Hijacking an Insulin Pump: From Discovery to Disclosure
Published: 26 February 2021
Background: Hacking medical devices and cybersecurity in public health are the subject of recent discussions [1]. The Federal Office for Information Security (BSI) aims to improve transparent communication regarding cybersecurity risks of networked medical devices [2]. To this end, the BSI initiated the project ManiMed – Manipulation of Medical Devices to facilitate trusting communication and cooperation between manufacturers, security researchers, and authorities. This study targets the current cybersecurity state of smart and connected medical devices [3], [4] and illustrates the kind of questions the medical device industry faces in making its devices smart.
This article focuses on security vulnerabilities identified in the DANA Diabecare RS insulin pump to illustrate the kind of questions the medical device industry faces in making its devices smart. The vulnerabilities used as examples affected the pump's proprietary, Bluetooth Low Energy (BLE)-based communication and had an impact on patient safety.
Methods: The assessment of medical devices is highly specialized and individual in terms of the device's medical use case, the interfaces present, the technologies used, and the assumptions about its environment [5]. The device was assessed following a black-box approach. The proprietary communication protocol built on top of Bluetooth Low Energy (BLE) was reverse-engineered using the manufacturer's Android and iOS applications and captures of the communication between the pump and its mobile apps, made with elementary BLE prototyping hardware. In scope of the assessment were the applied cryptography, Man-in-the-Middle attacks, eavesdropping on the communication, and the authentication and pairing process.
A coordinated vulnerability disclosure (CVD) process was initiated to keep the smart medical device on the market while ensuring that it no longer poses a threat to patient safety. The disclosure deadline was set with the constraint that measures must not harm the therapeutic purpose of the medical device. The Federal Institute for Drugs and Medical Devices (BfArM), as the national authority for vigilance in Germany, was notified and involved.
Results: During the security assessment, client-side controls, weak generation of encryption keys, improper verification of the pump's identity, missing replay protection, the insecure transmission of cryptographic keys, and an overall weak authentication mechanism were identified. By hijacking the pump, an attacker can administer insulin boluses remotely, causing severe patient harm [6].
The coordinated vulnerability disclosure (CVD) process was extended and lasted several months until a patch was rolled out to patients with a new pump firmware and major mobile application upgrades. The manufacturer released security advisories in the form of a Field Safety Notice (FSN) [7]. A Medical Advisory (ICSMA) as well as CVEs were published by the Cybersecurity and Infrastructure Security Agency (CISA) [8].
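Two of the findings listed in the Results, missing replay protection and weak authentication of commands, can be illustrated from the receiving device's side. This is an added example, not code from this abstract, the manufacturer, or the cited whitepaper, and it is not the DANA protocol: the frame layout, `seal`, `CommandReceiver`, the 16-byte tag, and the sample payload are assumptions, and the shared key is assumed to come from a secure pairing step that is out of scope here.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16  # assumption: HMAC-SHA256 truncated to fit short BLE payloads


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte big-endian counter || payload || tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class CommandReceiver:
    """Device side: accept a frame only if it is authentic and strictly newer."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0  # a real device must persist this across reboots

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None  # forged or modified frame
        (counter,) = struct.unpack(">Q", header)
        if counter <= self._last_counter:
            return None  # replayed or reordered frame
        self._last_counter = counter  # advance only after full verification
        return payload


def demo():
    key = os.urandom(32)  # OS CSPRNG, not derived from time or device identifiers
    rx = CommandReceiver(key)
    frame = seal(key, 1, b"constructed-command")  # constructed sample payload
    first = rx.accept(frame)
    replay = rx.accept(frame)  # identical bytes captured and sent again
    bad = bytearray(seal(key, 2, b"constructed-command"))
    bad[8] ^= 0x01  # flip one payload bit in transit
    tampered = rx.accept(bytes(bad))
    fresh = rx.accept(seal(key, 2, b"constructed-command"))
    return first, replay, tampered, fresh
```

The counter is bound into the authenticated data, so an eavesdropper cannot resend an old frame or renumber it without the key.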
Conclusion: This example demonstrates that mature processes for handling cybersecurity vulnerabilities with safety impact on active medical devices are not yet common among all medical device manufacturers, even though recognized procedures [9], [10] based on pervasive community knowledge are in place.
The authors declare that they have no competing interests.
The authors declare that an ethics committee vote is not required.
References
1. Newman L. These Hackers Made an App That Kills to Prove a Point. WIRED. 2019 [Accessed 15 July 2020]. Available from: https://www.wired.com/story/medtronic-insulin-pump-hack-app/
2. Federal Office for Information Security (BSI). Report on the State of IT Security in Germany 2019. 2019 [Accessed 15 July 2020]. Available from: https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html
3. Federal Office for Information Security (BSI). Medizintechnik. 2019 [Accessed 15 July 2020]. Available from: https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Projekte/Projekte_node.html
4. SPECTARIS Deutscher Industrieverband für Optik, Photonik, Analysen- und Medizintechnik e.V. Die deutsche Medizintechnik-Industrie: SPECTARIS Jahrbuch 2019/2020. 2019 [Accessed 15 July 2020]. Available from: https://www.spectaris.de/fileadmin/Content/Medizintechnik/Zahlen-Fakten-Publikationen/SPECTARIS_Jahrbuch_2019-2020.pdf
5. German Federal Office for Information Security (BSI). Cyber Security Requirements for Network-Connected Medical Devices. 2018 [Accessed 15 July 2020]. Available from: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/Medical_Devices_CS-E_132.pdf?__blob=publicationFile&v=2
6. Suleder J, Kauer B, Emmerich N, Pavlidis R. ERNW Whitepaper 69: Safety Impact of Vulnerabilities in Insulin Pumps. Sep 2020. Available from: https://ernw.de/en/whitepapers/issue-69.html
7. Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM). Dringende Sicherheitsinformation zu Insulinpumpe DANA Diabecare RS; mobilen Anwendung AnyDANA von SOOIL Development Co. Ltd. 2020 [Accessed 15 July 2020]. Available from: https://www.bfarm.de/SharedDocs/Kundeninfos/DE/07/2020/17203-19_kundeninfo_de.pdf
8. Cybersecurity and Infrastructure Security Agency (CISA). ICS Medical Advisory (ICSMA-21-012-01) – SOOIL DANA Diabecare RS. Jan 2021. Available from: https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01
9. Food and Drug Administration (FDA). Postmarket Management of Cybersecurity in Medical Devices. 2016 [Accessed 15 July 2020]. Available from: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices
10. The European Commission. MDCG 2019-16 – Guidance on Cybersecurity for medical devices. 2019 [Accessed 15 July 2020]. Available from: https://ec.europa.eu/docsroom/documents/41863