Tagged: medical

Using a HackRF SDR to Withhold Treatment from an Insulin Pump

A MiniMed Insulin Pump

Recently Arstechnica ran a story about how during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and deliveries short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMedTM Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

In addition to this wireless hack they also revealed issues with Medtronic's pacemaker, where they found that they could hack it via compromised programming hardware, and cause it to deliver incorrect shock treatments.

Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a Minimed Insulin pump using the rtlmm software, and back in 2016 we posted how data could be sniffed from an implanted defibrillator.

Sniffing MiniMed Insulin Pump RF Packets with an RTL-SDR

A MiniMed Insulin Pump with wireless meter

Over on GitHub we've just seen the release of a program called rtlmm made by user ps2 which decodes MiniMed RF packets with an RTL-SDR. We weren't entirely such what MiniMed was, but from Googling the name it appears that it is a product by a company called Medtronic who sell medical equipment such as portable automatic insulin pumps and glucose monitors for diabetic patients. These products have RF telemetry links that transmit to a meter which can receives data and forwards it to your phone via Bluetooth LE. Sniffing the telemetry from these sensors could allow you to build up your own data without the need of the meter.

Rtlmm was inspired by a similar program called rtlomni which is a program released a few months ago and made by F5OEO. rtlomni works with Omnipod diabetes insulin pumps and monitors which are similar products to MiniMeds offerings.

Receiving and Decoding Data from an Esophageal Monitor Inside the Body

Blogger Dolske has recently posted about how he was able to receive and decode signals coming from inside his body. The signals originated from a Bravo Ph Esophageal monitor which is a small wireless sensor that is attached inside your body by a doctor. It is used to monitor pH levels within the body to help diagnose esophageal problems such as acid reflux. The monitor remains in the body for a number of days continually sending data to an external monitoring device which records and logs the pH data.

Bravo pH Esophageal Monitor
Bravo pH Esophageal Monitor

Using his RTL-SDR, Dolse was able to capture the wireless monitors signal using information he found about the monitor online. He found that the monitor used amplitude-shift keying and transmitted at 433.92 MHz. After capturing some signals with the RTL-SDR, he looked at the captured waveform in Audacity and was able to decode a few packets by hand. Finally, he went even further and wrote a Firefox browser based decoder which decodes and displays the pH data on screen.

Web Interface for Showing Decoded pH data from the Esophageal monitor.
Web Interface for Showing Decoded pH data from the Esophageal monitor.