Inevitable remote attack vector is here

I thought we would have more time.
It’s here…maybe.

One of the security guys just sent me this.
My RileyLink failed a couple days ago, so I’m not currently running Loop.

Remember, you can always put the RileyLink far away from you.
That will disrupt bidirectional communication between the pump and the internet.

@Terry4, @BradP, @Lorraine, @Dragon1, @Helmut, @Trying, @Laddie, @anon7061735, @Viggen,

1 Like

@Jason22, @Kelly6, @Eddie2

Could also probably disable internet connection and run off BT if you were concerned.

For OmniPods, communications are protected by a nonce. A nonce is an arbitrary number that can only be used once in a cryptographic communication. (For pods it is only partly arbitrary, because it uses the pod’s lot and serial number to generate it.)

As a very simple example of a nonce, if you want to reset your password on a website, the site might send a nonce (such as a sequence of numbers/letter) to your email address or phone. Before being able to reset your password, you have to enter that same number/letter sequence you got in your email or phone into the website. You have established your identity because you have access to your email or phone and you got the correct nonce and entered it correctly. If someone later tries that same nonce, it no longer works. And that nonce will also expire in a few hours, so an attacker has less time to try to compromise it.

This is a simple example of how a nonce can be used.

Communication with the pod uses a nonce based on the pod’s lot number and serial number. This is established during pod activation.

I believe an attacker would need to set up a parabolic microphone during pod activation or find out your pod’s lot and serial number. And then intercept communications and try to impersonate your PDM by using the next nonce that would be generated in the next communication, in order to send an unauthorized bolus your way. And also be close enough that they could send the bolus command with their transmitter.

As my boss has told me many times, “There are much easier ways to kill you, E.”

I am not worried about this.

2 Likes
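The password-reset nonce described in the post above, as an added example that is not part of the original thread and is not the pod protocol: a nonce is issued once, works once, and stops working after it expires. The class name `ResetNonceStore`, the account name and the three-hour lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time


class ResetNonceStore:
    """Single-use, expiring nonces for a password-reset flow (constructed example)."""

    def __init__(self, ttl_seconds=3 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be exercised in tests
        self._pending = {}            # account -> (SHA-256 of nonce, expiry time)

    def issue(self, account):
        """Create a fresh nonce for the account; any older one stops working."""
        nonce = secrets.token_urlsafe(16)           # unpredictable, from the OS CSPRNG
        digest = hashlib.sha256(nonce.encode()).digest()
        self._pending[account] = (digest, self.clock() + self.ttl)
        return nonce                                # delivered out of band (email/phone)

    def redeem(self, account, presented):
        """Return True once for the right nonce before expiry, False otherwise."""
        entry = self._pending.get(account)
        if entry is None:
            return False                            # never issued, or already used
        digest, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[account]              # expired: discard it
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            return False                            # wrong value; rate-limit in practice
        del self._pending[account]                  # consume it: a replay now fails
        return True
```

Only a hash of the nonce is stored, so a leaked copy of the pending table does not hand out usable reset codes.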

I’m Omnipod, too. Very good security. It’s the MT users who are more likely to be vulnerable. I agree with you. It’s always been the MT users that are more vulnerable. I messaged Terry4 directly, just to verify that he’s seen it. I’m not sure that he has yet, but he will. I’m not sure who else is a MT user.

Thanks for posting, Eddie. It’s good to have little drills for Omnipod and practice communicating. We are not invincible. But, I agree that this is unlikely to affect us.

About as much chance of someone getting hurt as being attacked by a herd of Pterosaurs

Too many looking for 10 minutes of fame or advertising their skills by bringing up nonsense - tired of hearing about it - IMHO

1 Like

Your cell can go down at any time. This system is a computer. You have never had a computer go down? That’s fortunate. My personal security and computer hygiene is not that good. Not at all.

My system went down this week and I didn’t even have replacement batteries for my PDM. I gotta walk for miles to get those because my car is down. It was poor planning on my part.

One of us ought to say if this involves old MT pumps or not. Security is an ongoing effort. It never stops. That’s why it sucks! Super busy today, but I’ll read about it later. We, as patient communities, should perform better than Medtronic.

@mohe0001 I’m not sure this information is all that new as the MT pumps at risk are most likely the same pumps that have been at risk for the better part of a decade. How much of this created hysteria is to try and mitigate the open-source off label use of MT products and stem the flow? Personally, I’m not all that concerned.

I read the linked file and don’t really understand the threat. I’m not saying a vulnerability doesn’t exist. What dampens my interest is the lack of a prize for any hacking effort. How could someone exploit this weakness to their benefit?

This is one of those problems that I will let lie unless and until it shows more immediate impact. There are many much smarter people than me using the DIY Loop Med-T pump system. I will wait for them to raise an alarm. In the meantime, other things vie for my attention.

4 Likes

It’s new. They are claiming “possible” remote attack vector. This is the Rios & Butts thing from earlier this year when they increased the CVE score. Just as a note - they aren’t sure. We should be answering these questions ourselves. If anyone knows, it’s us. Is the cited protocol used inside any old MT pumps that we use? That is the question that FDA doesn’t know the answer to.

FDA is being proactive by throwing the question out there publicly. They are asking for our help.

BTW, can anybody find where UHG called all pumps unsafe (other than MT ones) from earlier this year? I can’t find it anywhere, but I think I remember that being said. It was from a post by @Mila, I think. Maybe this one: Unitedhealthcare decision — a step backwards for pump access (AGAIN)

Was that said or do I remember wrong?

That’s a good question, Terry4. I’m gonna see if anyone else can answer it.

If not, maybe we could start by figuring out this:

What’s the difference between a virus, malware, and a worm? Do any of these things ever get onto phones? How do they get there?

What type of attack was this? P.S. Consider NOT watching this if you have epilepsy. https://www.youtube.com/watch?v=gwwDutZgQrQ

@mohe0001 Appreciate the link… Also running Omnipod… I would assume they’d have to get through Pod security via RileyLink (not through iPhone) as mentioned in this thread, and therefore needing to stand really close to me in a totally inconspicuous way… :)

Maybe you’re right. You don’t remember that whole stupid UHG thing, do you? It was quite the post a while back. I was trying to reference it as an example of why diabetics kinda don’t trust a lot of decision makers and big players - kinda related to @Tony24’s comment. Tony commented on that UHG post. Blood sugar getting low. Can’t explain this complicated diabetic perspective to the normals. UHG, as in ugh, not United Health Group. I wish my damn system wasn’t down. I think moderate low BG hits me kinda harder than it used to because I’m not used to getting low BG anymore. I’m getting irrationally frustrated. neeed cookies. Dog trying to take my cookies. So maaad!!!

1 Like

Mohe0001, the link is a short video that breaks down the terminology you were asking about.

The first known phone-based worm (virus) was found in 2004 on Nokia phones running Symbian O/S and wasn’t actually an exploit as the user had to accept a BT file from a nearby phone and give permissions to unpack it. It was more a proof of concept as there wasn’t actually anything malicious (by today’s standards) that I recall (though my memory is shot, so who knows…) As I recall, it was called the Cabir worm.

Hehehehe, El_Ver. I know that you know the answer. That’s cheating. The others need to make an effort to find the answer for themselves. If they can’t find, then we can assist, LOL. That is an interesting tidbit, though. I’m dying of research here. So sick of diabetes research. I’m gonna have to find some way to still be interested in diabetes when I talk to the normals. It’s super hard to fake like you’re interested in something if you’re not. People see right through that and it can seal the coffin on getting people to listen to you.

This is THE BEST picture of a hacker that I have seen lately. I’m gonna use it. Why does he look so French? Heheheheh. I like it.

1 Like

May I suggest a non - D research project then???

1 Like

Make sure you share with the puppies! Especially the good tasting ones, lol

1 Like

Here are the details. This is why FDA forced/prompted MT to replace super old, out of warranty pumps. This is why Rios & Butts were cited in the CVE increase. They are the ‘remote attack’ guys from the MT pacemaker attack from this time last year. FDA and NIST must have known this when they increased the CVE scores.

https://www.us-cert.gov/ics/advisories/icsma-19-274-01

https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/