Black Hat Hacker Says Insulin Pump Maker Medtronic Belittles Security Flaw
At the Black Hat security conference earlier this month in Las Vegas, a security researcher stood on stage and demonstrated how a malicious third party could transmit wireless commands to remotely disable his insulin pump.
During his Aug. 4 demonstration, Jerome Radcliffe declined to disclose the name of the manufacturer who made his pump and the technical details of how he hacked the insulin pump. He said the pump's communications were not properly protected or encrypted and planned to work with the company to address the lack of security in these devices. After three weeks of not getting anywhere, he disclosed the pump maker during a press conference on Aug. 25.
Medtronic is one of the world's biggest medical device companies and makes many other kinds of medical hardware besides insulin pumps, such as pacemakers and defibrillators. A Medtronic engineer who had attended Radcliffe's presentation at Black Hat received a copy of the presentation and detailed information about the research. When Radcliffe followed up by email three days later, the engineer did not reply, he said.
While disclosing the name of the manufacturer and the model numbers of the affected Paradigm pumps-512, 522, 712 and 722-may increase the risk of attacks on patients with diabetes, Radcliffe said the risks to individual users remain very low. Patients using Medtronic pumps should "not freak out" and should keep using the pump, as it will take some time for a malicious perpetrator to figure out his techniques. However, they should demand that the company be more upfront about what it is doing to make the devices more secure and keep abreast of what the company does down the road with the devices, Radcliffe recommended.
The problems he found all centered on the fact that the pump will accept commands from any source and execute them. There is no way for the pump to identify which commands come from a trusted system and which are malicious. With his technique, it is possible to program a special remote control to command strangers' pumps to dispense the wrong dose of insulin, which could have fatal consequences if diabetics are given too little or too much.
Medtronic's new CEO Omar Ishrak was asked about hacking and medical device security at the company's annual shareholder meeting Aug. 25. He said it's something the company "takes very seriously," but that hacking occurred only in "controlled settings."
Radcliffe pointed out that just because it hasn't been attacked before doesn't mean it will never be attacked. He also took exception to the claim that Medtronic takes information security seriously, since the wireless communications are not encrypted, nor are there any passwords or authentication in place. All an attacker needs is the device's serial number, and Medtronic itself provides to every patient all the equipment he used.
Not all medical devices have this problem. Radcliffe was unable to decode the signals sent from his glucose monitor sensor and found that some pump manufacturers use Secure Sockets Layer (SSL) certificates to secure communications. Medtronic claims to use proprietary encryption protocols, which Radcliffe dismissed as ineffective.
"Security by obscurity is always a failure," he said, noting that companies "who roll their own encryption" almost always have it cracked immediately. While publicly scrutinized encryption methods like AES and RSA aren't perfect, they are always better than something "one or two guys "came up with, he said.
Medtronic issued a press release Aug. 9 assuring customers there are no valid security issues with the pumps. Having his research dismissed as being "just one guy" was "very disconcerting" and a worrying indicator of how the company is reacting to his findings, Radcliffe said during the press conference. Considering he handled the disclosure "ethically" by withholding certain details during his talk and offering to cooperate fully with the company, he had expected "an ethical response," said Radcliffe.
"We talk about ethical disclosure, but we don't really talk about ethical response," Radcliffe said, noting that companies should respond back to the researcher in a timely manner, cooperate with government agencies, honestly disclose the problem to the public and work on a comprehensive resolution to the issues. According to him, Medtronic failed on all levels.
Medtronic is treating Radcliffe's research as a "marketing problem and not a security problem," Marc Maiffret, CTO of eEye Digital Security, told eWEEK. "This is what Microsoft would have done 10 years ago," he said. The reaction is actually not so unusual, as many companies that haven't dealt with security issues before try to "shift the blame to the researcher" or dismiss the findings as nothing important "almost 99 percent of the time," Maiffret said.
As the information gets more publicized and customers start saying something needs to be done to fix the problem, that's when the company eventually comes around, according to Maiffret. "You will see that the company will actually fix it in time," he said.
Reps. Anna G Eshoo, D-Calif., and Edward J Markey, D-Mass., sent a letter to the Government Accountability Office on Aug. 15 to request a review of how the Federal Communications Commission ensures medical devices with wireless capabilities are "safe, reliable and secure." The congressional letter adds to the pressure on the company, Maiffret said. One of the best things one can do is to create public pressure to get the company to respond, he said.
researchers are beginning to look at "non-desktop and non-servers" to
ensure these devices are secure, Maiffret said. Most of these devices have no
security at all, and while no one really cares about a "novelty" item
like the refrigerator hooked up to the Internet, it's a problem if the computer
in the car that handles parallel parking is not secure, he said. With computers
becoming more prevalent in our day-to-day lives, it is imperative that they be
scrutinized for their security. It is a "safety issue," Maiffret