Scumbags can program vulnerable MedTronic insulin pumps over the air to murder diabetics – insecure kit recalled
Not a particularly sweet ending to the week
Health implant maker MedTronic is recalling some of its insulin pumps following the discovery of security vulnerabilities in the equipment that can be exploited over the air to hijack them.
Specifically, the manufacturer is recalling its MiniMed 508 and Paradigm insulin pumps, along with the CareLink USB control hub and some blood glucose monitoring devices used with the at-risk gear. America's medical drug watchdog the FDA also issued an alert this week over the holes, which can be leveraged by nearby hackers to execute commands on the pumps.
These commands can, for instance, tell the pump to inject too much insulin, causing the patient to suffer hypoglycemia and pass out or enter a seizure, or too little insulin and cause the patient to develop serious life-threatening ketoacidosis. It's a bizarre way to kill someone right by you, of course, when hitting them over the head with a wrench will do it, but you never know.
Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)READ MORE
Medtronic said the recall is voluntary, and has offered patients who send in their pumps replacement equipment: the newer MiniMed 670G models that do not suffer from the vulnerability, dubbed CVE-2019-10964. Those who cannot obtain a new pump for whatever reason are advised to avoid connecting their pump to any non-Medtronic devices and to unplug the CareLink USB device when not in use.
"The FDA has become aware that an unauthorized person (someone other than a patient, patient caregiver, or health care provider) could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities," the drug agency said of the flaw.
"This person could change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis."
Security researchers Billy Rios, Jonathan Butts, and Jesse Young found that the wireless radio communications used between a vulnerable MiniMed pump uses and its CareLink controller device was insecure. An attacker who was in close enough physical proximity to the pump could masquerade as a CareLink unit, and send potentially life-threatening commands to the insulin pump over the air using a software-defined radio or similar kit.
"The vulnerabilities affect the radio features," Rios told The Register. "They use a custom radio protocol and the vulnerabilities were exploited through the use of software-defined radios."
The research builds on concepts first outlined by legendary infosec guru Barnaby Jack back in 2011.
Jack, who died shortly before the 2013 Black Hat security conference, was among the first group of bug hunters, including Nathanael Paul and Jay Radcliffe, to describe how Medtronic and other medical implants were using insecure radio channels to transmit and receive patient data and commands, leaving the door open for miscreants to intercept and inject their own instructions to the devices with potentially catastrophic consequences. ®