Forgot your password?
typodupeerror
Medicine Security Science

McAfee Claims Successful Insulin Pump Attack 196

Posted by Soulskill
from the as-if-we-needed-more-biological-vulnerabilities dept.
judgecorp writes "Intel security subsidiary McAfee has claimed a successful wireless attack on insulin pumps that diabetics rely on to control blood sugar. While previous attempts to attack insulin pumps have met with mixed success, McAfee's Barnaby Jack says he has persuaded an insulin pump to deliver 45 days worth of insulin in one go, without triggering the pump's vibrating alert safety feature. All security experts still say that surgical implants are a benefit overall."
This discussion has been archived. No new comments can be posted.

McAfee Claims Successful Insulin Pump Attack

Comments Filter:
  • by the eric conspiracy (20178) on Tuesday April 10, 2012 @05:15PM (#39637511)

    There is always that conspiracy theory that many if not most viruses are written by anti-virus software vendors.

    After all we didn't have many viruses until these things appeared on the market.

    I'm not one to believe this sort of conspiracy theory, but McAfee isn't doing themselves any favors by publicizing this.

  • Usual run-of-the-mill computer viruses and exploits don't usually harm one's health in the say that this has the potential to do. I mean, seriously - a virus could infect your insulin pump and kill you??

    I know it's naïve to even ask, but would this be used in the wild? What special sort of sicko would do this for kicks?
    • by LordNimon (85072)

      What special sort of sicko would do this for kicks?

      Seriously? You have to ask?

    • by Nidi62 (1525137) on Tuesday April 10, 2012 @05:31PM (#39637715)

      I know it's naïve to even ask, but would this be used in the wild? What special sort of sicko would do this for kicks?

      The Darzhavna Sigurnost (Bulgarian Secret Police) and the KGB killed Georgi Markov on a bridge in London by stabbing him in the back with an umbrella that fired a ricin filled pellet. The ability to assassinate someone by infecting their insulin pump would be a goldmine.

      • by Guy Harris (3803)

        The Darzhavna Sigurnost (Bulgarian Secret Police) and the KGB killed Georgi Markov on a bridge in London by stabbing him in the back with an umbrella that fired a ricin filled pellet. The ability to assassinate someone by infecting their insulin pump would be a goldmine.

        ...if your target happens to be a diabetic with an implanted insulin pump. Otherwise, it's just a pyrite mine. A poison will get you whether you happen to have an insulin pump or not.

        • Yes, but poison requires access. You have to be close enough to put it in the target's food or drink, or inject the target with the poison. Shooting the target leaves evidence - the bullet etc. However, this is a wireless attack, with a good antenna it probably can be done from quite far away and would leave no evidence.

        • by Nidi62 (1525137)
          I was using that as an example of how intelligence agencies love unconventional methods of eliminating targets. Now, granted, this kind of thing doesn't really happen too often, but it's always nice to have one more tool in the bag if you need it.
      • by Sir_Sri (199544)

        It's things like this that make me wonder if maybe dick cheney's new heart, which is uncommon for a 70 year old to get, might have been in part a security issue with the device he did have (not necessarily a problem like the one described in TFA).

    • by couchslug (175151)

      Needn't be "kicks", and could be for profit.

    • by AHuxley (892839)
      The family and/or leadership of 'bad' country. The boss of a 'bad' company. The boss of a 'bad' area exporting drugs/weapons without state support.
      The top science person of a "bad" research centre.. That lone wolf blogger who "was" somebody/got a real story....
      You really think all the interest in home wireless is just to watch your web cam, track your power needs and log your mail/web 2.0 use?
      http://www.wired.com/dangerroom/2012/03/petraeus-tv-remote/ [wired.com]
    • by Meeni (1815694)

      Or a lunatic could cough at you with the flu and kill you. Stop the paranoia.

    • by nurb432 (527695)

      It wouldn't really be a virus.But instead a direct attack.

      Stuxnet could cause death too, with poorly designed lockouts ( for example ). Just have a robot wait a few moments after the lock is engaged then swing wildly.. trying to catch a person in the cage with it.

  • Next up (Score:4, Funny)

    by Hentes (2461350) on Tuesday April 10, 2012 @05:27PM (#39637655)

    McAfee releases an antivirus product for insulin pumps.

  • I can also just stab the old lady with a kitchen knife. But either way I'm probably going to jail for the rest of my life, which keeps me from doing it.
    • by zAPPzAPP (1207370)

      Or, you know... conscience.

    • by sjames (1099)

      That's just the thing though, with this exploit, you could kill that old lady at a distance in a way that looks like an equipment malfunction and leaves no evidence that you were ever there. It's a much smaller pool of potential victims and a smaller pool of potential perpetrators, but a much lower risk crime.

      All in all, I think people with an insulin pump would rather not have the vulnerability.

  • The Matrix giveth, and the Matrix taketh away.

  • by Anonymous Coward on Tuesday April 10, 2012 @05:32PM (#39637727)

    An insulin pump is NOT implanted inside the user's body, and it is NOT a medical implant. A small, disposable cannula attached to the pump via plastic tubing is inserted by the user under the skin just a few mm, and is exchanged by the user every few days. There is no permanently inserted component to an insulin pump.

    Also, pump's cartridges to hold insulin typically range from 200-300 units. Contrary to the article's claims, this is not 45 days worth! Someone who is not insulin resistant using a 200 unit model would get 6, 7 days out of it tops. People who use the bigger ones because they are very insulin resistant might use 300 units in just a couple of days.

    The BBC article also states "Mr Jack said diabetics typically needed a dose of 5-10 units of insulin after a heavy meal to help regulate blood sugar. Making the device empty its cartridge into a host's bloodstream would cause "deep trouble"."

    This is very flawed as well. Typically, insulin is taken before a meal whenever possible, and how "heavy" the meal is, is irrelevant. What matters is the user's insulin to carb ratio (how much insulin they need to properly use a gram of carbs) and how many carbs the item they eat contains. Some people require a very large amount of insulin for very small amounts of carbs, some people require barely any insulin for a large amount. Also, when a person relies on an insulin pump, they're not just adding insulin to their body during mealtimes, the vast majority will be using it to deliver a "basal" dose of insulin, or a small amount of insulin 24/7 to stay alive (as this is a function normal non-diabetic bodies perform.) They also use it to deliver corrections, or small doses of insulin in response to blood glucose levels that are higher than expected after meals or throughout the day. A pump is not just a device you use after a "heavy meal."

    While it is true that an insulin cartridge unwillingly emptied into a patient poses significant danger, even without an alarm, I suspect 99% of people would be able to quickly notice such a large dose of insulin being delivered. You can see and feel insulin being delivered that rapidly. And if they happened to miss it, that's what frequent monitoring of blood glucose (which is required for all insulin pump users) is for. Sure, taking 200-300 units more than you should have would be a world of suck, but if you had access to food to eat or a sweet drink or glucose tablets, it's very likely an experienced diabetic would survive that sort of incident... to say nothing of if the cartridge wasn't full. But that's all assuming we're taking someone who has clearly made several mistakes in their reasoning for their word when they say they can access these devices.

    If more security were implemented in an insulin pump, there would certainly be no "frequent surgeries to replace the batteries," as the battery is (like the entire pump) stored in an external pump. It would involve the manufacturer mailing you a replacement and you switching it out.

    • by Guy Harris (3803) <guy@alum.mit.edu> on Tuesday April 10, 2012 @06:01PM (#39638053)

      An insulin pump is NOT implanted inside the user's body

      Except when it is [diabeteshealth.com], although you might have to live in Europe to get it [diabeteshealth.com].

      Also, pump's cartridges to hold insulin typically range from 200-300 units. Contrary to the article's claims, this is not 45 days worth!

      In an implanted pump, it probably would be a larger supply.

      The BBC article also states "Mr Jack said diabetics typically needed a dose of 5-10 units of insulin after a heavy meal to help regulate blood sugar. Making the device empty its cartridge into a host's bloodstream would cause "deep trouble"."

      This is very flawed as well. Typically, insulin is taken before a meal whenever possible, and how "heavy" the meal is, is irrelevant. What matters is the user's insulin to carb ratio (how much insulin they need to properly use a gram of carbs) and how many carbs the item they eat contains.

      I suspect by "heavy meal" he meant "carb-heavy meal". It might have been clearer had he said "carb-heavy meal", so nobody thought that chowing down, say, a 16-ounce filet would require a large bolus. And, yes, your mileage may vary depending on the insulin/carbs ratio. I'm not sure either of those are severely bad oversimplifications, though.

      Also, when a person relies on an insulin pump, they're not just adding insulin to their body during mealtimes, the vast majority will be using it to deliver a "basal" dose of insulin, or a small amount of insulin 24/7 to stay alive (as this is a function normal non-diabetic bodies perform.) They also use it to deliver corrections, or small doses of insulin in response to blood glucose levels that are higher than expected after meals or throughout the day. A pump is not just a device you use after a "heavy meal."

      Again, a simplification, but I'm not sure it's a severe oversimplification in an article written for a general audience; it doesn't invalidate the point of the article.

      While it is true that an insulin cartridge unwillingly emptied into a patient poses significant danger, even without an alarm, I suspect 99% of people would be able to quickly notice such a large dose of insulin being delivered. You can see and feel insulin being delivered that rapidly. And if they happened to miss it, that's what frequent monitoring of blood glucose (which is required for all insulin pump users) is for. Sure, taking 200-300 units more than you should have would be a world of suck, but if you had access to food to eat or a sweet drink or glucose tablets, it's very likely an experienced diabetic would survive that sort of incident... to say nothing of if the cartridge wasn't full.

      Well, for an implanted pump, it could be a lot more than 300 units; how fast it takes action is another matter, so maybe spending a while with your local store's entire supply of orange juice might be sufficient.

      If more security were implemented in an insulin pump, there would certainly be no "frequent surgeries to replace the batteries," as the battery is (like the entire pump) stored in an external pump.

      Again, not for an implanted pump.

      • by slash.dt (701002)
        yes there is such a beast as an implanted pump, but in practice, the things are very, very rare and you are unlikely to meet any diabetic who is even aware that the device exists, let along find someone who has one.

        The version that is out there is 20 years old and is basically being maintained, there isn't new models coming out all the time. Common approaches to security 20 years ago is not the same as we would view them now.

        Yes, it is something that should be addressed in future models (if they ever

      • by rtb61 (674572)

        Of course you can just, 'um', check wikipedia http://en.wikipedia.org/wiki/Insulin_pump [wikipedia.org]. So not all insulin pumps are wireless just some, some are even bluetooth. Simplest wireless security that doesn't need any money going to macaffee, an on/off switch for the wireless controller and just to make sure a red warning led when wireless is active . As for security some units have a backup controller which checks the main controller for accurate function many times a day.

      • by tirerim (1108567)
        Even from the (rather poor) description in the article, it's clear that they're describing a standard Medtronic brand external insulin pump. (There are other brands, but Medtronic is by far the biggest.) 300 units is the standard reservoir size for those; that's about a 4.5 day supply for me, a typical Type 1 diabetic, so I'm guessing that they simply misplaced a decimal point.

        As for surviving a 300-unit overdose... well, for me, that would require about 3,600 grams of carbohydrate to make up for it.
    • by Chirs (87576) on Tuesday April 10, 2012 @06:35PM (#39638415)

      There are different kinds of pumps. The most common is the type you describe, but there are in fact implantable insulin pumps which get refilled via syringe, and this is the type described in the article:

      "The pumps hold 300 units of insulin, enough for about 45 days, and are refilled by a syringe."

    • Do not discount the threat of this process overnight. With my mom's history her real danger is at night. She has slept through the pump alerts including vibration. There are advantages to having a small dog or two on the bed.

  • ... it seems like if beaming a RF signal is all it takes to control the device, it's a terrible, terrible design.

    If I were designing an implantable device that I wanted to be robust to attacks like this, I'd build in a two-stage security system. The first would be a piezoelectric element connected to an oscillator tuned to a particular frequency that acts as a switch for the radio receiver; only when exposed to a strong signal at the appropriate frequency will it even start *listening* for an RF signal. The

    • That's like saying "we should have a phone that we call to turn on the phone we want to call". If they're going to require solid contact with the patient, they might as well use some sort of contact-based communication, like ultrasound or small currents or whatnot. What if you have a jumper sticking out of your arm, and when you short it, the RF control mode is activated? (I'm only half joking)

  • by holophrastic (221104) on Tuesday April 10, 2012 @06:36PM (#39638433)

    Who needs to update their heart from 300 feet away? One of the articles discusses encryption as a solution -- because the person is an idiot. My heart doesn't have any encryption. It has one very important security feature: it doesn't talk to devices 300 feet away.

    It's very easy to screw with my organs, you come up to me and you hit them. It's really easy.

    So who decided that an insulin pump needed full-range wireless connectivity? How about 3 inches. 3 inches would have been great. It's already refilled by a seringe. Ignoring, for the moment, that a seringe-like probe could have updated it without anything being wireless, a simple short-range induction or vibrational signal, or even IR -- actually, IR would have been fantastic because it would have been obscured by clothing, a security device that has resulted in every doctor everywhere asking patients to disrobe, and then leaving for another random amount of time.

    but no, let's use a technology designed for long-distance communication. We talk to space telescopes and voyager probes this way, so it clearly makes sense that implanted devices be accessed this same way -- you know, in case voyager wants to screw with us.

    • The Borg, Skynet, The Matrix...sure, let's connect a bunch of machines in our bodies wirelessly and hope they don't kill us.

  • ... they're figuring out how to kill people.

    Isn't THAT wonderful news?

  • by tragedy (27079)

    Why does this kind of security vulnerability even exist in this day and age? Considering how compact solid state data storage is these days, there's no reason I can think of whatsoever that a vulnerability like this should exist. This is the perfect use case for a one time pad. It's simple. You generate some random data and save a copy of it on three storage devices. One copy goes into the pump, another copy goes into the external wireless controller, and the last copy goes into a safe somewhere. When the w

The major difference between bonds and bond traders is that the bonds will eventually mature.

Working...