Medtronic pump users - the sh!t storm

The company is always suing or threatening to sue everybody. I guess you don’t remember the Cozmo.

Just because someones always punching you in the face, that doesn’t mean it doesn’t hurt to get punched in the face.

Your analogy is too obtuse.

I tried to PM you but, apparently, you are not open to PMs.

I totally disagree.

I have to get back to work you guys, but keep it coming. I’ll reply to whatever I can after work because I thin its important. Our current community position is that this disclosure is irrelevant because there were no threats issued against the 670g? I’ll have to think about that…but, I’ll try to respond later. I’m not 100% sure I understand, but I’ll think about it.

Willow4, I’m on my work computer, which is unusual. I’ll probably see your message late tonight when I’m at home.

I feel a little disappointed. We are supposed to be better than Medtronic. We are supposed to care about addressing vulnerabilities. I think we do. I think this conversation is just coming off wrong.

Maybe this is the point of discontinuity between how people are reacting and what you were expecting. The study was done on pumps long past warranty running long out of date firmware, and most of the people using them are doing so for precisely that reason, because it allows them to do looping. In many cases they have gone out of their way to acquire these pumps specifically for that vulnerability. For them it’s a feature, not a bug.

Well, I think we do, but again, we’re talking about very dated tech that self-selected people are choosing to use for a very specific purpose. It’s not a perfect parallel but it’s a bit like issuing a recall on Windows NT. The study doesn’t have anything to say about more current pumps, which so far as we know are much more secure. If what you’re trying to argue is that all those MT loopers should switch over to looping with Omnipods, well, maybe they should but it’s their call.

2 Likes

@mohe0001 this Wired article is about exactly the same vulnerability that was identified in 2011 (let me repeat this for emphasis: in 2011) and discussed roughly million times in various on-line venues to absolute exhaustion, most recently on TuD here in response to FDA warning and Medtronic recall. The Wired article title is admittedly catchy and sounds alarming, but there is nothing new here and really nothing to be particularly alarmed about. Old news, recycled yet again (which is pretty amazing in it’s own right).

We do care about vulnerabilities of D-techology. A bent cannula is roughly about 1,000,000,000 times higher concern for me, but this for some reason does not seem to be an issue the esteemed security experts are interested in? Alright, maybe the cannula challenge is unfair, outside of their domain of expertise. I do have a challenge for them, which is actually interesting, and should be right in their domain:

  • Dear Billy Rios and Jonathan Butts of QED Security Solutions, I am using an automated insulin delivery system called Loop, which is exploiting (to my great benefit and pleasure) the exact Medtronic pump vulnerability you are clearly very familiar with. Loop happens to be an app that runs on my iPhone, which has Internet access essentially all the time. My concern is that someone could exploit iOS and/or Loop vulnerabilities to take control over my pump remotely over the Internet. (not over relatively nearby RF - we’ve known about that since 2001). Is that possible? If you were able to answer this real cyber-security question (a documented yes or no answer would be fantastic), I’d be very grateful, and I am sure the entire DIY/T1D community would be thankful and would celebrate your expertise. Of course, we’d do whatever we can to fix any cybersecurity vulnerabilities you may identify. Needless to say, name-promotion opportunities on TuD, Wired, etc. would be endless.

Sincerely, @Dragan1.

p.s. Loop is an open-source project, which should make the challenge much easier for you.

4 Likes

I was thinking the same, and I actually had one of those fobs.

However I recently learned that newer Medtronic pumps can be bolused remotely from contour next link meter. Assuming that signal is encrypted, with some type of secure pairing.

I think it does say something about more current pumps, which we all know function exactly the same way and have additional attack vectors. I just dont think that everything needs to be spelled out explicitly. I think its a little dangerous to do that. I ought to delete this whole conversation…I didn’t expect to generate so many comments.

Some people argue that open source projects are MORE secure because people look at them. The fault is not one in the open source systems so much as a fault in the medical device. Wouldn’t you agree?

People are not publishing the same research over and over. The body of knowledge is growing and people are developing, from scratch, a process for working with these concerns. I think its a little goofy to keep talking about how “old” this stuff is when there is not a well established paradigm for dealing with medical device threats, which has only been a field for ten years. Its brand, spankin’ new. I looked at this stuff ten years ago and I look at it now, with completely different eyes.

It concerns me that we can’t have a more insightful conversation. Our community needs to be able to do that.

Yes, the 630G anyway, which has some of the CGM integration functions of the 670 but not automode. The pairing uses the meter serial number for authentication, but I don’t know much beyond that. It’s certainly worth being concerned about whether these companies are doing due diligence when it comes to encryption or whatever else is current best practices security-wise.

I would say, as I think I did upthread, that I agree with @mohe0001 on the general point that, historically, there has been far too little thought given to security as connectivity extends to more and more components of larger systems, and medical ones in particular. I think that’s changing, and if the Wired article keeps the pressure on and makes more people aware of it, that’s a good thing. I just object to casting this as a cataclysm that’s about to strike “Medtronic Pump Users” in general, as in the title of this thread, when the findings in question actually don’t pertain to Mt pumps of anything like recent vintage, and the same objection applies to the article for obscuring that fact for the sake of sensationalizing the issue.

1 Like

These guys only do Medtronic medical devices. They specialize in that. MT is the most lax in their security. In general, our community issues a lot of backlash against MT devices. It feels suspect that suddenly, in this thread, we sound like their greatest supporters. We gotta get this conversation more straight, as a group, I think.

This is the most awful conversation ever. :smile: Carry on, though. Maybe it goes somewhere.

Yes people like to grouse about various companies, and MT comes in for its share.

But I strongly disagree that there is or should be an established group attitude about Medtronic (or any other manufacturer) as a matter of the identity of this site. As an admin, I’d say that would be totally contradictory to our charter, and as a site member totally contradictory to what I understand this community is for and about.

2 Likes

If you guys think this is a manipulative effort or that government agencies or corporate motives are responsible for this. Then, someone needs to write a very shaming letter to the FDA, the security community (who I guarantee will take it to heart, because they are a very preoccupied with morals) and its comrades in this. I, myself, started to write that letter. But, the more I thought about it, the less I was able to support my position.

If that is your belief, than that is the right thing to do. You think? How would we deal with a scenario in which patient communities are being misled by various players? I mean, that is clearly a strong sentiment. Perhaps there needs to be some dialog between FDA and patient communities in a better venue/forum, where questions can be answered.

@mohe0001 deep breath, and 1, and 2, and 3…almost everything connected to the web is susceptible to hacking. With the growing number of edge connected devices it has become.something of a cottage industry to attempt to breach security layers for.sport and bragging rights. That said, you have to ask yourself why someone would want to target your device, an insulin pump. Of the millions, nay billions of possible targets, many of which are impossibly easy to breach, why @mohe0001’s pump? You are more likely to be hit by a car, not that I would wish that on anyone. I sort of wonder if this is a dis-information campaign by a certain pump mfr who has loop compatible products and is afraid of the potential liability issues lurking around the corner if someone gets hurt looping.

1 Like

Ok, I think I know how to make this conversation work better. Thank you, El_Ver.

I hope I helped, it sounds scary and crazy, but this is a subject that has been going since the 80s. It just gets more Media attention now because of the 30minute news cycles and the need to fill air time with sensationalism.

I’m going to respond to that point, specifically, on a new thread. Yes, same topic, different strategy

The Diabetes Mine article on this puts it in the correct perspective IMO:

Whole article is a must-read on this, but here are a couple of key excerpts:

Yep, the FDA and Medtronic have both issued field safety notifications about older pumps in the Revel and Paradigm series, devices that in some cases are from a decade up to nearly 20 years old now.

Also this:

Medtronic’s Reese says: “It’s been an ongoing conversation because cybersecurity protection is constantly evolving as technology continues to rapidly improve and connected devices need to keep up with this pace… We were made aware of this in late 2011, and we began to implement security upgrades to our pumps at that time. Since then, we have released newer pump models which communicate in completely different ways. With the growing amount of attention to cybersecurity in the medical device industry today, we felt that it was important for our customers to understand the issues and risks in greater detail.”

That may be, but what has also happened over the past few years is the birth and exponential growth of the #WeAreNotWaiting DIY diabetes technology movement; today thousands of people worldwide are creating their own homemade, closed loop systems. Many of those are being built based on these exact older models of Medtronic pumps that the company has suddenly decided to speak out about.

I think more likely that with Medtronic having such an oversized share of the market, one would naturally find more complaints. People IMHO tend to complain more than complement so the company with the largest share would (IMHO again) have more feedback which (IMHO lol) I would expect to appear negative.

It does seem like both Tandem and Insulet are rapidly eating into the Medtronic market share for various reasons and as a result, it would not be surprising to me to start to see responses that seem more balanced across the companies if the market share continues to be more evenly spread.

2 Likes

Kinda like the old Operating System wars, yeah. Plenty of griping about Mac nowadays, not as much when it was the much smaller underdog against the Windows Borg. The thing is, these tend to become tribal things, religious wars spring up around them, and sites can get identified as being hostile to one side or another. That’s the kind of thing we need to avoid.

4 Likes