Ultra Intelligence & Communications

Hackers can steal your life savings – and now your life

August 28th, 2019 / By

In late June, the FDA issued a warning that certain models of the Medtronic MiniMed insulin pumps could be vulnerable to attackers. The pump has wireless capability to exchange information with blood glucose meters, continuous glucose monitoring systems, and the remote controller and CareLink USB device that can be attached to a computer to control the MiniMed's settings. Because of that connectivity, it is possible for an attacker to gain access to the pump and change its settings: increasing insulin delivery, which can bring on a hypoglycemic event, or halting it, which leads to high blood sugar and diabetic ketoacidosis (a buildup of acids called ketones in the blood). If left untreated, either condition can lead to serious harm and can even be fatal.

This is not the first security incident involving Medtronic devices. The company has a history of insulin pump flaws: in 2011, researchers disclosed a separate wireless vulnerability in now-discontinued pump models. And as recently as March 2019, Medtronic issued an alert after Dutch researchers uncovered security vulnerabilities in the Conexus wireless protocol used by a wide range of the company's implantable cardiac devices and the home monitors and programmers that communicate with them. It is disappointing that researchers keep finding flaws in vital medical devices, but these incidents also draw attention to how Medtronic has handled wireless security across many of its critical products: a weakness that is all too common at companies that have placed cost savings over security assurance.

The weak point in the MiniMed system is the wireless link that lets the pump exchange information with blood glucose meters, glucose monitoring systems and the remote controller. That link is not Wi-Fi: the affected pumps use a proprietary radio protocol that does not properly authenticate the devices talking to it, so anyone within radio range with the right equipment can send the pump commands. It is worth comparing this with KRACK (key reinstallation attacks), the best-known wireless protocol flaw of recent years. KRACK was disclosed in 2017 and posed a threat to every device using WPA2-protected Wi-Fi, because it exploits the protocol itself rather than a specific product or implementation. KRACK targets the third message of the four-way handshake performed when a client joins a protected network. If the access point does not receive the client's acknowledgement (message 4), it retransmits message 3; an attacker who blocks message 4 and replays message 3 can make the client reinstall the same session key and reset its packet number (the nonce) to zero. The cipher then reuses keystream it has already used, which lets the attacker decrypt and replay frames and, on the worst-affected clients, install an all-zero key.
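To make the message-3 mechanics concrete, here is an added illustration of the key-reinstallation flaw. It is not code from the original article, from Medtronic or from 3eTI, and it models Wi-Fi KRACK, not the MiniMed's proprietary radio protocol. It assumes a stand-in cipher (HMAC-SHA256 in counter mode in place of AES-CCMP); the Client class, run_attack, and the two sample frames are constructed for the demonstration.

```python
"""Toy model of the KRACK key-reinstallation flaw (added illustration)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample frames.  The first frame of many sessions is predictable,
# which is what gives the attacker a known plaintext to work with.
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.1\r\n"
SECRET_PLAINTEXT = b"Cookie: session=9f2c1a7e\r\n"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i).
    Stand-in for AES-CCMP; any stream-mode cipher shares the property used
    below: the same key and the same nonce produce the same keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce.to_bytes(6, "big") + block.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Wi-Fi client state reduced to the installed key and the per-frame nonce
    (the 802.11 packet number).  reinstall_on_retransmit=True models the
    pre-patch behaviour: every message 3 reinstalls the key and resets the
    nonce to zero.  The patched behaviour ignores message 3 once a key is in use."""

    def __init__(self, reinstall_on_retransmit: bool) -> None:
        self.reinstall_on_retransmit = reinstall_on_retransmit
        self.ptk: Optional[bytes] = None
        self.nonce = 0

    def receive_message3(self, ptk: bytes) -> bool:
        """Return True if the key was (re)installed."""
        if self.ptk is not None and not self.reinstall_on_retransmit:
            return False  # already installed: drop the retransmitted message 3
        self.ptk = ptk
        self.nonce = 0  # the reset that KRACK abuses
        return True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the current nonce, then advance the nonce."""
        assert self.ptk is not None, "no key installed"
        n = self.nonce
        self.nonce += 1
        return n, xor(plaintext, keystream(self.ptk, n, len(plaintext)))


def run_attack(vulnerable_client: bool) -> Dict[str, object]:
    """Replay message 3 against a client and try to recover a later frame.

    The attacker never learns the session key (ptk).  It blocks the client's
    message 4 so the access point retransmits message 3, and it knows the
    plaintext of the client's first frame.  If the nonce is reused, XORing the
    two ciphertexts cancels the keystream and leaves p1 XOR p2."""
    ptk = os.urandom(32)                       # constructed session key
    client = Client(reinstall_on_retransmit=vulnerable_client)

    client.receive_message3(ptk)               # genuine message 3
    n1, c1 = client.send(KNOWN_PLAINTEXT)
    client.receive_message3(ptk)               # attacker replays message 3
    n2, c2 = client.send(SECRET_PLAINTEXT)

    recovered = xor(xor(c1, c2), KNOWN_PLAINTEXT) if n1 == n2 else None
    return {"nonce_reused": n1 == n2, "recovered": recovered}


if __name__ == "__main__":
    for label, flag in (("unpatched", True), ("patched", False)):
        result = run_attack(flag)
        print(f"{label}: nonce reused={result['nonce_reused']}, "
              f"recovered={result['recovered']!r}")
```

Run with the unpatched client and the second frame is recovered byte for byte without the key; with the patched client the nonce keeps counting and the XOR trick yields nothing. The real fix had the same shape as the patched branch: once a key is installed, a client must never reinstall it or reset its packet number. Which frames an attacker can then forge, rather than only decrypt and replay, depends on the cipher suite in use, but the nonce reuse shown here is the common root.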

KRACK was identified by security researchers before any significant exploitation was observed in the wild, and operating system and firmware vendors quickly released patches. Installing those patches was vital, but a patch only helps if the device's software can actually be updated: a wireless stack baked into a device with no update mechanism stays vulnerable for the life of the device.

A flaw like KRACK is used to read sensitive data sent over the network, such as login credentials or card numbers, or to mount man-in-the-middle attacks that serve the victim a fake website or inject malicious code into a legitimate one. Those attacks cause real harm, but in the case of a MiniMed pump the result of an unauthenticated wireless command could be fatal. The MiniMed vulnerability is not exploitable over the internet; the attacker has to be near the device and needs specialized equipment and skills. But because the affected pumps were not designed with security in mind and Medtronic cannot adequately update or patch them, the only remedy is to replace them, and that is the reason for the recall.

Situations like this are mitigated or avoided entirely with Ultra Electronics, 3eTI WiFiProtect products. WiFiProtect products are kept current with patches for the latest CVEs, and the Common Criteria (CC) and Federal Information Processing Standards (FIPS) 140-2 Level 2 certification processes give high assurance that their security functions are implemented correctly. Obtaining these certifications is lengthy and expensive, and a government-certified product costs more up front, but what would it cost your business to go without one? It is true that no attacks on the Medtronic insulin pumps have been reported, but how much liability would the company have incurred had a fatality resulted from its lack of attention to cybersecurity? The company is currently recalling the flawed units, but is it replacing them with units that have military-grade cybersecurity? The FDA is right to recall the Medtronic MiniMed, but it should also ensure that the company adheres to a higher standard of cybersecurity, like that supported by Ultra Electronics, 3eTI.