"At some point the hackers will kill a person without touching him." Billy Rios has been warning about this for years. Now the American security researcher and his business partner Jonathan Butts have shown what it can look like.
Rios has been hacking medical technology for years. As early as 2015 he discovered that several models of Hospira infusion pumps used in hospitals around the world could be reprogrammed remotely to deliver extreme doses of medication to patients.
In 2018, at the Black Hat IT security conference in Las Vegas, Rios and Butts warned about vulnerabilities in Medtronic pacemaker systems; what troubled them was the way the software is updated. It would allow an attacker to load pacemakers with malware, which could potentially lead to life-threatening malfunctions.
The manufacturer does not want to issue an update
At the same time, Rios and Butts also discovered gaps in some insulin pumps for people with diabetes, likewise made by Medtronic. The affected product lines are MiniMed and MiniMed Paradigm.
The Department of Homeland Security even issued a warning. Among other things, however, it stated: "Medtronic will not develop a product update to address vulnerabilities." The company considered the attack scenario too far-fetched and the risk acceptable. Rios and Butts disagreed, as "Wired" reported.
Above all, they consider the remote controls for the insulin pumps dangerous. They look like modern car keys and allow, for example, caregivers to control insulin delivery on their patients' pumps. But the communication between the remote and the pump is unencrypted and can be read relatively easily, as the security researchers discovered.
They managed to program a transmitter that works on the right frequency and passes itself off as a legitimate remote for the insulin pump. The researchers in turn control this transmitter from an app they developed themselves.
Delivering insulin or blocking delivery at will, which would be life-threatening, is still not quite that simple. To address a particular pump, they would need to know its serial number, although the app can simply try all possible numbers. In addition, the transmitter's range is limited, probably to only a few meters even with an amplifier. And by default the pumps beep when triggered, so patients who have not switched that off would hear it if somebody remotely triggered a few doses.
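The weakness the article describes is that the serial number is the only thing the pump checks before obeying a remote, and a serial number is neither secret nor hard to enumerate. The following added example, which is not from the article or from Medtronic and models no real device protocol, contrasts a toy pump that accepts any frame carrying its serial with one that requires a per-device authentication tag and a monotonic counter. The frame layout, command codes, key handling and serial value are all constructed for illustration.

```python
"""Toy model of an unauthenticated vs. authenticated pump remote-control link.

Constructed example: the frame layout, commands and key sizes here are
assumptions for illustration, not a reconstruction of any real device protocol.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

CMD_BOLUS = 0x01    # deliver a dose (dose given in tenths of a unit)
CMD_SUSPEND = 0x02  # halt delivery

TAG_LEN = 16            # truncated HMAC-SHA256 tag
LEGACY_FMT = ">IBH"     # serial, command, dose
AUTH_FMT = ">IBHI"      # serial, command, dose, counter


@dataclass
class PumpState:
    serial: int
    units_delivered: float = 0.0
    suspended: bool = False

    def execute(self, cmd: int, units_tenths: int) -> bool:
        if cmd == CMD_BOLUS:
            self.units_delivered += units_tenths / 10
            return True
        if cmd == CMD_SUSPEND:
            self.suspended = True
            return True
        return False


class LegacyPump(PumpState):
    """Accepts any frame that carries the pump's serial number: the serial is the
    only thing checked, so anyone who knows or guesses it can issue commands."""

    def receive(self, frame: bytes) -> bool:
        if len(frame) != struct.calcsize(LEGACY_FMT):
            return False
        serial, cmd, units_tenths = struct.unpack(LEGACY_FMT, frame)
        if serial != self.serial:
            return False
        return self.execute(cmd, units_tenths)


def legacy_frame(serial: int, cmd: int, units_tenths: int = 0) -> bytes:
    return struct.pack(LEGACY_FMT, serial, cmd, units_tenths)


class AuthenticatedPump(PumpState):
    """Requires a MAC under a key shared only with the paired remote, plus a
    strictly increasing counter so a captured frame cannot be replayed."""

    def __init__(self, serial: int, key: bytes):
        super().__init__(serial)
        self.key = key
        self.last_counter = -1

    def receive(self, frame: bytes) -> bool:
        body_len = struct.calcsize(AUTH_FMT)
        if len(frame) != body_len + TAG_LEN:
            return False
        body, tag = frame[:body_len], frame[body_len:]
        serial, cmd, units_tenths, counter = struct.unpack(AUTH_FMT, body)
        if serial != self.serial:
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False    # forged or tampered frame: wrong or missing key
        if counter <= self.last_counter:
            return False    # replay of a previously accepted frame
        self.last_counter = counter
        return self.execute(cmd, units_tenths)


class PairedRemote:
    """Legitimate remote holding the shared key and its own send counter."""

    def __init__(self, serial: int, key: bytes):
        self.serial = serial
        self.key = key
        self.counter = 0

    def build(self, cmd: int, units_tenths: int = 0) -> bytes:
        self.counter += 1
        body = struct.pack(AUTH_FMT, self.serial, cmd, units_tenths, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


def unkeyed_frame(serial: int, cmd: int, units_tenths: int, counter: int) -> bytes:
    """Frame from a party that knows the serial but not the key (tag is all zero)."""
    body = struct.pack(AUTH_FMT, serial, cmd, units_tenths, counter)
    return body + bytes(TAG_LEN)


def demo(serial: int = 123456) -> dict:
    """Constructed serial and pairing secret; returns which frames each pump obeyed."""
    key = hashlib.sha256(b"constructed pairing secret").digest()
    legacy = LegacyPump(serial)
    hardened = AuthenticatedPump(serial, key)
    remote = PairedRemote(serial, key)
    genuine = remote.build(CMD_BOLUS, 25)
    return {
        "legacy_accepts_serial_only": legacy.receive(legacy_frame(serial, CMD_BOLUS, 25)),
        "legacy_units": legacy.units_delivered,
        "hardened_accepts_genuine": hardened.receive(genuine),
        "hardened_rejects_replay": not hardened.receive(genuine),
        "hardened_rejects_unkeyed": not hardened.receive(unkeyed_frame(serial, CMD_BOLUS, 25, 99)),
        "hardened_units": hardened.units_delivered,
    }
```

The legacy pump delivers the dose as soon as the serial matches, which is exactly why trying every serial number is enough. The hardened pump accepts the paired remote's frame once, rejects the identical frame when it is sent again, and rejects a frame with the correct serial but no valid tag; the serial is still in the frame, but it no longer acts as the authenticator.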
But as a proof of concept for the FDA, the US Food and Drug Administration, it was good enough. One week after the demonstration, and almost a year after the disclosure, Medtronic announced a "voluntary exchange program." According to the FDA, this is the result of a comprehensive risk analysis carried out by the agency and the manufacturer, incorporating the findings of several researchers, including Rios and Butts.
According to the agency, "many" insulin pumps susceptible to the method described by Rios and Butts are in use worldwide. According to Medtronic, there are about 4,000 devices in the US. In "some countries" the company now offers to replace the old model with a new one.