Researcher battles insulin pump maker over security flaw
Medtronic downplays security researcher's concerns about the medical device he was able to hack.
Elinor MillsFormer Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
A security researcher who has proven he can remotely disable the insulin pump he relies on to keep his diabetes in check says the device maker is refusing to acknowledge the problem and misleading the public.
However, Medtronic, the maker of the insulin pump in question and one of the largest medical device manufacturers in the world, insists that the risk is very low.
Other insulin pumps allow for software updates, but to plug any holes in the software of the Medtronic pump would require a recall of all the devices now in use by patients--a costly endeavor and potentially a huge loss in revenue if patients switch to devices from other manufacturers, security researcher Jay Radcliffe told CNET today. Such devices can run $10,000 or more.
"The Medtronic device offers no function for software updates like the other manufacturers do," he said. "Even if they fix the problem in the next generation of devices, that is two to three years away."
The pump regulates how much and how frequently insulin is given to a patient. It fits on a belt clip or in a pocket and shoots the medicine at regular intervals through a thin plastic tube attached into the fatty tissue of a patient's stomach. Every three minutes or so, Radcliffe gets a dose. If he forgets to re-attach the device to his body, his blood sugar level shoots up to unsafe levels and he can get sick.
The device is programmed with a USB Carelink device from Medtronic that is plugged into a computer and channels to the Medtronic Web site. Radcliffe reverse engineered the software used on the devices and discovered that there was no encryption used to scramble the wireless transmissions and no authentication to verify that the devices communicating with each other are legitimate, he said.
On stage during his presentation at the Black Hat security conference in Las Vegas earlier this month, Radcliffe demonstrated how he can disable the pump remotely.
"I won't disclose the technical details," he said. "More concerning is that I'm able to change any setting on the insulin pump without the user's knowledge," he said. "I could change the equations on how a device calculates how much insulin is given...so next time the device would give too much."
"The device should use some kind of encryption or security algorithms," similar to the SSL (Secure Sockets Layer) protocol that protects data sent wirelessly to the Internet from snooping, Radcliffe said.
His research prompted two U.S. to ask the Government Accountability Office a week ago to examine whether the Federal Communications Commission is ensuring that new medical devices and implants that use wireless technology can't be tampered with.
In statements released by Medtronic's public relations department, the company counters that an attacker would need to know the serial number of the device, the wireless feature would have to be turned on, and that encryption is used. However, Radcliffe says it isn't hard to find the serial number of a device, the wireless feature that is vulnerable can not be turned off, and that he can say with "110 percent certainty" that there is no "modern" encryption used.
Medtronic also has claimed that it has not been "formally" contacted by the Department of Homeland Security about the issue. Radcliffe bristles at that notion, providing a list of dates on which he and DHS representatives who examined his work contacted the company, including DHS leaving a message with the Medtronic CEO's office on August 10 and DHS talking to the head of public relations on August 12.
Radcliffe said he did not reveal that Medtronic was the manufacturer of the device he was able to hack until this week when it seemed clear to him that Medtronic was unwilling to acknowledge the issue and resolve it.
Medtronic PR Director Amanda Sheldon said the company has been working over the past several years to incorporate "powerful encryption and security measures into" its future products.
"Medtronic believes the risk of deliberate, malicious, or unauthorized manipulation of our insulin pumps is extremely low. To our knowledge, there has never been a single reported incident of a deliberate attack on an insulin pump user in more than 25 years of insulin pump use," she said in a statement. "We are vigilant in reviewing the external security landscape, which is why our security engineers attend conferences like the Black Hat conference, and incorporate the latest research into our design process."
In response, Radcliffe says that saying an attack hasn't been reported doesn't mean it hasn't happened or won't happen in the future.
John Mastrototaro, vice president of research and development for Medtronic's diabetes division, told Reuters that he "had ordered closer scrutiny of potential security vulnerabilities in the company's next-generation line of insulin pumps, which are currently in development" but that it would be difficult to make changes to pumps currently in use because Federal Drug Administration regulations require approval before changes are made in products. "Medtronic would likely have to recall each pump so that technicians could install the new software," he said. Mastrototaro was unavailable to speak to CNET today.
The significance of computerized medical devices reaches beyond the pump Radcliffe wears every day. Not only are wireless communications becoming increasingly used in medical devices, but devices are being integrated with other technologies for convenience and functionality purposes. "If insulin pumps can talk to Android phones in a few years...this will open up a whole new can of worms and a new threat Medtronic hasn't thought about," Radcliffe said.
Meanwhile, researchers released a paper (PDF) in 2008 that concludes that a Medtronic heart defibrillator is "potentially susceptible to malicious attacks."
With the insulin pump it's true that not just anyone could attack a device. But for someone with the know-how and the hacking skills it's "trivial" to exploit the vulnerability, according to Radcliffe. However, he urged patients to keep using their Medtronic devices for now, but to also pressure the company to address the problems and be upfront about security issues.
"The risk to individual users is very, very low. It's miniscule," he said. The bigger problem is Medtronic's response to the situation, he added. "Their statement is not accurate and that is harmful to customers. They are behaving unethically."