The security behind: Insulin pumps

In this week's episode, Felix delves into the security aspects of insulin pumps within the context of the Internet of Things (IoT). Insulin pumps are medical devices used by diabetics to regulate blood sugar levels, and they offer various benefits, particularly in automated insulin delivery. These wearable devices often employ Bluetooth Low Energy (BLE) and proprietary protocols for communication, sometimes connecting to cloud services and blood sugar monitors.

Felix discusses potential motivations for hacking insulin pumps, including the hypothetical scenario of using a hacked pump to inject a lethal amount of insulin or invading users’ privacy by tracking their movements. The host acknowledges the history of vulnerabilities in insulin pumps, with particular attention on the Medtronic brand, highlighting instances where vulnerabilities have been reported.

Several specific vulnerabilities are discussed. One involves clear-text communication between the pump and its wireless accessories, potentially leading to information disclosure. Another allows wireless capture and replay attacks, indicating poor authentication. Felix explores a third in which the wireless protocol lacks proper authentication, enabling unauthorized commands that could alter pump settings and insulin delivery.
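To make the replay and missing-authentication points concrete from the defender's side, here is an added example (not code from the episode, Medtronic, or any real pump protocol) of how a device-side receiver can reject both replayed and tampered command frames. The frame layout, opcode, key, and class names are all hypothetical; the key would in practice be provisioned per pairing rather than hard-coded.

```python
import hmac
import hashlib
import struct

# Hypothetical frame layout (constructed for this example):
#   4-byte big-endian counter | 1-byte opcode | 2-byte argument | 16-byte truncated HMAC-SHA256 tag
BODY_FMT = ">IBH"
BODY_LEN = struct.calcsize(BODY_FMT)   # 7
TAG_LEN = 16
FRAME_LEN = BODY_LEN + TAG_LEN         # 23


def build_frame(key: bytes, counter: int, opcode: int, arg: int) -> bytes:
    """Accessory side: serialize the command and append an HMAC tag over the body."""
    body = struct.pack(BODY_FMT, counter, opcode, arg)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class PumpReceiver:
    """Device side: accepts only frames with a valid tag and a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1   # highest counter seen so far; anything <= this is a replay
        self.accepted = []       # (opcode, arg) pairs that passed both checks

    def accept(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        counter, opcode, arg = struct.unpack(BODY_FMT, body)
        # A captured frame re-sent later carries an old counter and is dropped here.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self.accepted.append((opcode, arg))
        return "accepted"


def demo() -> list:
    """Run four frames through the receiver and return the verdicts in order."""
    key = bytes(range(32))            # constructed demo key only
    pump = PumpReceiver(key)
    frame1 = build_frame(key, 1, 0x01, 0)   # hypothetical opcode 0x01: status query
    results = [pump.accept(frame1)]          # fresh frame: accepted
    results.append(pump.accept(frame1))      # same bytes again: replay
    tampered = bytearray(frame1)
    tampered[5] ^= 0x01                      # flip a bit in the argument field
    results.append(pump.accept(bytes(tampered)))   # tag no longer matches
    results.append(pump.accept(build_frame(key, 2, 0x01, 0)))  # next counter: accepted
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two checks address the two weaknesses the episode describes separately: the tag stops anyone without the key from forging or altering a command, and the counter stops a captured frame from being re-sent. Confidentiality of the frame contents (the clear-text issue) would need encryption on top of this; an authenticated-encryption mode covers both in one step.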

Felix acknowledges Medtronic’s efforts to address vulnerabilities, but raises concerns about the time it takes to implement fixes due to the rigorous and often stifling regulatory processes in the medical device industry. Felix critiques some of the advice given to patients, as it may not be practical or effective for the average user.

The episode delves into broader IoT vulnerabilities, specifically referencing the Ripple 20 vulnerabilities and another vulnerability discovered in Thales’ secure storage module. These vulnerabilities, although not directly confirmed to impact insulin pumps, highlight the potential risks posed by insecure software libraries in IoT devices.

Felix emphasizes the importance of staying informed about security patches for insulin pumps and suggests creating Software Bills of Materials (SBOMs) to track and manage the software components within products. The host also advises seeking specialist assistance for proprietary protocols and performing thorough security audits.

In conclusion, the episode encourages listeners to prioritize medical advice over the discussion and highlights the importance of addressing security vulnerabilities to ensure the safety of IoT devices, particularly those critical to healthcare. It also underscores the significance of transparency and proactive measures in the medical device industry to mitigate potential risks.
