A Million Boluses: Discovery and Disclosure of Vulnerabilities in an Insulin Pump

Hacking medical devices and cybersecurity in public health is the
subject of recent discussions [1]. The Federal Office for Information
Security (BSI) aims to improve transparent communication regarding
cybersecurity risks of networked medical devices [2]. To this end, the
BSI initiated the project ManiMed – Manipulation of Medical Devices to
facilitate a trustful communication and cooperation between
manufacturers, security researchers, and authorities. This study targets
the current cybersecurity state of smart and connected medical devices
[3,4] and illustrates what kind of questions the medical device industry
is facing by making their devices smart.
This article focuses on security vulnerabilities identified in the DANA
Diabecare RS insulin pump to illustrate what kind of questions the
medical device industry faces by making their devices smart. The
exemplifying vulnerabilities affected the pump's proprietary, Bluetooth
Low Energy (BLE)-based communication and affected patient safety.

Methods

The assessment of medical devices is highly specialized and individual
in terms of the device's medical use case, present interfaces, used
technologies and assumptions to its environment [5]. The device was
assessed following a black-box approach. The proprietary communication
protocol built on top of Bluetooth Low Energy (BLE) was
reverse-engineered using the manufacturer's Android and iOS applications
and captures of the communication between the pump and its mobile apps
using elementary BLE prototyping hardware. In the scope of the
assessment were applied cryptography, Man-in-the-Middle attacks,
eavesdropping of the communication, as well as the authentication and
pairing process.
A coordinated vulnerability disclosure process (CVD) was initiated to
keep the smart medical device on the market while ensuring that it no
longer poses a threat to patient safety. The disclosure deadline was set
with the constraint that measures must not harm the therapeutic purpose
of the medical device. The Federal Institute for Drugs and Medical
Devices (BfArM), as the national authority for vigilance in Germany, was
notified and involved.

Results

During the security assessment, client-side controls, weak generation of
encryption keys, improper verification of the pump's identity, missing
replay protection, the insecure transmission of cryptographic keys, and
an overall weak authentication mechanism were identified. By hijacking
the pump, an attacker can administer insulin boluses remotely, causing
severe patient harm [6].
The coordinated vulnerability disclosure (CVD) process was extended and
lasted several months until a patch was rolled out to patients with a
new pump firmware and major mobile application upgrades. The
manufacturer released security advisories in the forms of a Field Safety
Notice (FSN)
[7]. A Medical Advisory (ICSMA) as well as CVEs were published by the
Cybersecurity and Infrastructure Security Agency (CISA) [8].

Conclusion

This example demonstrates that mature processes for handling
cybersecurity vulnerabilities with safety impact on active medical
devices are not yet common among all medical device manufacturers, even
though recognized procedures [9, 10] based on pervasive community
knowledge are in place.

References

[1] Newman L. These Hackers Made an App That Kills to Prove a Point.
WIRED. 2019 [Accessed 15 July 2020]. Available from:
https://www.wired.com/story/medtronic-insulin-pump-hack-app/.
[2] Federal Office for Information Security (BSI). Report on the State
of IT Security in Germany 2019. 2019 [Accessed 15 July 2020]. Available
from:
https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html.
[3] Federal Office for Information Security (BSI). Medizintechnik. 2019
[Accessed 15 July 2020]. Available from:
https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Projekte/Projekte_node.html.
[4] SPECTARIS Deutscher Industriebverband für Optik, Photonik, Analysen-
und Medizintechnik e.V. Die deutsche Medizintechnik-Industrie: SPECTARIS
Jahrbuch 2019/2020. 2019 [Accessed 15 July 2020]. Available from:
https://www.spectaris.de/fileadmin/Content/Medizintechnik/Zahlen-Fakten-Publikationen/SPECTARIS_Jahrbuch_2019-2020.pdf.
[5] German Federal Office for Information Security (BSI). Cyber Security
Requirements for Network-Connected Medical Devices. 2018 [Accessed 15
July 2020]. Available from:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/Medical_Devices_CS-E_132.pdf?__blob=publicationFile&v=2.
[6] Suleder J, Kauer B, Emmerich N, Pavlidis R. ERNW Whitepaper 69:
Safety Impact of Vulnerabilities in Insulin Pumps. In Press.
[7] Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM).
Dringende Sicherheitsinformation zu Insulinpumpe DANA Diabecare
RS;mobilen Anwendung AnyDANA von SOOIL Development Co. Ltd. 2020
[Accessed 15 July 2020]. Available from:
https://www.bfarm.de/SharedDocs/Kundeninfos/DE/07/2020/17203-19_kundeninfo_de.pdf.
[8] Cybersecurity and Infrastructure Security Agency (CISA). ICS Medical
Advisory (ICSMA-20-XXX-XX) – SOOIL DANA Diabecare RS. In Press.
[9] Food and Drug Administration (FDA). Postmarket Management of
Cybersecurity in Medical Devices. 2016 [Accessed 15 July 2020].
Available from:
https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices.
[10] The European Commission. MDCG 2019-16 - Guidance on Cybersecurity
for medical devices. 2019 [Accessed 15 July 2020]. Available from:
https://ec.europa.eu/docsroom/documents/41863.

Slido

Julian Suleder

Julian Suleder is a Security Analyst & Researcher at ERNW Research GmbH
in Heidelberg, Germany. His research interest is the security of medical
devices as he holds a master’s degree in medical informatics from
Heidelberg University and Heilbronn University, Germany. Besides IT
security, he enjoys researching in the special interest group Consumer
Health Informatics (CHI) of the German Association for Medical
Informatics, Biometry, and Epidemiology (GMDS).