Diabetic security researcher Jerome Radcliffe, who hacked his insulin pump at Black Hat, accused Medtronic of not taking security of its devices or his research seriously.
At the Black Hat security conference earlier this month in Las Vegas, a security researcher stood on stage and demonstrated how a malicious third party could transmit wireless commands to remotely disable his insulin pump.
During his Aug. 4 demonstration, Jerome Radcliffe declined to disclose the name of the manufacturer who made his pump and the technical details of how he hacked the insulin pump. He said the pump's communications were not properly protected or encrypted and planned to work with the company to address the lack of security in these devices. After three weeks of not getting anywhere, he disclosed the pump maker during a press conference on Aug. 25.
Medtronic is one of the world's biggest medical device companies and makes many other kinds of medical hardware besides insulin pumps, such as pacemakers and defibrillators. A Medtronic engineer who had attended Radcliffe's presentation at Black Hat received a copy of the presentation and detailed information about the research. When Radcliffe followed up by email three days later, the engineer did not reply, he said.
While disclosing the name of the manufacturer and the model numbers of the affected Paradigm pumps (512, 522, 712 and 722) may increase the risk of attacks on patients with diabetes, Radcliffe said the risks to individual users remain very low. Patients using Medtronic pumps should "not freak out" and should keep using the pump, as it will take some time for a malicious perpetrator to figure out his techniques. However, they should demand that the company be more upfront about what it is doing to make the devices more secure and keep abreast of what the company does down the road with the devices, Radcliffe recommended.
The problems he found all centered on the fact that the pump will accept commands from any source and execute them. There is no way for the pump to identify which commands come from a trusted system and which are malicious. With his technique, it is possible to program a special remote control to command strangers' pumps to dispense the wrong dose of insulin, which could have fatal consequences if diabetics are given too little or too much.
Medtronic's new CEO Omar Ishrak was asked about hacking and medical device security at the company's annual shareholder meeting Aug. 25. He said it's something the company "takes very seriously," but that hacking occurred only in "controlled settings."
Radcliffe pointed out that just because it hasn't been attacked before doesn't mean it will never be attacked. He also took exception to the claim that Medtronic takes information security seriously, since the wireless communications are not encrypted, nor are there any passwords or authentication in place. All an attacker needs is the device's serial number, and Medtronic itself supplies every patient with all the equipment he used.
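To make that weakness concrete, here is an added illustration written for this page; it is not Radcliffe's code and does not reproduce the Paradigm radio protocol, whose details he withheld. It models a command frame that carries a serial number, a counter, a command byte and a dose, and contrasts a pump that executes any frame bearing its serial (the behaviour the article describes) with one that demands an HMAC-SHA256 tag under a per-device key and rejects replayed counters. The frame layout, command codes, serial, key and the names of the classes and functions are all assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout for this illustration only (not Medtronic's):
#   serial (4 bytes) | counter (4 bytes) | cmd (1 byte) | dose (2 bytes) | tag (32 bytes, authenticated pump only)
HEADER_FMT = ">IIBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
CMD_SET_BOLUS = 0x01   # assumed command code
CMD_SUSPEND = 0x02     # assumed command code


class UnauthenticatedPump:
    """Models the article's finding: any frame carrying the pump's serial is executed,
    whoever sent it, so the serial number is the only 'secret' an attacker needs."""

    def __init__(self, serial):
        self.serial = serial
        self.log = []  # (cmd, dose) pairs actually executed

    def receive(self, frame):
        serial, _counter, cmd, dose = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        if serial != self.serial:
            return "ignored"
        self.log.append((cmd, dose))
        return "executed"


class AuthenticatedPump:
    """Hardened model: a per-device key shared only with the legitimate remote,
    an HMAC over the whole header, and a strictly increasing counter to stop replay.
    (Confidentiality is a separate concern; an AEAD such as AES-GCM would give both.)"""

    def __init__(self, serial, key):
        self.serial = serial
        self.key = key
        self.last_counter = 0
        self.log = []

    def receive(self, frame):
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        serial, counter, cmd, dose = struct.unpack(HEADER_FMT, header)
        if serial != self.serial:
            return "ignored"
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        # constant-time comparison; a missing or wrong-length tag also fails here
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self.log.append((cmd, dose))
        return "executed"


def build_frame(serial, counter, cmd, dose, key=None):
    """Build a frame; with a key, append the HMAC tag a legitimate remote would add."""
    header = struct.pack(HEADER_FMT, serial, counter, cmd, dose)
    if key is None:
        return header
    return header + hmac.new(key, header, hashlib.sha256).digest()


def demo():
    """Run the same attacker frames against both pump models and collect the outcomes."""
    serial = 123456                      # assumed serial, the one value the attacker knows
    device_key = b"per-device-secret-provisioned-at-manufacture"  # assumed, never on the air
    weak = UnauthenticatedPump(serial)
    strong = AuthenticatedPump(serial, device_key)
    results = {}

    # Attacker knows only the serial: forged bolus of 25 units, no key.
    forged = build_frame(serial, 1, CMD_SET_BOLUS, 25)
    results["weak_forged"] = weak.receive(forged)
    results["strong_forged"] = strong.receive(forged + bytes(32))   # padded fake tag

    # Attacker guesses a key: tag is wrong, so still rejected.
    results["strong_wrong_key"] = strong.receive(
        build_frame(serial, 2, CMD_SUSPEND, 0, b"guessed-key"))

    # Legitimate remote: accepted once, then the captured copy is rejected as a replay.
    legit = build_frame(serial, 1, CMD_SET_BOLUS, 5, device_key)
    results["strong_legit"] = strong.receive(legit)
    results["strong_replay"] = strong.receive(legit)
    results["weak_executed"] = list(weak.log)
    results["strong_executed"] = list(strong.log)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The MAC and counter address the two properties the article says are missing, authentication of the sender and rejection of captured traffic; they do not hide the commands from an eavesdropper, and a real design would also need secure key provisioning, a counter that survives battery changes, and a fallback path for a lost remote.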
Not all medical devices have this problem. Radcliffe was unable to decode the signals sent from his glucose monitor sensor and found that some pump manufacturers use Secure Sockets Layer (SSL) certificates to secure communications. Medtronic claims to use proprietary encryption protocols, which Radcliffe dismissed as ineffective.
"Security by obscurity is always a failure," he said, noting that companies "who roll their own encryption" almost always have it cracked immediately. While publicly scrutinized encryption methods like AES and RSA aren't perfect, they are always better than something "one or two guys" came up with, he said.
Medtronic issued a press release Aug. 9 assuring customers there are no valid security issues with the pumps. Having his research dismissed as being "just one guy" was "very disconcerting" and a worrying indicator of how the company is reacting to his findings, Radcliffe said during the press conference. Considering he handled the disclosure "ethically" by withholding certain details during his talk and offering to cooperate fully with the company, he had expected "an ethical response," said Radcliffe.
"We talk about ethical disclosure, but we don't really talk about ethical response," Radcliffe said, noting that companies should respond back to the researcher in a timely manner, cooperate with government agencies, honestly disclose the problem to the public and work on a comprehensive resolution to the issues. According to him, Medtronic failed on all levels.
Medtronic is treating Radcliffe's research as a "marketing problem and not a security problem," Marc Maiffret, CTO of eEye Digital Security, told eWEEK. "This is what Microsoft would have done 10 years ago," he said. The reaction is actually not so unusual, as many companies that haven't dealt with security issues before try to "shift the blame to the researcher" or dismiss the findings as nothing important "almost 99 percent of the time," Maiffret said.
As the information gets more publicized and customers start saying something needs to be done to fix the problem, that's when the company eventually comes around, according to Maiffret. "You will see that the company will actually fix it in time," he said.
Reps. Anna G. Eshoo, D-Calif., and Edward J. Markey, D-Mass., sent a letter to the Government Accountability Office on Aug. 15 to request a review of how the Federal Communications Commission ensures medical devices with wireless capabilities are "safe, reliable and secure." The congressional letter adds to the pressure on the company, Maiffret said. One of the best things one can do is to create public pressure to get the company to respond, he said.
Security researchers are beginning to look at "non-desktop and non-servers" to ensure these devices are secure, Maiffret said. Most of these devices have no security at all, and while no one really cares about a "novelty" item like the refrigerator hooked up to the Internet, it's a problem if the computer in the car that handles parallel parking is not secure, he said. With computers becoming more prevalent in our day-to-day lives, it is imperative that they be scrutinized for their security. It is a "safety issue," Maiffret said.