Medtronic pump users - the sh!t storm

Can you guys confirm that you have seen this. It's a remote attack vector and I am panicking. It's just as I feared. This is NOT like other warnings that have been issued. This is a ■■■■ storm coming. I am going to seek you guys out, one by one, and confirm that you have read this. Please ask any questions you have.

It’s a Wired article from 2018 and if you read the whole thing it’s clear that it IS referring to the old Paradigm pumps that had a key-fob radio frequency remote. Really no need to panic.

The info has been publicly released (although I doubt that the app has - that will provide protection against script kiddies, but not advanced attackers, like those that go after hospital networks). It is now a ticking time bomb.

This has always been a serious attack vector - remember how I wrote about their work in that super long paper that I posted (and you actually read, I think, but it was about a year ago).

This was published yesterday. FDA is making it public because no one is listening. They keep the details quiet for a long time while they try to remedy the situation.

I am concerned about our Loop users that run comm through a phone. That's how I would make the thing attack from afar. We can get in a variety of pump models. I imagine so can they. These are tethered IoT devices. Not particularly difficult to get into.

I’ll go smoke a cigarette and take some deep breaths, DrBB…

I thank God there are no Android phones in the mix with Loop (although, if you're running Loop off an MS computer or Android phone, I personally would switch to Mac until the MS worm is definitely patched or your system is upgraded from Win 7/XP/Vista and the listed vulnerable ports (I think 3389?) are closed on your network. I am particularly uncomfortable if you are running off a VM.).

I’m gonna make a flat recommendation that Medtronic Loop users switch over to Omnipod. That would really put my mind at ease. It's time. A sh!t storm is brewing. If you think that hospital networks are secure, please think again. That may be a place of particular vulnerability.

Sorry–eyesight not what it once was. Looked like 2018 when I read this same article yesterday.

Anyway, I thought of posting it myself, but more from the angle that it seems calculated to put a doom-laden and panicky frame around something that actually only applies to a narrow slice of Medtronic users—DIY loopers—who are using essentially obsolete pumps for a specialized reason, even though it’s awfully cagey about trying to make it look like something else. Yes there are a lot of pump models on the list you pasted in, but if you look at the firmware note in that release, the radio-controller hole was closed by version 3 of the firmware, which narrows things down hugely. It actually takes some deliberate effort—as I guess you know—to get hold of one of those. For instance, I’m using an old pager-style Paradigm 723 with v. 3.00, one version too recent, alas, or I’d be trying looping myself.

My own thought was that the article was going out of its way to obfuscate these facts in order to justify a more dire and doom-laden framing. They even have an image of the old fob-controller, without any indication that hasn’t been part of the system for years. I got my Paradigm in 2012 and it was too late to get one of those even then. The whole thing seems of a piece with a recent series of publications that seem targeted at hyping this vulnerability in what is after all some very old gear, not quite like sowing panic about vulnerabilities in Windows XP but on the same continuum. Who really IS affected? Well, DIY loopers, pretty much exclusively. Which might lead you to think the real panic is that there are people out there doing stuff they shouldn’t because if only they knew what was good for 'em they’d give up their futile efforts and be absorbed by the Medtronic 670G Borg.

Of course I agree that the larger issue of security in wired devices, medical equipment generally as well as stuff like automobile braking systems, is a “sh**storm”-worthy concern, but I also think there’s something of an effort afoot to make DIY looping seem dangerous and risky. So I don’t know that playing into that is helpful.


That's not what this is. They performed a remote (internet) attack against a pacemaker last year. That has NO DIY equivalent. I understand what you mean, though. I responded, initially, the same way. And, I do think this has some urgency because of the influx to Loop.

Nothing new. Who cares?
We knew this was possible. Now they proved it. Still the risk of getting killed due to this vulnerability is approximately zero. If I were looping, I wouldn’t care at all about some fearmongering researchers.

I have always been afraid to use a Medtronic pump, even one that can’t be hacked. You're talking to the wrong person.

That and creating a media sensation that might accrue benefits to the hackers raising the alarm.


They are very well known guys. They don’t need any publicity. They are trying to do the right thing. The computer security guys aren’t a bunch of reckless hacks. They are trying to do the right thing. They are doing exactly what they are supposed to do and have always been, despite overwhelming oppression.

What would constitute a legitimate security warning in your eyes?

I am not trying to create hysteria. I am not trying to profit. I am worried about us. I like us. I like our freeware systems and understand what they represent. I do not like this particular threat. I agree with the FDA assessment.

I would also, maybe, feel better if @Tim35 made a comment, but he is being awful quiet…almost suspiciously quiet. Maybe he isn’t allowed to speak on this topic or judges it best not to. Our tech experts are very quiet. That makes me nervous.

The pacemaker bit aside, what makes it seem, well, odd at the very least is that they go out of their way to make it seem like a problem with current pumps when it is not. They’re focusing on a vulnerability that only applies to pumps dating from over 7 years ago that are only being used in a single specialized case. It would be a lot more on-point if they’d successfully hacked into a 670, since that pump actually takes delivery instructions over Bt and is used by vastly more people. That would be the real target of malicious attacks. Why didn’t they expend their efforts on that?



The long term security flaws HAD to have been fixed in 670g. I have to believe that they have, at a minimum, begun using encrypted communications there, after a decade. I never even considered that was threatened. RF or BT - that makes no difference. Both are easy targets. The real differentiating factor is internet connection because that’s what allows remote attack, not coming from a close geographical proximity. That's why I have chosen to use non-internet connected devices and applications…until yesterday, which is an irritating coincidence. But, I’m on omni, so I’m still immune from attack…kinda - at least, immune from this attack. I feel pretty vulnerable to attack, in general. I’ll go on a commercial system as soon as one is available.

Seems like something that would have been highly relevant and useful for them to point out in the article.

I’m sure you can find out if 670g has encrypted communications. Call Medtronic. They will tell you. It's not really relevant. But, I do understand your baseline of suspicion about everyone and everything. I felt the same way for two days when stuff was announced. I was mad. But, then I spent some time thinking about it.

I have been a target of the direct panic-mongering by Medtronics (AKA Animas) trying to herd the remaining Animas pump users to a Medtronics pump. I am convinced that both situations are orchestrated by Medtronics because their dubious 670g did not generate the customer stampede they expected.


This is not coming from Medtronic. Rios and Butts forced Medtronic’s hands, just as they have in every other case. I believe that MT tried to sue them. It was quite the fight. I had to hand it to them. But, they are our national MT security vulnerability researchers. That's their specialty. You can try to discredit them, but they have a long history of solid, ethical conduct and I trust their analysis. I also trust that they are not releasing the really hairy material that would hurt us. I’m sure they are frustrated, and surprised, by the patient community reaction. They may not understand our reaction. American diabetics have such a complex relationship with healthcare.

People have fought hard on our behalf to get the pumps recalled. I’m sure there is confusion re: non participation.

The company is always suing or threatening to sue everybody. I guess you don’t remember the Cozmo.

Just because someone's always punching you in the face, that doesn’t mean it doesn’t hurt to get punched in the face.

Your analogy is too obtuse.

I tried to PM you but, apparently, you are not open to PMs.

I totally disagree.