More Medtronic Hack Malarkey: This Time It’s Insulin Pumps

The U.S. Food and Drug Administration says certain insulin pumps are hackable, and there’s no way to fix them. The pumps, made by Medtronic, are used by diabetics to help meter out insulin, instead of injections.

Are you, like me, feeling a little déjà vu? Oh yeah: Back in March, your humble blogwatcher warned, “Implanted Medical Devices Can Be Hacked Wirelessly.”


Once again, there’s no encryption and precious little authentication to protect against these insulin pump hacks. In today’s SB Blogwatch, we lay off the sugar.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Tyson vs. Family Matters.

Don’t Call It a Recall

What’s the craic? Kate Fazzini reports, “Medtronic recalls some insulin pumps”:

Medtronic is recalling some models of insulin pumps that are open to hacks, and … they cannot be patched. … It’s a rare example of a medical device recall over a cybersecurity issue, although security professionals and the FDA have raised numerous concerns … for years.

The MiniMed … pumps can’t be updated to address security flaws in the device’s firmware. … The company is offering alternatives. … Medtronic has identified around 4,000 patients using the insulin pumps [so far].

A Medtronic spokesperson said [it] was a “safety notice,” and noted: “in the medical device industry, the term ‘recall’ is used generally to cover … for example, customer or patient communications with additional instructions for use of the product.” … The company and FDA are not aware of any confirmed reports of a cyberattack.

What’s the worst that could happen? Shaun Nichols notes, “Scumbags can program vulnerable MedTronic insulin pumps over the air to murder diabetics”:

Health implant maker MedTronic is recalling some of its insulin pumps following the discovery of security vulnerabilities … which can be leveraged by nearby hackers to execute commands on the pumps. [They could] tell the pump to inject too much insulin, causing the patient to suffer hypoglycemia and pass out or enter a seizure, or too little insulin and cause the patient to develop serious life-threatening ketoacidosis.

Medtronic said the recall is voluntary, and has offered patients … replacement equipment: the newer MiniMed 670G models that do not suffer from the vulnerability, dubbed CVE-2019-10964. … Security researchers Billy Rios, Jonathan Butts, and Jesse Young found that the wireless radio communications used between a vulnerable MiniMed pump and its CareLink controller device were insecure.

Should you replace yours? Or should you roll the DICE—the Division of Industry and Consumer Education, that is—“FDA Safety Communication”:

Check to see if the model and software version of your insulin pump is affected. … Talk to your health care provider about a prescription to switch to a model with more cybersecurity protection.

To minimize the potential risk of a cybersecurity attack: … Keep your insulin pump … within your control at all times. … Do not share your pump serial number. Be attentive to pump notifications. … Monitor your blood glucose levels closely.

Get medical help right away if you: Have symptoms of severe hypoglycemia. … Have symptoms of diabetic ketoacidosis.

How do we stop this from happening? Here’s Yet Another Anonymous coward:

A simple solution. The FDA will introduce a whole new set of cyber security requirements.

The cost of the devices will go up by a factor of 10x and you will be required to visit a doctor ($$$) each month to change the password.

However, some accuse Medtronic of sitting on a zero day for years. For example, 93 Escort Wagon’s wife:

New Product Alert. … Sounds like this is exactly the case.

I asked my wife (who is a diabetes educator) about this – in part because I wanted to be sure she was aware of the recall. What she said was:

“Medtronic is being a bully – they don’t like DIY loop and APS community. Those are very old pumps. They don’t want more people abandoning their crappy closed loop system.

They knew about this years ago when those pumps were still in warranty, but they didn’t issue a recall.”

And Matthias Granberry alleges an allegation, with “some additional background” about the community of diabetics trying to build a closed-loop artificial pancreas by hacking old insulin pumps:

The community has also recently reverse-engineered the currently-on-the-market Omnipod RF commands. They have a similar vulnerability surface as the Medtronic pumps, but they are a direct competitor to Medtronic.

By … publishing an advisory for decades-old insulin pumps they can push to get their competitors’ pumps pulled off the market for cybersecurity problems before their popularity increases too much.

This is a straight-up attack on patients to protect their monopoly, just like when they collaborated with the big insurance companies to drop coverage for out-of-warranty pumps by their competitors a couple years ago.

But vtcodger thinks it’s all a fuss about nothing:

Realistically … insulin pump sabotage is probably about number 37 on the list of hazards facing insulin-dependent diabetics. Undetected insulin pump system failures of various sorts, and the unreliability of meters, are probably far greater dangers.

And katrinab agrees:

Mislabelled food is probably the biggest risk facing diabetics.

Meanwhile, alvinrod offers a scary mental vision of future ransomware:

I think that one of the reasons we won’t see any kind of real world “cyberpunk” … augmented humans is because no one can create secure hardware and software. What good are your bionic legs when some script-kiddie from the other side of the world can hack them and make you Riverdance until you pay 3 Bitcoins?

And Finally:

This week in disturbing deepfakes

Hat tip: Stephen Glasskeys

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Marco Verch (cc:by-sa)

Richi Jennings


Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, and NetApp on Forbes. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
