
by Shannon Morse, Threatwire 

On Thursday (June 27, 2019), the Food and Drug Administration issued a news release on its website warning about Medtronic insulin pumps. These are small computerized devices that deliver insulin to patients throughout the day in specific doses. People with certain types of diabetes depend on them to maintain acceptable blood glucose levels.

A vulnerability in the pumps raises cybersecurity concerns with potentially life-threatening consequences. The FDA warned that the affected pumps are the Medtronic MiniMed 508 and the MiniMed Paradigm series. Roughly 4,000 patients in the US use these models, and Medtronic has issued a recall while it works to identify more affected patients. Medtronic is providing alternatives that include enhanced built-in security capabilities. The company cannot adequately fix the legacy pumps with a software patch or update, so the FDA is helping to ensure patients get the newer, more secure device they need.

The wireless communication between the pump and other devices such as glucose meters, monitoring systems, remote controllers and CareLink USB devices has a vulnerability that could allow an attacker to connect to the pump wirelessly and change its settings. The attack, tracked as CVE-2019-10964, would need to happen locally, within wireless range of the pump, but could lead to life-threatening conditions: hypoglycemia if extra insulin is delivered, or hyperglycemia and diabetic ketoacidosis if insulin delivery is cut off. According to the US-CERT advisory, the pumps' wireless RF communication protocol does not properly implement authentication or authorization, so an attacker with adjacent access to one of the affected models can inject, replay, modify and/or intercept data.
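To make the "inject, replay, modify" part concrete, here is an added toy model of a command channel with no authentication next to one that carries a per-device key, a monotonic counter and a MAC. This is example code written for this post, not Medtronic's protocol, and the frame layout, the MiniMed command set and the key value are all constructed assumptions; it only shows why a channel without authentication cannot tell a legitimate remote from a nearby attacker, and what the newer devices' "built-in security capabilities" have to provide.

```python
"""Toy RF command channel: unauthenticated vs authenticated (HMAC + counter).

Constructed example, not Medtronic's protocol. A "bolus" frame carries a
dose in tenths of a unit; the authenticated variant adds a 32-bit counter
and a 16-byte HMAC-SHA256 tag under a key shared by pump and remote.
"""
import hashlib
import hmac
import struct

# Constructed sample key (assumption): a real device would provision a
# unique key per pump/remote pair during pairing.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

TAG_LEN = 16


class UnauthenticatedPump:
    """Accepts any well-formed frame: there is nothing to check."""

    def __init__(self):
        self.delivered_units = 0.0

    def receive(self, frame):
        (units_tenths,) = struct.unpack(">H", frame[:2])
        self.delivered_units += units_tenths / 10.0
        return True


def build_plain_bolus(units):
    """What a legitimate remote sends; an attacker can send it just as well."""
    return struct.pack(">H", int(units * 10))


class AuthenticatedRemote:
    def __init__(self, key):
        self.key = key
        self.counter = 0  # never reused; pump rejects anything not strictly newer

    def build_bolus(self, units):
        self.counter += 1
        body = struct.pack(">HI", int(units * 10), self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class AuthenticatedPump:
    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.delivered_units = 0.0

    def receive(self, frame):
        if len(frame) != 6 + TAG_LEN:
            return False
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # injected or modified frame: MAC does not verify
        units_tenths, counter = struct.unpack(">HI", body)
        if counter <= self.last_counter:
            return False  # replayed frame: counter already seen
        self.last_counter = counter
        self.delivered_units += units_tenths / 10.0
        return True


def demo():
    """Run both channels against the same three attacks; return what each accepted."""
    results = {}

    # 1. No authentication: replay and injection both succeed.
    pump = UnauthenticatedPump()
    legit = build_plain_bolus(1.5)
    pump.receive(legit)                     # the patient's own 1.5 U bolus
    pump.receive(legit)                     # attacker replays the captured frame
    pump.receive(build_plain_bolus(25.0))   # attacker injects a 25 U bolus
    results["unauth_delivered"] = pump.delivered_units  # 28.0 U instead of 1.5

    # 2. Keyed MAC plus counter: only the genuine frame is accepted once.
    remote = AuthenticatedRemote(DEVICE_KEY)
    pump2 = AuthenticatedPump(DEVICE_KEY)
    frame = remote.build_bolus(1.5)
    results["auth_legit"] = pump2.receive(frame)          # True
    results["auth_replay"] = pump2.receive(frame)         # False: counter reused
    tampered = bytearray(frame)
    tampered[0:2] = struct.pack(">H", 250)                # change dose to 25 U
    results["auth_modified"] = pump2.receive(bytes(tampered))  # False: MAC fails
    rogue = AuthenticatedRemote(b"attacker-does-not-know-key")
    results["auth_injected"] = pump2.receive(rogue.build_bolus(25.0))  # False
    results["auth_delivered"] = pump2.delivered_units     # 1.5
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would add. The MAC and counter give integrity and replay protection, not confidentiality: an eavesdropper can still intercept and read doses unless the frames are also encrypted. And the fix depends on every pump and remote holding a key the attacker cannot obtain, which is exactly the kind of change that cannot be delivered to a fielded device by a software update alone, which is why the page's remedy is a hardware replacement rather than a patch.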

In the meantime, Medtronic advises patients to keep their pump serial number secret, not to connect to third-party devices, and to keep the pump within their control at all times. Unfortunately, Medtronic's lack of cybersecurity planning for its legacy devices comes at a cost to consumers: none of the replacements are free. Insurance may cover a replacement, but out-of-pocket costs or a deductible may apply. A refurbished unit of the newer, more secure MiniMed 670G costs almost $400, and if you don't return the legacy pump, you are charged $3,200. Given the cost, many of the vulnerable devices will likely remain in use, which will continue to put those patients' lives at risk.

The FDA says it is not aware of any confirmed reports of patient harm related to this vulnerability, but the flaw is still rated high severity.

Links:
Support me on alternative platforms! https://snubsie.com/support

https://www.youtube.com/shannonmorse  --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire

Insulin Pumps Flaw:

https://www.fda.gov/news-events/press-announcements/fda-warns-patients-and-health-care-providers-about-potential-cybersecurity-concerns-certain

https://threatpost.com/fda-warns-of-potentially-fatal-flaws-in-medtronic-insulin-pumps/146109/

https://www.medtronicdiabetes.com/customer-support/product-and-service-updates/notice11-letter

https://www.cyberscoop.com/fda-urges-patients-ditch-vulnerable-insulin-pumps-built-medtronic/

https://www.us-cert.gov/ics/advisories/icsma-19-178-01

https://info.medtronicdiabetes.com/legacyexchange
