The Internet of Things has introduced security issues to hundreds of devices that previously were off-limits to hackers, turning innocuous appliances like refrigerators and toasters into gateways for data theft and spying. But most alarmingly, the Internet of Things has created a whole new set of security vulnerabilities with life-threatening risks. We're talking about the cars and, particularly, medical devices that are now in the sights of hackers—including drug infusion pumps, pacemakers, and other critical hospital equipment.
Now a California medical doctor is teaming up with technologists and patients to develop a new technical standard to secure insulin pumps used by diabetics. The standard, expected to be completed by July, could become a model to help secure other medical equipment in the future—especially because, in an unconventional move, the doctor is collaborating with patients who tinker with their own medical devices.
Dr. David Klonoff, an endocrinologist and medical director of the Diabetes Research Institute at the Mills-Peninsula Health Services facility, became concerned for the safety of his patients after reading stories about security researchers like Jay Radcliffe who found vulnerabilities in his own insulin pump in 2012. The vulnerabilities would allow a hacker to manipulate the dosage and deliver too much insulin, causing a patient's blood sugar to plummet and lead him to potentially fall into a diabetic coma or die. "Right now there is no [security] standard for any medical device," Klonoff notes. "As health-care professionals, we all want to see our patients have safe equipment and not be at risk."
Klonoff wants to find a way to secure insulin pumps to shut out nefarious hackers while still letting patients hack their own pumps for better performance.
Creating a security standard for insulin pumps, however, comes with a caveat: it has to consider the needs of a special group of do-it-yourself patients and technologists who use an existing vulnerability in current insulin pumps to hack their devices and produce better, personalized results.
The diabetes community has a heightened interest in their medical equipment that exceeds that of other patient communities. Klonoff says his committee wants to embrace that rather than discount it. "We have to keep in mind the tradeoff between wanting security and maintaining usability ... and make it possible that a do-it-yourselfer can still do some things with their device," he says. "If we make the standard too tight ... a lot of patients will complain, 'Now I can't use my device.' There is always going to be this tradeoff."
Related Stories
Submitted via IRC for SoyCow3941
About 350,000 implantable defilibrators are up for a firmware update, to address potentially life-threatening vulnerabilities.
Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices. The update will strengthen the devices' protection against unauthorized access, as the provider said in a statement on its website: "It is intended to prevent anyone other than your doctor from changing your device settings."
The patch is part a planned series of updates that began with pacemakers, programmers and remote monitoring systems in 2017, following 2016 claims by researchers that the then-St. Jude's cardiac implant ecosystem was rife with cybersecurity flaws that could result in "catastrophic results."
Source: https://threatpost.com/abbott-addresses-life-threatening-flaw-in-a-half-million-pacemakers/131709/
Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Submitted via IRC for SoyCow1984
Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday.
At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients.
Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.
Related: A Doctor Trying to Save Medical Devices from Hackers
Security Researcher Hacks Her Own Pacemaker
Updated: University of Michigan Says Flaws That MedSec Reported Aren't That Serious
Fatal Flaws in Ten Pacemakers Make for Denial of Life Attacks
After Lawsuits and Denial, Pacemaker Vendor Finally Admits its Product is Hackable
8,000 Vulnerabilities Found in Software to Manage Cardiac Devices
465,000 US Patients Told That Their Pacemaker Needs a Firmware Upgrade
Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers
(Score: 5, Insightful) by GreatAuntAnesthesia on Monday November 30 2015, @10:50AM
How about not connecting shit up to the internet unless you have a really good reason to do so?
Presumably these pumps are installed at least partially outside the body. Stick micro-USB jack on the external portion of the pump, and make it so you can only alter the pump's operation by plugging in. Stick a password on it if you're really paranoid, but if a nefarious party has sufficient physical access that s/he can plug you into his laptop then you're pretty much fucked anyway.
(Score: 3, Insightful) by Runaway1956 on Monday November 30 2015, @11:06AM
Collectively, we are idiots. We want EVERYTHING to be internet connected - and there's not one good reason why it should be.
(Score: 0) by Anonymous Coward on Monday November 30 2015, @01:19PM
Its not so much that we want everything on the broader internet, but that we want everything to talk TCP/IP because that in turn reduce wiring and equipment costs. But as TCP/IP is inherently routable, the traffic can easily jump "gaps" and get onto the wider net. Or the net can leak into places that didn't seem connected at first glance.
(Score: 2) by LoRdTAW on Monday November 30 2015, @01:27PM
I get why we want to connect everything: convenience. But I also understand why we should not: security.
Technology is supposed to make our lives better. From sci-fi to futurist tech giants, we have been promised an easier, more fulfilling life if we let machines do the dirty work. But we forgot about security and that we don't live in a utopia. One day we may, but it's a long hard road.
As for USB and air-gapping: stuxnet.
(Score: 1) by Bobs on Monday November 30 2015, @04:00PM
FYI: Why it is important.
There are 3 main reasons for access / external communication:
1) Ideally the insulin pump communicates with the device monitoring the blood sugar levels and automatically reacts by calculating the appropriate dosage.
The goal is A) continuous blood glucose monitoring and B) continuous blood glucose adjustments via the pump. Right now those system communicate via Bluetooth (not the Internet) and that opens a channel for hacking.
2) Ideally you want to get the data out of the pump and glucose monitor to A) the doctor, B) a user-friendly device for the patient to see what is going on. This would be a phone, tablet or computer. The pump and glucose monitor are made as small as possible to maximize convenience and simplify operation but that makes it better to view data on a system with a larger display.
3) Ideally you have an external system (like a phone) where you can enter food / meal data before eating which then tells the insulin pump the amount insulin that will be required, so the pump 'automatically' knows the proper amount of insulin to deliver with user intervention.
So there are compelling reasons to have the insulin pump communicate externally and this opens security holes. Except when passing data to the doctor this does not involve using the Internet.
Make sense?
(Score: 2) by bart9h on Monday November 30 2015, @04:15PM
Makes sense to have them to communicate, but not over the internet.
Bluetooth seems a good choice between the devices.
To get the data to your doctor (the only reason to involve the internet), your phone (or other device) could be used, not the pump itself.
What should be pursued is better bluetooth security.
(Score: 1, Interesting) by Anonymous Coward on Monday November 30 2015, @06:12PM
Or, ya know... Just setup an ssh tunnel between the glucose monitor/insulin pump and the control device.
Of course, what they don't even mention is there is STILL a chord attached from your stomach to the actual insulin pump: https://www.medtronic-diabetes.com.au/sites/default/files/medtronic_tummy-new-pump.jpg [medtronic-diabetes.com.au]
The only chord we're loosing is to the 2nd device that is the monitor. Why not combine the monitor and the pump? The chord is required to send insulin from the pump itself to the injection unit. Integrate a usb chord along with that.
As a diabetic, I will NEVER use one of these devices for as long as I live. I do not own a smart phone. I will never own a smart phone.
I spend 10+ hrs/day programming on 2 24" monitors. I have diabetic macula degeneration. A smart phone is useless to me as I am unable to read it. Do these dimwits even consider their target audience?
Plus, there's no way I am using a smart phone to control my insulin. My glucose monitor and my syringe and my glass vial of insulin never crashes, never needs to be rebooted, and never fucking locks up when too many ads pop up.
They can take their "technology for the sake of technology" and stuff it.
(Score: 0) by Anonymous Coward on Monday November 30 2015, @09:41PM
I spend 10+ hrs/day programming on 2 24" monitors. I have diabetic macula degeneration. A smart phone is useless to me as I am unable to read it. Do these dimwits even consider their target audience?
Yes, yes they do. You are not it.
(Score: 2) by el_oscuro on Monday November 30 2015, @11:23PM
I'm a type 1 sliding scale, and have never used a pump. I'll monitor and manage it myself thank you. It is pretty hard to hack a needle. Even a pump not connected to the internet can malfunction.
Even the test meters are a problem. In the old days, the strips changed color and could be read without a meter. Now it is all digital and the meters can fuck up too. A one-touch meter once gave me a reading of 120 followed immediately by a reading of 370. That shit will kill you too if you are on a sliding scale like me. It is for that reason that I have meters from 3 different manufacturers. So if I get an unexpected reading, I can test with the other brands to make sure it is reasonably accurate.
SoylentNews is Bacon! [nueskes.com]
(Score: 1, Insightful) by Anonymous Coward on Monday November 30 2015, @01:26PM
> Creating a security standard for insulin pumps, however, comes with a caveat: it has to consider the needs of a special group of do-it-yourself patients and technologists who use an existing vulnerability in current insulin pumps to hack their devices and produce better, personalized results.
I wish someone would think like this relative to cars. I'd sure like to add an ABS-off switch to my car for use when on deformable surfaces (snow, slush, gravel) where ABS isn't the right thing. Or the ability to re-program the electric power steering--I happen to like heavier steering forces/torques, closer to manual steering. It could be nice to change the map for throttle pedal gain too--many calibrations include the stupid "tip-in" that makes a car feel "powerful" when you first drive it...because the first bit of pedal travel is nonlinear and gives a lot of engine output.
(Score: 0) by Anonymous Coward on Monday November 30 2015, @05:41PM
I found the infamous Toyota (2003 corolla) annoying for the opposite reason:
The pedal would initially travel a lot with little engine response.
After while the car would say: "oh! you want performance!" and switch out of fuel-saving mode.
This causes the revs to jump, and if you are not paying attention, can cause a (low speed) crash.
The behavior is eerily similar to the unintended acceleration they had a recall over.
Hmm, on second thought, I may be describing the exact same problem if the pedal has travel not registered by the computer.
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @02:12AM
> I wish someone would think like this relative to cars. I'd sure like to add an ABS-off switch to my car for use when on deformable surfaces (snow, slush, gravel) where ABS isn't the right thing.
What is "the right thing?" Because the design requirements for ABS are to help you maintain control when braking and that works great on deformable surfaces.
Q: Do cars with ABS stop more quickly than cars without?
A: ABS is designed to help the driver maintain control of the vehicle during emergency braking situations, not make the car stop more quickly. ABS may shorten stopping distances on wet or slippery roads and many systems will shorten stopping distances on dry roads. On very soft surfaces, such as loose gravel or unpacked snow, an ABS system may actually lengthen stopping distances. In wet or slippery conditions, you should still make sure you drive carefully, always keep a safe distance behind the vehicle in front of you, and maintain a speed consistent with the road conditions.
http://www.nhtsa.gov/cars/problems/equipment/absbrakes.html [nhtsa.gov]
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @02:48AM
The way to slow down on deformable surfaces is to lock the wheels long enough that a "wedge" of material (snow, gravel) builds up in front of the tires. If you need to steer, then you take your foot off the brake pedal and do some steering, then lock the brakes again to slow down some more. Before ABS we were taught to pump the brakes like this on slippery surfaces and in this case the on-off times are adjusted to let the wedge of material slow the car down.
ABS (in my experience) locks-unlocks too quickly for a decent sized wedge to build up. On slush (around freezing), I've had my foot hard on the brakes and felt the ABS cycling...and not slowed down at all for a hundred feet (30 m) or more...enough time/distance to slide completely across an intersection at ~20 mph, even though I started braking early. This has happened several times in different company cars that I drove frequently.
My two current cars came without ABS (2001 and 2003 model years). When/if I have a newer car with ABS, I'll probably pull the fuse for winter driving.
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @04:39AM
> The way to slow down on deformable surfaces is to lock the wheels long enough that a "wedge" of material (snow, gravel) builds up in front of the tires.
Yes, that is correct. But as the NHTSA says, stopping/slowing as fast as possible is not the intent of ABS.
> Before ABS we were taught to pump the brakes
And now we have ABS to pump it 10 times a second and give much better control to anyone who doesn't have race-car driver skills.
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @04:54AM
> Yes, that is correct. But as the NHTSA says, stopping/slowing as fast as possible is not the intent of ABS.
And this may explain why ABS has been a wash (in the accident statistics) in terms of reducing accidents? Sometimes you just want to slow down and don't need to do much steering, so ABS can be a liability. Other times, it's possible to steer and miss whatever was in front of you (if you have had some accident avoidance practice this is much easier). ABS helps in some cases and not in others. Roughly balances out, at least in USA stats.
On the other hand, stability control has shown to improve the stats, thus made mandatory.
(Score: 0) by Anonymous Coward on Monday November 30 2015, @03:01PM
damnit! now who the hell dragged this into the spotlight?
now the whole OPs "healthier living" is falling through!
what about all the time invested in finding and cataloging all the factory machinery vulnerabilities making factory food that has too much salt and sugar and whatnot and which were to be hit overnight to only churn out healthy (maybe not so tasty) food the next morning?
not to forget releasing all the locks to caged chicken and pig farms? ^_^
(Score: 2) by hendrikboom on Monday November 30 2015, @06:37PM
Not too mention the modified fats, about which practically no research has been done to assure long-term safety. The modified fats are there primarily because it's different chemical process than hydrogenation, so no one has gotten around to regulating them. Transfats, of course were invented to replace the more natural saturated fats, but the transfats turned out to be a worse health hazard than the saturated fats they replaced.
Look at the ingredient lists on the food that you buy at the grocery store and see how many foods contain modified fats or transfats. Avoiding them severely restricts you shopping.
-- hendrik
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @03:17PM
Remote cook? I'm luvin' it ^_^
(Score: 3, Funny) by Gravis on Monday November 30 2015, @06:40PM
at first i thought the title was "The Doctor Trying to Save Medical Devices from Hackers" which resulted in a serious letdown when i realized it was just an actual medical doctor. *sigh*
(Score: 3, Insightful) by darkfeline on Tuesday December 01 2015, @02:03AM
This is basically the global variable problem:
Global variables (Internet connected/[public IP) makes things convenient: you don't have to worry about the hard work and good design that goes into properly partitioning everything into its own area of responsibility, but it makes side effects a huge pain in the ass. Anyone can come and finger your variable, causing all hell to break loose.
Before, it was "NEVER USE GLOBAL VARIABLES", now, it should be "NEVER ATTACH A DEVICE TO AN INTERNET CONNECTED IP". Because really, there are few cases where a device needs to sit directly in the Internet and not behind a firewall or two (assuming you NEED Internet functionality in the first place, of course).
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @02:16AM
Dick Cheney actually had the wireless access to his pacemaker disabled. [washingtonpost.com] Wirelessly hacking the VP's pacemaker was used as a plot-point in one of the early seasons of Homeland. They do a pretty good job of getting obscure tech facts into their storylines. Too bad they are much more slack about the bigger picture stuff.