(Dana RS) + (#WeAreNotWaiting) = Risk or Reward?

Like @Thomas I would be very leery about medical devices and remote operation. Why? Well medical device companies are good at making lifesaving medical devices. They are terrible at ancillary things like device security. When looking back on my experience helping to create training for a wireless connection to a pacemaker, I was in a bunch of meetings and went around the world as part of a team to do testing. We were very concerned about usability, and not concerned at all about security.

3 Likes

BlueBorne is a severe issue because of its extreme reach. Almost any device that hasn’t been patched and has Bluetooth turned on can be compromised by the attacking device from a distance of up to 32 feet.

The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. It doesn’t require the vulnerable device to do anything other than just having Bluetooth on.

4 Likes

Interesting consensus… :)

1 Like

Pretty much perfectly divided!

I am surprised by who ended up on which side :)

It doesn’t surprise me that most parents voted yes. They could benefit a lot from remotely controlled pumps.

1 Like

I have to say I was confused by the question a bit.

As a parent, I would use the remote SMS bolus feature on AndroidAPS for my son. BUT as a PWD I would not because I don’t need someone on the internet micromanaging my diabetes.

But - would I use an APS on an Android phone? - you bet.

In case you didn’t know - AndroidAPS has a feature where you can bolus by SMS (text message). There is some basic security built in, like only allowing bolusing from a certain phone number.

1 Like

I have seen too many bad hacks and intrusions. Most are not publicized until such point as legally mandated. At my organization we have recently had two very serious intrusions - neither of which were publicized.
I could not justify the risk of exposing the controls of a pump to the internet.
IMHO the only protection would be from the lack of desire on the part of the entire hacking community.

2 Likes

IMHO the only protection would be from the lack of desire on the part of the entire hacking community.

This is somewhat true as well. At least part of my sense of security comes from knowing I’m a boring, not-remotely powerful, anonymous person with a small child who is of no interest to anyone, and that hacking into my son’s insulin pump is just not high priority for a hacker… what would anyone possibly have to gain?? Of course there are crazy and malicious people everywhere, but to me this is in the realm of thinking someone may randomly try to bite my ear off as I walk across the street. It could happen but it’s not something I spend too much time worrying about.

4 Likes

Some crackers (non-ethical hackers) don’t hack for tangible gain, they just hack to prove they can do it. These days with the advent of script kiddies, you don’t even really need to be a coder… so lots of script kiddies (and full-fledged crackers) hack with tools developed by someone else just because of the challenge.

1 Like

I don’t know about the rest of it, but you are not boring!
;)

1 Like

Is it just my display or did the poll results vanish?

1 Like

Mine did too :(

The A1c poll results are also cleared out.

OK then it is a version issue. I’ll raise Discourse.

[EDIT] just started a Discourse ticket

1 Like

OK, they just deployed a fix – it works again. Discourse is a great company!

3 Likes

Given the number of people here who are worried about attempted hacking of insulin pumps, it might be helpful to hear from a hacker. Has anyone had any practical experience?

It seems to me that any concentrated attack against a Bluetooth device could succeed, but how and why would any hacker bother against a mobile target? It’s been suggested for the fun of it, but one of the issues for a hacker is keeping within range of the device whilst conducting the attack. Secondly at around 1 in 100 of the population and fewer on pumps - far less in the UK - it would be hard to target pumps.

My Medtronic 640G comms have apparently recently been cracked by Jesus Berian and results sent to Nightscout - after two years’ work at home on his own device.

The importance of this and of remote control generally is that it allows software running on a phone to control the pump, getting glucose levels from a connected sensor, and bolussing accordingly.

I can’t wait.

2 Likes

Hi @jrussell88 ,
Welcome to FUD! Are you in the UK? We will have to get you properly introduced and put you on our map.

On the current omnipod, with the comms in the process of being broken, there is a theoretical possibility of someone being able to do something malicious. But it would take a lot of effort. I’ve been told, there are much easier ways to kill me.

Without knowing the pod’s ID, you would need a parabolic antenna to pick up the very limited range of communication from the PDM to the person’s pod. Then you’d need to be able to impersonate the PDM with that ID and send a command to the pod.

Do you know where they are going to be? Are you randomly walking around with your parabolic antenna hoping to find someone on omnipod? And they gotta stay in range for you to be able to intercept and also impersonate.

In theory, yes it is possible. But good luck with that attack. Much easier ways to do evil. I won’t list them here. ;)

On the new omnipod system coming out, it will use Bluetooth. That would probably make the attack more difficult. Hard to say without seeing it.

Anyway, welcome here. Introduce yourself on the welcome-introduce-yourself-here page.

2 Likes

I can think of an awful lot of more simple and effective ways to harm someone than hacking their insulin pump… wouldn’t be high on my list of concerns.

2 Likes