in the pipeline for diabetics, then it will harm me and the entire diabetic community.

I get that hackers can have a beneficial effect on the security efforts of profit driven companies. I only wish that the hacker's efforts would not threaten to slow down the speed of an already slow FDA.
Permalink Reply by nel on August 6, 2011 at 2:07pm
Thanks Manny for posting MM's response and I will continue to follow the discussion...maybe you get more responses from pump and meter companies .
I read some of this last night on TuD and I did as kerri from sixuntilme posted : went to sleep fine until I see the " sensationalist headlines of tomorrow." .
Permalink Reply by Manny Hernandez on August 7, 2011 at 12:56pm
Permalink Reply by nel on August 7, 2011 at 1:17pm
Maybe one of the reasons pumps are expensive gadgets , compared to other electronic gadgets , such as an iPad ?

RSS

Advertisement



REsources

Groups

From the Diabetes Hands Foundation blog...

Together, We Can Get Diabetes Co-Stars to 10,000 Views!

Above is a photo of Diabetes Hands Foundation’s own Manny Hernandez with the stars of the Diabetes Co-Stars Video, “Strength in Numbers.” In case you haven’t heard the news yet, there is a new video making it’s way through the …
Continue Reading

Congratulations Diabetes Advocates Scholarship Recipients!

The Diabetes Hands Foundation and Diabetes Advocates Program is proud to announce and congratulate the members of DA who were granted scholarships to attend diabetes conferences in 2013! Thanks to a generous grant from Novo Nordisk, in 2013 we were …
Continue Reading

TuDiabetes Team

DHF STAFF

Manny Hernandez
(Co-Founder, Editor, has LADA)

Emily Coles
(Head of Communities, has type 1)

Emily Walton
(Business Manager)

Mike Lawson
(Head of Experience, has type 1)

Corinna Cornejo
(Development Manager, has type 2)

Heather Gabel
(Administrative and Programs Assistant, has type 1)

DHF VOLUNTEERS


Lead Administrator
Bradford (has type 1)

Administrators
Lorraine (mother of type 1)
Marie B (has type 1)

Teena (has type 2)

Brian (bsc) (has type 2)

jrtpup (has type 1)

 

LIKE us on Facebook

Spread the word

Loading…

Get Badge

This website is certified by Health On the Net Foundation. Click to verify. This site complies with the HONcode standard for trustworthy health information: verify here.

© 2013   A community of people touched by diabetes, run by the Diabetes Hands Foundation.

Badges  |  Contact Us  |  Terms of Service