Using a HackRF SDR to Withhold Treatment from an Insulin Pump

A MiniMed Insulin Pump

Recently Ars Technica ran a story about how, during this August's Black Hat security conference, researchers Billy Rios and Jonathan Butts revealed that a HackRF software defined radio could be used to withhold a scheduled dose of insulin from a Medtronic Insulin Pump. An insulin pump is a device that attaches to the body of a diabetic person and delivers short bursts of insulin throughout the day. The Medtronic Insulin Pump has a wireless remote control function that can be exploited with the HackRF. About the exploit MiniMed wrote in response:

In May 2018, an external security researcher notified Medtronic of a potential security vulnerability with the MiniMed™ Paradigm™ family of insulin pumps and corresponding remote controller. We assessed the vulnerability and today issued an advisory, which was reviewed and approved by the FDA, ICS-CERT and Whitescope.

This vulnerability impacts only the subset of users who use a remote controller to deliver the Easy Bolus™ to their insulin pump. In the advisory, as well as through notifications to healthcare professionals and patients, we communicate some precautions that users of the remote controller can take to minimize risk and protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, Medtronic has already taken several concrete actions to enhance device security and will continue to make significant investments to improve device security protection.

In addition to this wireless hack, they also revealed issues with Medtronic's pacemaker: they found that they could hack it via compromised programming hardware and cause it to deliver incorrect shock treatments.

Earlier in the year we also posted about how an RTL-SDR could be used to sniff RF data packets from a MiniMed insulin pump using the rtlmm software, and back in 2016 we posted about how data could be sniffed from an implanted defibrillator.

FlakeScrews

This is the same flavor of RF exploit that the late (SK) Barnaby Jack was going to discuss at DEFCON but died days before his presentation. https://www.rt.com/usa/hacker-pacemaker-barnaby-jack-639/
It is absolutely vital that such vulnerabilities are made public (after responsible disclosure) so that policies change and designs improve. Thank you, RTL-SDR.com, for sharing this.

FlakeScrews

Dude… the hackrf transmits… are you new here?

Anon

The image associated with this article is a new MiniMed pump (likely a 670G) while the vulnerability is reported to be in the older Paradigm line of pumps. There’s an optional “remote” that can be used by nurses or other caregivers to administer insulin without disrupting the wearer. In situations where the patient may have cognitive impairments (dementia, Alzheimer’s, etc.) the controls on the pump can be disabled and the remote used to administer insulin instead to prevent inaccurate dosing. There isn’t quite enough information in the article, but I believe this remote is the attack vector used here. These older pumps are well known to have vulnerabilities which are exploited by the diabetic community to create more advanced therapy solutions. They operate on the 433 MHz ISM band using a proprietary protocol and ship with a USB transceiver (CareLink) that can be used to control it. The protocol has been reverse engineered and the devices are secured with a simple 4 digit hex code which is easily brute forced. These researchers appear to be using a HackRF in place of the CareLink transceiver, which is a great advancement as I believe they’re no longer manufactured.

I’m a ham and a diabetic that has used both the Paradigm line of pumps as well as the 670G pictured. I follow these events with great anticipation. MiniMed makes a great pump, but they’re really bad at software.

Timmy

From the official website “HackRF One from Great Scott Gadgets is a Software Defined Radio peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz” maybe next time spend a minute to check facts.

If you know how to read a schematic ( https://github.com/mossmann/hackrf/blob/master/doc/hardware/hackrf-one-schematic.pdf ) it is easy to see that the RF section is half-duplex, everything else is not. If you do not understand schematics then you can always read the FAQ – https://github.com/mossmann/hackrf/wiki/FAQ#half-duplex-full-duplex

Draven Harris

Correct me if I’m wrong John, but the HackRF model of SDR has full duplex mode, which would allow for simultaneously transmitting and receiving. I believe they did specify which model of SDR in the title of the article.