1. "This is a key fob that looks like a car alarm beeper that some pump users use to discreetly give themselves insulin doses. However, I feel the need to point out as a pump wearer myself that:
Not every Insulin Pump has a remote control feature.
Not every remote-controllable insulin pump has that feature turned on. Mine does not, for example."
2. "all he requires to perpetrate the hack is the target pump's serial number. This is like saying "I can open your garage door with a 3rd party garage door opener. Just give me the numbers off the side of your unit..."
3. If you are a diabetic on a pump who is concerned about this kind of thing, my suggestion is to turn off your pump's remote control feature (which is likely off anyway) and turn off your sensor radio when you are not wearing your CGM. Most of all, don't panic. Call the manufacturer and express your concern. In my experience, pump manufacturers do not mess around with this stuff. I'm not overly concerned.
"Do we know how much entropy is in those? They could very well be sequential or date derived."
Even if entropy is low, how are you going to randomly select a person and know their serial ID? Unless you know what units are distributed to what hospitals/doctors, at exact times, in exact shipments, and then from the sample delivered know the exact unit given to any person at any particular time.
Sure, if you know a "set of IDs" you could try each one sequentially until you finally get a hit, but even then you must somehow ensure the person being targeted has remote connection turned on. I'm pretty sure walking up to them and saying "oh, hai 'dere! ... plz turn on ur remotz connetz'n 4 me?" [said in this voice: http://www.youtube.com/watch?v=xh_9QhRzJEs] is going to make them pretty suspicious.
There's a lot of "ifs" in there and frankly, if your aim was to kill them, it would be a lot faster to do it some other way, because to actually get all these things to line up perfectly... your chances are pretty slim.
"how are you going to randomly select a person, and know their serial ID ? "
You are missing the point: if the entropy is sufficiently low then it is feasible to guess.
Besides, presumably if you want to kill a particular person, you might know a bit about them.
Anyway, the thing with low-entropy serial numbers is that it could potentially be feasible to just create a device that runs through all of them in a matter of a couple of minutes or so. For example, you could check Google News to get a guesstimate of approximately when a high-profile politician had one of these installed. If this is a friend or family member then that step just gets even easier. If part of the serial number is a year/month combo (a common way to do it) and the rest is sequential, then it will be pretty easy to figure out. Are there easier ways? Sure, I imagine so. A hands-off wireless approach certainly is appealing though, isn't it? Probably worth at least trying before you move on to more hands-on techniques.
"it would be a lot faster to do it some other way "
If you are taking the time to plan out a homicide, which is going to be more important: doing it fast, or doing it so you don't get caught?
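The year/month-plus-sequential scenario above, and the "how much entropy is in those?" question it answers, reduce to arithmetic that is easy to get wrong by hand. The following is an added example written for this page; it is not code from the thread, from the researcher or from any pump vendor. The serial format and the sample serials are constructed for illustration and do not correspond to any real device: two-letter model code, YYMM manufacture month, six-digit sequence number. Per-position Shannon entropy over a handful of observed serials is enough to expose that structure, and once the format is known the attacker's search space is months-in-window times units-per-month, not ten to the twelfth.

```python
import math
from collections import Counter

# Constructed sample of serials in a made-up format (not any real vendor's):
# two-letter model code, YYMM manufacture month, six-digit sequence number.
SAMPLE_SERIALS = [
    "PM1103000412", "PM1103000413", "PM1103000415", "PM1104000981",
    "PM1104000990", "PM1105001207", "PM1105001210", "PM1106001533",
    "PM1106001540", "PM1107001877",
]


def position_entropy(serials):
    """Shannon entropy (bits) of the character at each position across the sample.
    Positions that never change, such as a model code or a leading '0', score 0,
    which is how a date-derived or padded field shows up in a small sample."""
    n = len(serials)
    bits = []
    for i in range(len(serials[0])):
        counts = Counter(s[i] for s in serials)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits


def naive_entropy_bits(serials):
    """Sum of per-position entropies. This is an upper bound only: positions
    are correlated (the sequence number grows with the month), so the true
    entropy is lower still. Twelve random decimal digits would carry ~40 bits."""
    return sum(position_entropy(serials))


def structured_guess_bits(months_window, units_per_month):
    """Search space, in bits, for an attacker who knows the format: the model
    code is fixed, the manufacture month lies somewhere in a window of
    `months_window` months (guessed from when the target got the pump), and
    at most `units_per_month` sequence numbers are used per month."""
    return math.log2(months_window * units_per_month)


def enumeration_seconds(bits, tries_per_second):
    """Worst-case time to sweep a 2**bits space, trying serials over the air at
    `tries_per_second` (bounded by the radio round-trip, not by CPU speed)."""
    return 2 ** bits / tries_per_second


if __name__ == "__main__":
    print("per-position bits:", [round(b, 2) for b in position_entropy(SAMPLE_SERIALS)])
    print("naive upper bound:", round(naive_entropy_bits(SAMPLE_SERIALS), 2), "bits")
    bits = structured_guess_bits(months_window=12, units_per_month=2000)
    print("known-format search space:", round(bits, 2), "bits")
    for rate in (1, 10, 100):
        print(f"  at {rate} tries/s: {enumeration_seconds(bits, rate) / 60:.1f} minutes worst case")
```

For the toy sample the per-position bound comes out around ten bits, against roughly forty for twelve random digits. With the format known, a twelve-month window and 2,000 units a month is about 14.6 bits, i.e. 24,000 candidates: forty minutes at ten tries per second, four minutes at a hundred. Whether the radio link allows anything like a hundred tries a second is the real question, and the thread does not settle it.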
"You are missing the point, if the entropy is sufficiently low then it is feasible to guess."
Not really. If entropy is low in a lot of things, it's feasible to implement a disaster scenario. Wireless systems across lots of things are not encrypted, and so the same logic applies.
"you might know a bit about them"
Well, you really 'would' have to know 'a lot' about them if these devices had high entropy. Which, if a person was indeed killed by this method, an autopsy would show as either a spike or a lapse in delivery of insulin. Such a lapse would immediately lead to an investigation as to why the unit did not respond.
The evidentiary burden then progresses.
I'm not disagreeing with you on the seriousness of the discovery. I just think that these devices live in a nano-constrained world. Implementing increased data encryption increases cost, power usage and the like; it's a difficult balance. Now that this has world attention, even 'basic' encryption is really useless, since even it could be hammered.
So do you implement serious encryption, but in doing so reduce the utility of the device so that it lacks the means to do what it is designed to do: deliver insulin?
On the basis of the huge number of "ifs" involved, I'm not convinced.
"Well, you really 'would' have to know 'a lot' about them if these devices had high entropy."
That is why I'm asking what kind of entropy the serial numbers have...
"Which, if a person was indeed killed by this method, an autopsy would show as either a spike or a lapse in delivery of insulin. Such a lapse would immediately lead to an investigation as to why the unit did not respond."
I'm confused how that is related to the entropy of the serial numbers.
I would think that protection (on the pump side) against the user sitting on the remote or the remote going haywire (e.g. rate limiting dosages) would prevent any fatalities.
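The pump-side protection suggested above (rate limiting dosages so that a sat-on remote, a haywire remote or a forged command cannot deliver a fatal amount) is the kind of check that works regardless of how the command arrived. Here is an added example of such a guard, written for this page and not taken from the thread or from any pump's firmware. The limits are hypothetical numbers chosen for illustration; on a real device they are per-patient clinical settings. The guard bounds the worst case: however many commands an attacker sends, delivery in any window is capped.

```python
from collections import deque

# Hypothetical limits for illustration only; a real pump's limits are
# clinical, per-patient settings, not these numbers.
MAX_SINGLE_BOLUS_UNITS = 10.0
MAX_WINDOW_UNITS = 20.0
WINDOW_SECONDS = 3 * 3600
MAX_COMMANDS_PER_WINDOW = 5


class DoseGuard:
    """Pump-side sanity check applied to every delivery command, no matter
    where it came from (the remote, a stuck button, or a forged radio message).
    Rejected requests are never delivered; accepted ones are recorded so the
    cumulative limit holds across the sliding window."""

    def __init__(self, max_single=MAX_SINGLE_BOLUS_UNITS, max_window=MAX_WINDOW_UNITS,
                 window_seconds=WINDOW_SECONDS, max_commands=MAX_COMMANDS_PER_WINDOW):
        self.max_single = max_single
        self.max_window = max_window
        self.window_seconds = window_seconds
        self.max_commands = max_commands
        self.history = deque()   # (timestamp, units) of accepted doses
        self.delivered = 0.0     # total units actually delivered

    def _prune(self, now):
        # Drop accepted doses that have aged out of the window.
        while self.history and now - self.history[0][0] > self.window_seconds:
            self.history.popleft()

    def request(self, units, now):
        """Return (accepted, reason). Only accepted requests are delivered."""
        if not units > 0:
            return False, "non-positive dose"
        if units > self.max_single:
            return False, "exceeds single-dose limit"
        self._prune(now)
        if len(self.history) >= self.max_commands:
            return False, "too many commands in window"
        in_window = sum(u for _, u in self.history)
        if in_window + units > self.max_window:
            return False, "exceeds cumulative limit for window"
        self.history.append((now, units))
        self.delivered += units
        return True, "ok"


def simulate_burst(guard, units, count, start=0.0, interval=1.0):
    """Model an attacker (or a stuck remote) firing `count` identical dose
    commands `interval` seconds apart; return how many the pump accepted."""
    return sum(1 for i in range(count)
               if guard.request(units, start + i * interval)[0])


if __name__ == "__main__":
    guard = DoseGuard()
    print("single 50 U request:", guard.request(50.0, 0.0))
    accepted = simulate_burst(guard, 5.0, count=50)
    print(f"burst of 50 x 5 U: {accepted} accepted, {guard.delivered} U delivered")
```

Fifty forged five-unit commands a second apart deliver twenty units, not two hundred and fifty, and a single fifty-unit command is refused outright. The caveat is that the guard only limits damage to whatever the configured ceilings allow; if those ceilings are themselves dangerous for the patient, or the attacker can also change them over the air, it is no substitute for authenticating the commands.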
Let's say you find out how to make planes safer. You can cut fatalities in half or something. And let's say doing that will drive up the cost of air travel by $100/ticket. Well, you did a good job and saved X lives, but you ended up killing X+k people that stopped flying planes and started driving cars. So you did a good thing, you made planes safer and then you ended up killing people. It would be great if somehow every time planes got safer we made cars more expensive, but I don't know how that would work.
Anyway, for some reason I thought about that reading this article and I figured how tremendously interesting risk-management must be in the medical device industry for the same types of reasons.
If it was, you run the risk of paramedics/different hospital not being able to get the key when you have some sort of critical incident, and need to adjust it. Or some super-secure nation (world?)-wide system that you can authenticate against and get the key for. (choke splutter) Given the state of most EPRs, you'd be lucky if your own doctor knew what the code was after a week or two.
This is for wireless communication to/from the device and not operating it from the control panel. For critical incidents paramedics would use their own tools (glucometer & needle).
Hmm. Would the alternative method still be stable if someone had deliberately altered the internal pump to deliver in random, high-dosage spurts (or whatever else that would be hard to counter)? Of course, it starts getting a whole lot less stealthy then.
Would paramedics/a well-equipped ambulance ever go as far as trying to disable an internal pump before reaching the hospital?
Edit: Also, what's the difference between the 'control panel' and the 'wireless [controller]'? My understanding was it was entirely implanted, with no external connections (and even recharged via induction loop, or surgical replacement). If that's the case, then all comms are, by necessity, wireless. NFC control might mitigate the threat a little, at least from a range perspective, but I can't see where there could otherwise be a difference.
Most definitely. If the patient's presentation suggests hypoglycemia, it isn't uncommon for a medic to test the glucose level with their machine and administer oral glucose (D50 IV if obtunded) without even getting to a detailed physical that would reveal the implanted pump/monitor. If an amp of D50 failed to raise the blood sugar, then we'd start hunting for other causes like exogenous insulin overdose.
But how secure would that be? It's security through obscurity.
> Ultimately, these wireless control devices must simply be built with the assumption that hackers will eventually break in.
> In the case of the insulin pump, it should contain hardware-level sanity checking.
DRM is one thing, an encrypted wireless protocol is another. Think using WPA with user- or factory-settable keys to talk between the base/elements (I'm not sure how insulin pumps work).
Yes. Tell me the algorithm you use and the bits from your decryption key, and we can decrypt everything.
By the same token, the lock on your door is security by obscurity. Tell me the type of lock and the position of the 5 pins, and you're in. Take 5 seconds to communicate that over the phone, if you know what you're talking about.
The phrase "security through obscurity" is a term of art that is defined such that secrecy of private key material does not count. By definition, you are incorrect.
Now, if your security relies upon the attacker not knowing your encryption scheme, then yes. That is security through obscurity.
To expound slightly on burgerbrain's comment, this phrase is universally used to refer to schemes whose security relies critically on the suppression of information about the system. The term simply does not apply to strong encryption with configurable keys.
The term doesn't apply to door locks either, at least not in practice. If I were forever prevented from changing the locks on my house, then yes my security would depend critically on you never knowing about the key. In practice though, I can change the locks at will, and this is an effective remedy against the persistent threat posed by the release of the key.
A good example of security through obscurity is the CSS system used on DVDs, which was designed such that once the key was discovered, the system became forever and irretrievably broken.
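The distinction the last few comments draw (a public algorithm with a per-device key that can be changed is not obscurity; CSS, which died when its key leaked, was) is easiest to see in code. Below is an added example written for this page; it is not the thread's code, the researcher's, or any manufacturer's protocol, and the wire format, serial and key are constructed. Because the threat under discussion is a forged dose command rather than an eavesdropped glucose reading, it authenticates commands with HMAC-SHA256 instead of encrypting them; that is this example's choice, not something the thread specifies. An attacker who knows the serial, the format and the algorithm is rejected without the key; a captured genuine command cannot be replayed because of the counter; and rotating the key is the remedy if it leaks.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length

# Constructed demo values. A real device key would come from provisioning,
# never from a constant in the firmware.
DEMO_SERIAL = "PM1105001207"
DEMO_KEY = bytes(range(32))


def _encode(serial, counter, units_tenths):
    """Hypothetical wire format: 1-byte serial length, serial, u32 counter,
    u16 dose in tenths of a unit. The serial is in the clear; it is an
    address, not a secret."""
    s = serial.encode("ascii")
    return struct.pack(">B", len(s)) + s + struct.pack(">IH", counter, units_tenths)


class Remote:
    """Handheld remote: holds the device key and a counter that only goes up."""

    def __init__(self, serial, key):
        self.serial, self.key, self.counter = serial, key, 0

    def bolus(self, units_tenths):
        self.counter += 1
        body = _encode(self.serial, self.counter, units_tenths)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class Pump:
    """Pump side: accept a command only if the tag verifies under the device
    key and the counter is strictly newer than the last accepted one."""

    def __init__(self, serial, key):
        self.serial, self.key = serial, key
        self.last_counter = 0
        self.delivered_tenths = []

    def rotate_key(self, new_key):
        # The remedy for a leaked key: swap it. Nothing about the algorithm
        # or the format has to change, which is why this is not obscurity.
        self.key = new_key
        self.last_counter = 0

    def receive(self, msg):
        if len(msg) < 1 + 6 + TAG_LEN:
            return False, "truncated"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        n = body[0]
        if len(body) != 1 + n + 6:
            return False, "malformed"
        serial = body[1:1 + n].decode("ascii", "replace")
        counter, units_tenths = struct.unpack(">IH", body[1 + n:])
        if serial != self.serial:
            return False, "wrong device"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False, "bad tag"
        if counter <= self.last_counter:
            return False, "replayed or stale counter"
        self.last_counter = counter
        self.delivered_tenths.append(units_tenths)
        return True, "ok"


def forge(serial, counter, units_tenths, guessed_key=b"\x00" * 32):
    """Attacker who knows the serial, the wire format and the algorithm
    but has to guess the key."""
    body = _encode(serial, counter, units_tenths)
    return body + hmac.new(guessed_key, body, hashlib.sha256).digest()


if __name__ == "__main__":
    pump, remote = Pump(DEMO_SERIAL, DEMO_KEY), Remote(DEMO_SERIAL, DEMO_KEY)
    genuine = remote.bolus(15)
    print("genuine:", pump.receive(genuine))
    print("replay: ", pump.receive(genuine))
    print("forged: ", pump.receive(forge(DEMO_SERIAL, 99, 500)))
    pump.rotate_key(bytes(range(32, 64)))
    print("old remote after rotation:", pump.receive(remote.bolus(10)))
```

Note what the example does and does not claim. With the key, a forgery succeeds, exactly as the "tell me the algorithm and the key bits" comment says; that is the definition of the scheme working, not a weakness. What it does not address is the cost and power budget the earlier commenter raised, nor recovery of a pump whose key is lost, which the paramedic thread below touches on.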
Seems odd to call him a "black hat hacker" just for being at the conference. He could very well just attend all of the security-related conferences. The headline implies to me that he plans to use this exploit nefariously.
Can someone tell me why these devices have a range of more than just a few feet? The point of having a remote control is to avoid having a control cable poking through your skin. A control interface with a range of just a few inches would suffice.
There's no good way to reliably limit the range of a wireless signal like this. A sufficiently sensitive receiver will always be able to eavesdrop from a distance far greater than that in the design use-case. If we don't want the signal intercepted, the answer is stronger encryption.
That said, any potential vulnerability here appears to mostly spring from the remote control functionality, more than the remote reporting functionality. Here again, encryption is the answer.
Probably economies of scale. Various low-power RF chipsets for ISM bands with range in hundreds of feet with a simple RF matching circuit are used in many different applications and are thus surprisingly cheap. Limiting the range of that is going to induce significant additional costs (either you have to modify the antenna and its matching circuit or use completely different silicon).
Fortunately it is very difficult to pull off an attack with a medical device since you need to know the exact make and model and then find a way to exploit it.
Which then implies issues with replication and scale and consistency.
That many of the devices are different, with different UIs, different firmware, different sets of cryptic icons and different and obscure buttons.
Unfortunately, some of the underlying bugs can be common, due to code re-use; the same RT operating system might be used, for instance. Which means that the vendors might not even immediately know what's vulnerable to what.
"Fortunate" is not the word I'd use for the mess that is the medical device industry.
Why would anyone try to figure something like this out? I don't think any real hackers are going around trying to figure out how to kill people, they want money or something else of value (not to say a life doesn't have value).
Why as a community are we allowing things like this to happen, even worse, publicizing them and acting like it's 733t and impressive? If something like this happened at anything other than the 'Black Hat' security conference this wouldn't be alright.
People figure these things out because it's fun. Simple as that. It's the same motivation behind me hacking the various bits of hardware sitting around me, including a number of health-related devices. It's simple curiosity, and sometimes that leads down a path of "well, if I could do this, what could a malicious actor do?" Sometimes that answer isn't a good one.
Research like this is really important. For all we know this type of hacking may already have been used to assassinate someone.
Now that this is public there will be huge pressure on the manufacturer to secure their devices as quickly as possible. If this hadn't been released, there would have been no pressure on the manufacturer to fix it and the assassins could theoretically proceed undetected for a long time.
Scott Hanselman has a better rational breakdown of the article - http://www.hanselman.com/blog/HackersCanKillDiabeticsWithIns...