gms | German Medical Science

65th Annual Meeting of the German Association for Medical Informatics, Biometry and Epidemiology (GMDS), Meeting of the Central European Network (CEN: German Region, Austro-Swiss Region and Polish Region) of the International Biometric Society (IBS)

06.09. - 09.09.2020, Berlin (online conference)

Artikel

Artikel empfehlen

Hijacking an Insulin Pump: From Discovery to Disclosure

Meeting Abstract

Suche in Medline nach

  • Julian Suleder - ERNW Research GmbH, Heidelberg, Germany
  • Dina Truxius - German Federal Office for Information Security (BSI), Bonn, Germany

Deutsche Gesellschaft für Medizinische Informatik, Biometrie und Epidemiologie. 65th Annual Meeting of the German Association for Medical Informatics, Biometry and Epidemiology (GMDS), Meeting of the Central European Network (CEN: German Region, Austro-Swiss Region and Polish Region) of the International Biometric Society (IBS). Berlin, 06.-09.09.2020. Düsseldorf: German Medical Science GMS Publishing House; 2021. DocAbstr. 239

doi: 10.3205/20gmds161, urn:nbn:de:0183-20gmds1611

Veröffentlicht: 26. Februar 2021

© 2021 Suleder et al.
Dieser Artikel ist ein Open-Access-Artikel und steht unter den Lizenzbedingungen der Creative Commons Attribution 4.0 License (Namensnennung). Lizenz-Angaben siehe http://creativecommons.org/licenses/by/4.0/.

Gliederung

Text

Background: Hacking medical devices and cybersecurity in public health is the subject of recent discussions [1]. The Federal Office for Information Security (BSI) aims to improve transparent communication regarding cybersecurity risks of networked medical devices [2]. To this end, the BSI initiated the project ManiMed – Manipulation of Medical Devices to facilitate a trustful communication and cooperation between manufacturers, security researchers, and authorities. This study targets the current cybersecurity state of smart and connected medical devices [3], [4] and illustrates what kind of questions the medical device industry is facing by making their devices smart.

This article focuses on security vulnerabilities identified in the DANA Diabecare RS insulin pump to illustrate what kind of questions the medical device industry faces by making their devices smart. The exemplifying vulnerabilities affected the pump's proprietary, Bluetooth Low Energy (BLE)-based communication and affected patient safety.

Methods: The assessment of medical devices is highly specialized and individual in terms of the device's medical use case, present interfaces, used technologies and assumptions to its environment [5]. The device was assessed following a black-box approach. The proprietary communication protocol built on top of Bluetooth Low Energy (BLE) was reverse-engineered using the manufacturer's Android and iOS applications and captures of the communication between the pump and its mobile apps using elementary BLE prototyping hardware. In the scope of the assessment were applied cryptography, Man-in-the-Middle attacks, eavesdropping of the communication, as well as the authentication and pairing process.

A coordinated vulnerability disclosure process (CVD) was initiated to keep the smart medical device on the market while ensuring that it no longer poses a threat to patient safety. The disclosure deadline was set with the constraint that measures must not harm the therapeutic purpose of the medical device. The Federal Institute for Drugs and Medical Devices (BfArM), as the national authority for vigilance in Germany, was notified and involved.

Results: During the security assessment, client-side controls, weak generation of encryption keys, improper verification of the pump's identity, missing replay protection, the insecure transmission of cryptographic keys, and an overall weak authentication mechanism were identified. By hijacking the pump, an attacker can administer insulin boluses remotely, causing severe patient harm [6].

The coordinated vulnerability disclosure (CVD) process was extended and lasted several months until a patch was rolled out to patients with a new pump firmware and major mobile application upgrades. The manufacturer released security advisories in the forms of a Field Safety Notice (FSN) [7]. A Medical Advisory (ICSMA) as well as CVEs were published by the Cybersecurity and Infrastructure Security Agency (CISA) [8].

Conclusion: This example demonstrates that mature processes for handling cybersecurity vulnerabilities with safety impact on active medical devices are not yet common among all medical device manufacturers, even though recognized procedures [9], [10] based on pervasive community knowledge are in place.

The authors declare that they have no competing interests.

The authors declare that an ethics committee vote is not required.

Gliederung

References

1.
Newman L. These Hackers Made an App That Kills to Prove a Point. WIRED. 2019 [Accessed 15 July 2020]. Available from: https://www.wired.com/story/medtronic-insulin-pump-hack-app/ Externer Link
2.
Federal Office for Information Security (BSI). Report on the State of IT Security in Germany 2019. 2019 [Accessed 15 July 2020]. Available from: https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html Externer Link
3.
Federal Office for Information Security (BSI). Medizintechnik. 2019 [Accessed 15 July 2020]. Available from: https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Projekte/Projekte_node.html Externer Link
4.
SPECTARIS Deutscher Industriebverband für Optik, Photonik, Analysen- und Medizintechnik e.V. Die deutsche Medizintechnik-Industrie: SPECTARIS Jahrbuch 2019/2020. 2019 [Accessed 15 July 2020]. Available from: https://www.spectaris.de/fileadmin/Content/Medizintechnik/Zahlen-Fakten-Publikationen/SPECTARIS_Jahrbuch_2019-2020.pdf Externer Link
5.
German Federal Office for Information Security (BSI). Cyber Security Requirements for Network-Connected Medical Devices. 2018 [Accessed 15 July 2020]. Available from: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/Medical_Devices_CS-E_132.pdf?__blob=publicationFile&v=2 Externer Link
6.
Suleder J, Kauer B, Emmerich N, Pavlidis R. ERNW Whitepaper 69: Safety Impact of Vulnerabilities in Insulin Pumps. Sep 2020. Available from: https://ernw.de/en/whitepapers/issue-69.html Externer Link
7.
Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM). Dringende Sicherheitsinformation zu Insulinpumpe DANA Diabecare RS;mobilen Anwendung AnyDANA von SOOIL Development Co. Ltd. 2020 [Accessed 15 July 2020]. Available from: https://www.bfarm.de/SharedDocs/Kundeninfos/DE/07/2020/17203-19_kundeninfo_de.pdf Externer Link
8.
Cybersecurity and Infrastructure Security Agency (CISA). ICS Medical Advisory (ICSMA-21-012-01) – SOOIL DANA Diabecare RS. Jan 2021. Available from: https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01 Externer Link
9.
Food and Drug Administration (FDA). Postmarket Management of Cybersecurity in Medical Devices. 2016 [Accessed 15 July 2020]. Available from: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices Externer Link
10.
The European Commission. MDCG 2019-16 – Guidance on Cybersecurity for medical devices. 2019 [Accessed 15 July 2020]. Available from: https://ec.europa.eu/docsroom/documents/41863 Externer Link