Maker of hacked insulin pump ignores risk and history of pacemakers with the same problem

Medtronic Maximo pacemakers were found in 2008 to be easily hacked and taken over

The most unexpected and inherently creepy hacking demonstration at this year's Black Hat conference was one from IBM security researcher Jay Radcliffe, who demonstrated how he was able to hack the wireless data connection on his insulin pump to take over and control it from as far as half a mile away.

He was able to increase or decrease his own dose to levels that would have been fatal, without any significant resistance from the pump, which lacked even the ability to identify whether commands were coming from a legitimate source.

Radcliffe didn't name the manufacturer in his Aug. 4 talk. He changed that during a press conference he called yesterday out of, he said, frustration at being stonewalled or ignored in three weeks worth of attempts to get Medtronic to talk about the huge security flaw and even huger potential legal liability Radcliffe found in its insulin pumps.

Medtronic CEO Omar Ishrak told eWEEK he takes the issue "very seriously," but that the hack is possible only in "controlled settings."

A PR statement from the company said it had never seen any incident like the one Radcliffe demonstrated, despite selling millions of insulin pumps and related equipment to tens of thousands of patients.

That kind of cautious response might be understandable if Medtronic had never seen another implantable medical device hacked or remote-controlled, but it has.

Medtronic pacemakers can be hacked, too

In 2008 doctors from Harvard, Univ. Massachusetts at Amherst and the University of Washington published a paper describing all the technical details of how they were able to hack and remotely control implantable cardiac defibrillators (PDF) – pacemakers that keep a patient's heart beating regularly.

Medtronic said at the time of the report it had never seen an incident in which a pacemaker had been hacked. It stuck with that position.

More than 2..6 million pacemakers had been implanted in patients in the U.S. by that time, many with wireless networking functions that allowed doctors to check on the health of both the patient and the device without cutting either one open.

The researchers published their paper at the Medical Device Security Center – an association of medical researchers who study how to balance the need for effective technologically assisted healthcare with the privacy of patients and security of devices on which they depend.

One of its areas of specific study is the security and reliability of insulin pumps for diabetics.

So, for Medtronic, at least if it were paying attention to its own business, the possibility that an insulin pump could be hacked and controlled is not a new one.

It's just one the company doesn't want to do anything about.

Insulin pump controls lack even basic security

Medtronic's Aug. 9 press release, among other things, implied that only Radcliffe's physical access to the pump, knowledge of details such as its serial number and the ability to turn on its wireless-networking function allowed the hack to work.

The exploit does require knowing the serial number, Radcliffe said. But the wireless connection is not something patients can turn on or off. It's available when the hacker wants it, and the hack works whether the attacker has physical access or not.

The tiny security flaw Radcliffe was able to exploit was based on his discovery that Medtronic Paradigm pumps accept commands via its wireless connection without any ability to identify which commands come from a legitimate source and which don't.

The wireless network uses only simple, proprietary encryption that is simple to break, requires no password or other authentication process and only needs a serial number included so it knows commands it receives are intended for it and not some other machine.

Other pieces of Radcliffe's medical equipment weren't as open; his glucose monitor sensor uses Secure Sockets Layer certificates to encrypt its communications, for example.

Medtronic sees no evil, and apparently plans to do nothing about it

Radcliffe, a senior threat intelligence analyst at IBM and diabetic who discovered the flaw using his own Medtronic pump, was criticized for revealing the flaw by (among others) ITWorld readers who said he should have gone straight to the company with the information.

When he did, following Black Hat and the publicity surrounding the exploit, the company ignored him.

A Medtronic spokesperson who attended Radcliffe's Black Hat demo said the company was still evaluating his public statements to try to decide what to do about the security flaw.

Except Radcliffe left out of his presentation and public statements most of the technical details Medtronic would need to evaluate whether the problem was real or not, Radcliffe told the AP.

Nevertheless, Medtronic has said nothing publicly about the hack and nothing privately to Radcliffe about having him help them fix the flaw, despite the company's history with exactly the same issue on another product line.

Its only direct statement is one that sounds disappointed that there are people out there who might want to tinker with medical technology, but doesn't even approach an acknowledgement that the maker of that technology has any responsibility to help prevent it.

That's worse than an irresponsible response. It's a criminally negligent one.

Once revealed on a stage as big as Black Hat, a hack will be tried out and repeated and built upon by other hackers exploring new territory. It would be shocking if no other exploits of implantable medical devices showed up, if only from researchers trying to understand how vulnerable they are.

Any company that is notified in such a public, undeniable way that a product critical to a customer's health has an obvious, easily exploited security flaw and does nothing about it is fully responsible for the consequences – especially a company that has gone through the whole process before and should know better than to leave critical healthcare systems unprotected.

Standing back and hoping the problem will go away if you ignore it is childish, petulant and criminally negligent.

Hearing that a hacker could take over and control a critical medical device and potentially kill a patient was shocking. Finding out the manufacturer knew it could be done and refused to do anything about it before the revelation or after is proof that the most bitter, cynically negative expectations of cowardly corporate executives are sometimes true.

It's also a good starting place for criminal investigations by the FDA and Dept. of Justice into just why a company like Medtronic is willing to put the lives of its customers at risk rather than teach its insulin pumps to use a password.

  From a Medtronic PR statement, Aug. 9:

Is there really anything Medtronic can do to “prevent” manipulation of devices?
A. We recognize there are people who focus on manipulation of devices – medical and otherwise. Most do so as part of an academic pursuit or to improve existing technology. We also recognize there may be some who have malicious intent. Our job is to incorporate information security measures into our designs, vigilantly monitor potential threats and to always be proactively finding ways to make our devices more secure for you. That is what we have done and what we will continue to do.
ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon