[HN Gopher] Medtronic's MiniMed 600 insulin pumps potentially at...
___________________________________________________________________
Medtronic's MiniMed 600 insulin pumps potentially at risk of compromise

Author : woliveirajr
Score  : 64 points
Date   : 2022-09-30 16:29 UTC (6 hours ago)

(HTM) web link (www.medtronicdiabetes.com)
(TXT) w3m dump (www.medtronicdiabetes.com)

| code_duck wrote:
| Hmm, Medtronic already had at least one recall on this series of
| pumps:
|
| https://diatribe.org/medtronic-provides-update-recall-thousa...
|
| Tandem recently released updated firmware and mobile app for
| their t:slim X2 pumps which includes a function to deliver
| insulin from the mobile app. To me, this seems like a dangerous
| idea, given that people can die from an insulin overdose. I'm
| perfectly happy keeping the function solely on the physical
| device. My wariness has not been shared by the majority (or even
| a small fraction) I've discussed this with online - pump users
| generally desire this convenience and are not at all concerned
| about potential security implications.
| jwoglom wrote:
| While I'm not a certified security professional, I have looked
| pretty closely at Tandem's mobile pairing and remote bolus
| implementation and it seems to have been designed in the right
| way. After initializing a Bluetooth connection, the phone and
| pump complete a handshake wherein a 16 character alphanumeric
| key appears on the pump screen and you need to enter it on your
| phone, which then uses it as a shared HMAC symmetric key.
| Status information and responses then occur in cleartext once
| authenticated, while bolus operations require messages to be
| signed with the initial key.
|
| That being said, on the chance that there is a security flaw
| here I'm willing to eat my words...
| qmarchi wrote:
| Would be cool if you contributed to xDrip!
|
| My partner uses a Tandem pump, and is annoyed that she can't
| actually use most of the features of the Tandem app because
| she uses an unapproved (Pixel 6 Pro) device.
| jwoglom wrote:
| Take a look at https://github.com/jwoglom/pumpx2, I'm
| working with the AndroidAPS folks currently to make it more
| broadly available. xDrip integration would happen via AAPS.
| code_duck wrote:
| My concern is that the phone could be compromised. Having a
| phone hacked would be bad enough without giving the attacker
| the option to easily hospitalize/kill you.
| dsaavy wrote:
| There was an entire data set released that had all the medical
| device injuries and malfunctions listed. Pretty interesting to
| dive into considering it wasn't previously public.
|
| Article mentioning the previously non-public database:
| https://khn.org/news/hidden-fda-database-medical-device-inju...
|
| FDA database that was eventually released:
| https://www.fda.gov/medical-devices/mandatory-reporting-requ...
|
| As a Type 1 diabetic, insulin pumps are a game changer for the
| entire population that needs to use them. But I think it's
| understated the risks that come with the devices. In my opinion
| the benefits outweigh the risks but that is still something you
| should be able to determine on your own as a user.
|
| Side note: One of the things I see a lot of diabetics miss with
| insulin pumps is how changes in altitude and air pressure can
| cause unintended delivery of insulin if you have air bubbles in
| the cartridge. For those who travel with insulin pumps, make sure
| to disconnect during changes in altitude (take-off and landing).
| WaitWaitWha wrote:
| > ... CareLink(tm) USB device that communicate wirelessly. ...
|
| > ... For unauthorized access to occur, a nearby person other
| than you or your care partner would need to gain access to your
| pump at the same time that the pump is being paired with other
| system components. _This cannot be done over the internet._ ...
|
| > 4. Disconnect the USB device from your computer when you're not
| using it to download pump data. 5. DO NOT confirm remote
| connection requests or any other remote action on the pump screen
| unless it is initiated by you or your care partner. 6. DO NOT
| share your pump's or devices' serial numbers with anyone other
| than your healthcare provider, distributors, and Medtronic.
|
| Hmm... You have a wireless dongle connected to a PC that appears
| to rely at least in part on the serial number as authZ/N, and can
| provide fully remote communications over the Internet and
| manipulation of the terminal device. But... "_This cannot be
| done over the internet_"? Seems to be at the time of pairing,
| but can the pairing be initiated & accepted remotely?
| idealmedtech wrote:
| Welcome to cyber security in medicine! Stay a while!
| [deleted]
| Group_B wrote:
| To be fair the earlier Medtronic pumps were also insecure, but it
| allowed for reverse engineers to get into them and create one of
| the first closed loop systems.
| cperciva wrote:
| Indeed. I'm using such a closed loop right now, and old
| Medtronic pumps routinely sell for $500-1000 to people who want
| to use them to loop.
| terminalcommand wrote:
| This makes me mad as a minimed user. I can't even get data out of
| my pump (a 754) because minimed does not sell the reader in my
| country. The 600 models are the top-of-the-line models that cost
| $$$.
|
| Medtronic shouldn't be able to get away with just saying, turn
| off remote bolusing to be secure. I hope they get a class-action
| suit.
|
| Background: Medtronic is a money-hungry company. I've been using
| their insulin pumps for 15 years. Over the years the quality of
| their infusion sets dropped, they no longer provide a cap (the
| thing you put on to close the catheter before you shower) with
| each infusion set, rather they put only one cap in a 10x
| bag. The infusion sets started to fail after 2 days (the default
| timespan is 3 days), whereas it used to last 4-5 days before.
| TimBurman wrote:
| There are some Contour Next Link (non-2.4 version) listed on
| eBay and other sites. Unless Medtronic locks the meter to one
| user account, maybe you could then pair it and get the data
| out, if they will ship to your country.
|
| Here in Canada, the infusion sets Mio 30, Mio Advance, Sure T
| and Mio that I have used all came with a cap in each set. They
| also charge the government C$26 each, but still that cap cannot
| be worth more than a few cents, so it is a strange way to save
| money.
|
| The sets have been failing early for me as well at the rate of
| about 1 in 10. I started with the Mio Advance and my nurse said
| to call Medtronic and report the failures. Medtronic sent a box
| of 10 Mio Advance plus boxes of 10 Mio and 10 Sure T (metal) to
| try for free. The Sure T failed less than the Mio Advance and
| Mio, but I just had one fail the first day so am trying the Mio
| 30 which goes in at an angle but uses plastic.
| rbarnes01 wrote:
| Not surprised that QA is a problem with them. They don't even
| realize that one of their contract manufacturers isn't registered
| with the FDA.
| jmptable wrote:
| It's very interesting to see an in-the-wild example of a security
| flaw in the wireless pairing of a class C medical device (i.e. a
| device that can severely injure or kill). Would love to see
| technical details about the specific flaw here.
|
| Just spending a few minutes searching around I found this
| interesting reverse engineering work on the Contour Next Link 2.4
| USB dongle:
| https://github.com/szpaku80/reverse-engineering-contour-next...
|
| It looks like it's implementing 802.15.4 (the basis for ZigBee
| among other protocols).
|
| The user manual for the Contour Next Link 2.4 device
| (https://www.medtronicdiabetes.com/sites/default/files/librar...)
| shows that pairing can be initiated by the USB dongle and
| succeeds if the user confirms the request on the device. A serial
| number is displayed but that appears to be under the control of
| the hypothetical attacker. So the user must know to reject an
| unexpected request even if it has the right serial number, or the
| attacker will gain control of their pump and can issue a remote
| bolus command.
|
| This example doesn't have to do with Bluetooth but there's an
| interesting connection there because most BLE pairing methods
| have been shown to be insecure to sniffing attacks. That imposes
| constraints on how medical devices that need Bluetooth
| connectivity are designed, because it may force a device to have
| a screen for showing a pairing code when it otherwise would not
| need one.
| HeyLaughingBoy wrote:
| The FDA released a Draft of the new Cybersecurity Guidance
| document back in April and there was speculation that this
| draft was going to become active (an actual regulation) by the
| end of the year. I wonder if this news is going to speed that
| up in any way.
| ska wrote:
| FDA is probably more concerned about getting it right[1],
| than faster.
|
| [1] this is not a comment on how likely that is
| AnthonBerg wrote:
| From experience, Medtronic's software is obviously low-quality.
| Obviously bad and unnecessarily bad.
| morcheeba wrote:
| Medtronic buys a lot of companies and rebrands their products
| under their name. Software quality is going to vary a lot,
| because it comes from a wide variety of sources.
___________________________________________________________________
(page generated 2022-09-30 23:00 UTC)
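
The scheme jwoglom describes in the thread above (a 16-character code shown on the pump becomes a shared HMAC key, status travels in cleartext, bolus commands must be signed), as an added sketch that is not part of the thread and not Tandem's code. The frame layout, the choice of HMAC-SHA256, and the replay counter are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (assumption, not Tandem's wire format):
#   opcode(1) | counter(4) | milli-units(2) | HMAC-SHA256 tag(32)
OP_STATUS, OP_BOLUS = 0x01, 0x02
BODY = struct.Struct(">BIH")
TAG_LEN = hashlib.sha256().digest_size


def derive_key(pairing_code: str) -> bytes:
    """Use the 16-character code shown on the pump screen as the HMAC key."""
    if len(pairing_code) != 16 or not (pairing_code.isascii() and pairing_code.isalnum()):
        raise ValueError("pairing code must be 16 ASCII alphanumeric characters")
    return pairing_code.encode("ascii")


def sign_bolus(key: bytes, counter: int, milli_units: int) -> bytes:
    """Phone side: build a bolus frame and append its tag."""
    body = BODY.pack(OP_BOLUS, counter, milli_units)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Pump:
    """Pump side: status is unauthenticated, bolus frames must verify."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # replay guard; an addition, not described in the thread

    def handle(self, frame: bytes) -> str:
        if frame[:1] == bytes([OP_STATUS]):
            return "status"  # cleartext request, no tag required
        if frame[:1] != bytes([OP_BOLUS]) or len(frame) != BODY.size + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY.size], frame[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: bad signature"
        _, counter, milli_units = BODY.unpack(body)
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return f"bolus {milli_units / 1000:.3f} U"
```

The tag only proves the sender holds the pairing key; a compromised phone, the concern code_duck raises, still holds that key.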