Pump hack attack

[onlytwintip]

Hi pumpers,

Saw this in the news this morning and thought it was well worth sharing:

http://www.scmagazineus.com/black-hat-i ... le/209106/

I'm assuming this can only be done if you use a remote control with your pump or if you are using it with a CGM as these are the only reasons the pump would communicate with the outside world. Quite a scary thought though.

 

[catherinecherub]

I did report on this topic yesterday but nobody seemed interested.
viewtopic.php?f=5&t=23153

 

[onlytwintip]

Sorry, didn't see your post from yesterday.

 

[jopar]

Well it doesn't say what pump but does say wireless and not blue tooth..

Wonder what pump he's using, as well no chance of effecting my pump 150ft away? And do the americans call blue tooth wireless?

My pump remote is bluetooth, which uses a different bandwidth to other standard bluetooth equipement such as phones etc... Also the communtication distance is also very restricted to about 10ft!

But it seems that the pump he uses is wireless in line with normal wireless kit as in wireless network connections, phones etc.. Then you've you need his program and the insulin pump serial number to hack the pump..

Realistically,

How many hackers are likely to look to hack an insulin pump if they actually knew what one was! Don't forget they aren't an everyday item like a iphone etc.

And that is before you start to consider that the hacker has to have one vitual bit of information the serial number of the pump... Not an easy item/piece of information to get hold off when most pumps are attached or very close to the pumper 24/7!

 

[spideog]

Nothing to see here, move along.

It's a nerd hacker, at a nerdy hacker conference, showing that he has found some obscure vulnerability in the security of some obscure device that uses some wireless communications. He'll pass the details on to the manufacturer and there will be a slap on the wrist for one of their developers. They will fix the current versions of the pumps that they are releasing new and nothing more will be heard of it.

I'd expect they have a typo in the text of the article where they say the wireless is over 150ft, that seems to be at the extreme end of things for bluetooth and would even be pushing it for most wifi in anything less than perfect conditions. Can't see there being any insulin pump with wifi anyway, not unless it's also plugged into the mains electric or you recharge it everyday and that would kind of defeat part of the point of an insulin pump.

 

[onlytwintip]

Obviously this is not at likely to happen at all! I didn't post this in a "be careful all pumpers stay at home your life is in danger" sort of way. I just thought it was an interesting article for the pumpers out there.

 

[CR741]

My pump loses connection if the monitor is in a different room so I don't see how that would work with my pump

the hacker has to have one vitual bit of information the serial number of the pump... Not an easy item/piece of information to get hold off when most pumps are attached or very close to the pumper 24/7!

...and that is very true :mrgreen:

but it is interesing though.

 

[catherinecherub]

Obviously this is not at likely to happen at all! I didn't post this in a "be careful all pumpers stay at home your life is in danger" sort of way. I just thought it was an interesting article for the pumpers out there.

We are in this together twintip. :lol: :lol: :lol: I hate it when the messengers get shot.

 

[josie38]

Hi

I have read the article but it doesn't name a make of pump or anything like that. I am very wary about the 150fthe mentioned as like CR741 mine loses connection as well.

So now we have people randomly punching numbers into this programme and changing peoples pumps. Surely they need to know you have one first !!!!!!!

Josie

 

[silvarbullet1]

Obviously this is not at likely to happen at all! I didn't post this in a "be careful all pumpers stay at home your life is in danger" sort of way. I just thought it was an interesting article for the pumpers out there.

We are in this together twintip. :lol: :lol: :lol: I hate it when the messengers get shot.

I thought it was fascinating... You'd think in a medical device there would be basic security layers to get through. Even mobiles with Bluetooth rarely let you send a file unless you type a pin first which you have to tell your friend to put into their phone...

Anyway, it'll be another fancy assassination tool, they used to kill off secret agents with diabetes in the past by injecting insulin into them in their sleep, now they can do it remotely... :mrgreen:

 

[LittleGreyCat]

In this context I think that "wireless" is probably used in the general sense - i.e. information passed without the use of wires.

In that context, bluetooth is wireless but wireless is not necessarily bluetooth.

However all component level wireless systems should use a standard protocol which will include some form of authentication - such as the pairing of devices used by bluetooth phones and associated devices.

So either they have designed their own wireless protocol and components (unlikely but possible) or they have used off the shelf chips and someone has not made authentication mandatory in the soft/firmware.

The key phrase is "all you need is..." with no implication that the information is broadcast in a readable form over the wireless link.

However the number could be obtained by social engineering, or given the lack of authentication there may also be a lack of encryption of the serial number over the wireless link.

Anyway, a good wakeup call for the equipment suppliers but not a major source of worry for your average pump user unless you have really upset a hostile government which is now looking for a subtle and potentially untraceable assasination method

Cheers

LGC