Q&A from Medtronic about "pump hack", links to diabetes blogs, more

I was under the impression that when Radcliffe tried to decrypt the intercepted proprietary data (from meter to pump and CGM to pump), all he was able to extract was garbled code.

A man-in-the-middle attack like what you're suggesting would work in theory, but only if you knew the algorithms used for the proprietary communication protocols. I suspect (as you stated) other methods of attack would be more rewarding for a hacker, such as DoSing the pump to force a shutdown.

OK, is this just me, but, who would want to tamper with my pump or CGM??? Why??? For what purpose?? It is always on me… so I think I would know since I am always checking my pump for my BG levels… I cannot understand why anyone would want to hack my pump or CGM to give me a bolus or whatever… sounds kind of ridiculous… OK, maybe I am sheltered, but, I don’t really think I am all that important or that anyone would know I wear a pump or CGM since it’s under my clothes… how would anyone know unless I told them?.. oh well… OK… color me ignorant I guess!

Multi Millions to be made…

By me, for my meteor avoidance technique…

No, you are just using your common sense…

See my meteor avoidance technique in an earlier post. :wink:



Worry not.

Interesting.

Nice work on an interesting project. If the point was to bring attention to the subject of securing medical devices, I’d say you succeeded. So, any luck on actually delivering boluses with your hack?

Can I ask what you used to intercept the signal from the CGM? I was looking into trying to grab the signal from the meter to possibly write an iPhone app, but my RF interception skills are weak (if it’s even RF). I use a Dexcom CGM and in the bit of research found that they use a low level frequency for comm. between the receiver and transmitter. Were you able to decipher any of the signals you intercepted?

Welcome to TuD, by the way!

Thanks Manny. I was getting worried about someone hacking into my pump but now this makes me feel a little better.

No Jim, I have a realistic attitude.

ddevine: the three comments were deleted, within a couple of hours of posting, but he didn’t say your attitude was not realistic :wink:

A “really bad attitude” is what he said, and that’s inaccurate. I could just as easily say the same thing about people who are frightened about getting their pumps hacked, but I wouldn’t because it has nothing to do with their attitude.



Peace and Love. I was too harsh.



I hope people who are worried about their pumps being hacked are able to put their concern to constructive use and make their pump manufacturers address this.

What I interpreted from the truncated beginnings of those three comments is that Jim is, like me, a software engineer and he feels, as I do, a general responsibility for all use and misuse of software. (Because we *know* we can do it, and therefore it is our responsibility to help others know how.)

So when I say that this can be fixed, I'm not saying it because I'm worried about a personal attack, any more than I am worried that my Tylenol might be poisoned, or that I might be shot by some guy in a hoodie while I'm walking through the woods, etc.

Understood when talking about it from a developer point of view… I agree 110%. My work is highly technical (software related) as well, but I’d rather not get into that. From a user point of view, however, this really is a nonstarter. That was my only focus. Otherwise, I am on board with your assessment. Now… off to my secret room with my Commodore 64 :wink:

So the pump that was hacked is the Medtronic:

http://www.dailyherald.com/article/20110825/news/708259599/

Nice piece of indirection by Jerome Radcliffe when he commented on the Animas thread ;-)
The AP article above has a good summary of the issues; The Register has a roundup of information, much of which doesn't seem to have been mentioned here:

http://www.theregister.co.uk/2011/08/25/medtronic_insulin_pump_hacking/

Still, I stand by what I said before on this site; the FDA have a perfectly good way of logging issues with medical devices:

http://www.fda.gov/MedicalDevices/Safety/ReportaProblem/default.htm

Anyone can use their online forms and it is clearly the FDA's responsibility, regardless of the complaints made by US representatives suggesting it's an FCC issue:

http://markey.house.gov/index.php?option=com_content&task=view&id=4475&Itemid=177

Does anyone have a link to this original CVE disclosure from NIST?