FDA warns of security risks in certain Medtronic insulin pumps

I don’t entirely agree.
Sure, the pump software/firmware has clearly not been altered or rewritten. However, the communication protocols are certainly being hacked into.

This happened very recently as the Omnipod (traditional - not Dash) was made available for looping.

It is what it is.
And it is not what it is not.

But no point in going overboard and trying to pretend something different.

So, if you overheard a conversation while traveling on public transportation and acted on information in that conversation, is that akin to theft? In the US, the public owns the radio frequency airwaves and collectively, through government, permits commercial interest to exploit those frequencies. If a commercial interest uses those public airwaves, is acting on that public information wrong?

I realize that this is a semantic argument and where you stand will be informed by your world view and values. Hacking implies theft; observing and using information broadcast on the public radio frequency spectrum is not.

1 Like

Agreed.

The legal conclusion you draw however is not accurate.

I would say that the “hacking” part comes in when they break encryption. But Medtronic Loop didn’t do any of that. You’re in the clear, @Terry4

Loop for Omnipod, in my opinion, was ‘hacked.’ But, Omnipod seems cool with it. It is the whitest hat hack that has ever existed.

@Tim35, Can you help me understand the CVE? They just post all threat notifications? Then, NIST does a more thoughtful evaluation of the threat and updates the paperwork online? I need to ask around about how this works.

There is no real security threat. The “vulnerability” can only be hacked via Bluetooth 5-10 feet away. The FDA probably was instructed by Medtronic to issue the recall to prevent “hackers” from promoting viable devices to create closed loop systems. MiniMed Medtronic is trying to do the same thing but failing miserably. I met an IT person in NZ who had perfect control of his type 1 diabetes with a device that cost him less than $200 USD. You can bet that a Medtronic version would cost tens of thousands of dollars. Just shows how the Trump Administration has gutted consumer protection agencies to force them to represent big business rather than US citizens.

2 Likes

How so? DIY developers did not break into the Omnipod encryption (instead they replicated it), they did nothing to change the communication protocol at all, they did not add or subtract anything from the PDM-to-pod communications, they did not compromise or alter encryption or data integrity in any way. The term you are looking for is not “hacking”, it is “reverse engineering,” which has a different meaning both in real life and in legal matters.

4 Likes

Maybe it has something to do with this? I’m trying to think about remote exploits because they cited Rios and Butts.

https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/

There is a ■■■■ storm brewing?

I believe this is likely the reason for the Medtronic re-release of the cyber security recall. (Oh, I am a Medtronic ambassador; my usual disclaimers apply.) I am on my telephone.

https://www.medtechdive.com/news/fda-patient-advisory-meeting-set-to-tackle-cybersecurity-in-devices/558145/

2 Likes

So yeah, it sounds like it was in response to the Medical Device Safety Action Plan, which is in itself a good thing. There’s been an incredible proliferation of devices with connectivity, and it’s only been recently that any thought has been given to security for these things. There are videos out of hackers triggering cars’ braking systems and the like. It’s a mess. Obviously medical devices ought to have a high priority when it comes to these concerns.

OTOH, (from the article):

“Medtronic recommends patients not connect the device to third-party technologies it has not authorized.”

So yeah, that too. Of course they have to say it—it’s not like it’s going to stop any loopers from doing what they’re doing.

1 Like

I’m most worried about anybody on Windows 7. Surely no one still has XP. But also for any overseas users who are more heavily reliant on pirated operating systems: it’s time for you to back everything up and install Windows 10. (Do as I say, not as I do.) I don’t really understand how CareLink might be affected. There was no warning about that specifically, but that was how Rios and Butts got inside the pacemakers. They are making a big deal because this can impact hospital systems.

Medtronic loopers don’t use CareLink. But old pump users might. Don’t be plugging anything into or signing into untrusted networks (like a library or McDonald’s or a Starbucks network) and then into your home network where you use your pump if you want to be on the safe side. Doesn’t hurt to have backup supplies for the holiday weekend (and beyond). That goes for everyone for the typical reasons.

I think I understand what you are saying. Unfortunately, the term “hacking” is a word that means different things to different people. Jargon. Let’s find a more precise word with less pejorative connotation (for some of us anyway).

3 Likes

I have a great suspicion the driving force is market forces competing with the 670G auto mode feature. By the way, the 670G doesn’t have Bluetooth at all and cannot display on your phone to share data with loved ones or be operated remotely, which would be convenient for job interviews and such; now the only thing you can do is turn off all alerts.

I assure you that is NOT what this is. The warnings are not being issued by Medtronic. The FDA forced Medtronic to do the recall. The warning is coming from known, respected, and independent security researchers. This is the first time they have been able to force Medtronic to recall. They were able to do that because of how dangerous the threat is. Even considering that, it was difficult to achieve a recall on our behalf.

There is a fight over security and functionality. More functionality means less security. More security means less functionality. It’s up to patients to pick their poison.