Two years ago, researchers discovered vulnerabilities in Medtronic’s MiniMed and MiniMed Paradigm insulin pump lines that could allow hackers to remotely withhold insulin or trigger a potentially lethal overdose.
But after months of negotiations with Medtronic and regulators with no fix forthcoming, the researchers decided to build a smartphone app that could show how the vulnerability could kill.
Billy Rios and Jonathan Butts discovered the vulnerabilities and raised awareness in August 2018, Wired reports. The two researchers, who work at security firm QED Security Solutions, publicized the issue at the Black Hat security conference in Las Vegas that year. With the presentation, the FDA, the Department of Homeland Security and Medtronic warned customers of the potential risks and vulnerabilities associated with the MiniMed pumps. However, there was no plan to fix or replace the insulin pumps. Rios and Butts wanted to trigger a full replacement program with Medtronic, so the two devised a plan to show just how the vulnerability could kill diabetics.
“We’ve essentially just created a universal remote for every one of these insulin pumps in the world,” Rios told Wired. “I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago.”
Medtronic issued a recall on June 27 for two of its MiniMed insulin pumps, citing cybersecurity risks that could allow a hacker to take control of the devices. The recall affects 11 models in Fridley, Minn.-based Medtronic’s line of MiniMed 508, MiniMed Paradigm and MiniMed Paradigm Veo pumps.
“Security researchers have identified potential cybersecurity vulnerabilities related to these insulin pumps. An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery. This could lead to hypoglycemia (if additional insulin is delivered) or hyperglycemia and diabetic ketoacidosis (if not enough insulin is delivered),” Medtronic said in a field alert.
The MiniMed systems are designed to automatically track and adjust blood sugar levels in patients with diabetes, measuring blood glucose every five minutes and automatically administering or withholding insulin. The hybrid closed-loop system features Medtronic’s SmartGuard algorithm, which the company says is the first step in its phased approach towards developing a fully automated, closed-loop system. Using buttons on the devices, diabetics are able to administer their insulin doses. The remote controls for the devices give caregivers and medical professionals control of the pumps from a short distance.
Rios and Butts discovered that it was easy to determine which radio frequencies the remote and pump used to talk to each other. They also found that the communications between the remote and the pump weren’t encrypted. The two researchers, along with Jesse Young and Carl Schuett, could easily reverse engineer the simple encoding and validity checks that were supposed to keep the signal secure. They revealed that a hacker could see the remote’s commands and use open-source software to program a radio that could act as a MiniMed remote and send commands to the pump through a smartphone app.
The QED Secure Solutions researchers said that in order to attack the MiniMed pumps, the hacker would need to know the serial number to direct commands to the correct location in the same way you need a phone number to call someone. The researchers were able to add functionality to the malicious remote they made to automatically run through every known MiniMed serial number over and over in hopes of brute-forcing any vulnerable MiniMed pumps in an area, according to Wired. The attacks are limited to the general range of the remotes and can’t be executed from miles away. However, signal-boosting equipment could allow hackers to cover a larger radius and make the range of the attack a few yards instead of a few feet.
“There’s no protection,” Schuett, who also works for QED Secure Solutions, told Wired. “If you reverse engineer the signal you can send your own signal clean enough for the pump to receive – now you’ve turned yourself into a key fob for an insulin pump.”
All an attacker would need to do is press the buttons in the app to repeatedly give a diabetic user multiple doses of insulin or override a person’s attempts to administer their own insulin.
By default, Medtronic MiniMed pumps beep when they dispense insulin. That feature could alert users to unauthorized pump activity, the researchers suggested. But the hack they discovered could happen more quickly than a patient is able to understand what is happening, and some patients have the default beeps disabled altogether.
Medtronic has a history of cybersecurity issues. In August 2018, Rios and Butts discovered a cybersecurity flaw in Medtronic’s pacemakers, Carelink 2090 pacemaker programmer and associated infrastructure that could allow an outside agent to plant malware on the pacers that would allow them to control all shocks delivered by the device. In May 2018, the Department of Homeland Security released a report warning of cybersecurity vulnerabilities in Medtronic’s N’Vision clinician programmer, designed for use with neurostimulation devices, that could allow outside agents to access personal health data.
Both regulators and Medtronic have stated that there is no known way to patch the flaws on the affected MiniMed pumps or to completely disable the remote feature, according to Wired. Both organizations originally advised users to manually turn off the remote access option if they wanted more protection, but that would prevent caregivers from being able to administer life-saving insulin doses.
Rios and the researchers presented their app and findings to FDA officials in mid-June this year. A week later, Medtronic recalled its devices. Though there have been no reports of unauthorized attacks on the insulin pumps, Medtronic said it had known about the vulnerabilities in the MiniMed pumps for years before Rios and Butts brought attention to them.
“Medtronic was first made aware of potential concerns in late 2011, and we began to implement security upgrades to our pumps at that time. Since then, we have released newer pump models which communicate in completely different ways,” Medtronic told Wired. “Most of our current customer base is already using insulin pumps that are not impacted by this cybersecurity concern. Of the small number of these older pumps, it is difficult to predict how many may want to exchange for a new one.”
Medtronic has reported that there are approximately 4,000 vulnerable pumps in use in the U.S.
Suzanne Schwartz, deputy director and acting office director of the FDA’s Office of Strategic Partnerships and Technology Innovation, told Wired that one reason it took as long as it did to announce a voluntary recall was the difficulty of coordinating with regulatory agencies around the world on an international level. The MiniMed pumps that can be hacked are not widely used in the U.S. anymore, but they are used a lot worldwide.