Yesterday morning, as I completed the long journey from my parking spot to my office, another more likely use of the security vulnerability in Medtronic insulin pumps occurred to me. Yes, the risks involving insulin are very real. And yes, a determined attacker could use this vulnerability to take a Medtronic owner’s life. But those chances are slim.
But nothing says this vulnerability has to be used to do mortal harm. An attacker could use it just for exploitation. And there’s enough difference that some people wouldn’t have a problem with crossing that line.
Imagine a device that beacons out to Medtronic insulin pumps at some interval, perhaps 30-45 minutes, and signals to them to give one unit of insulin. This won’t cause death; at mealtimes, a diabetic would likely use 5 or more units of insulin. What it will do is cause blood sugar to go down, and make the person hungry.
Who would possibly be interested in such a device?
A business that benefits from hungry people. Restaurants.
I am in no way condoning such a device. The closest moral equivalent I can think of is gas stations possessing a device that remotely starts the cars in the parking lot in order to cause them to burn fuel while the owners are inside. It’s theft, at the very least. There would be an uproar if gas stations started doing that. And if you thought gas was expensive, you should see the cost of insulin. I can buy 15-20 gallons of gas for the cost of a little vial of insulin the size of a thimble. And everyone reacts to low blood sugar differently. Some people detect it and correct it pretty quickly, and others don’t.
But aside from cost, there’s another difference between using someone’s gas without permission–stealing gas–and using someone’s insulin without permission. You’re forcing that other person to eat. Diabetics need to watch their diets more closely than non-diabetics do. And if that exploited diabetic becomes a regular customer, and gets exploited many times over a period of years, all those exploits can have an effect on the diabetic’s overall health.
To me, there’s no issue here. It’s morally repugnant.
The problem is, there are people who would see no issue with it whatsoever. They would see it solely as a way to increase desert sales and pad the bottom line. And it would be difficult to detect. And since there are 21 million diabetics in the United States, versus 229 million (or so) non-diabetics, I don’t think the uproar would be anywhere near as great. It’s someone else’s problem, after all. So it would be easier to just write off as capitalism.
There are valid reasons for remotely controlling an insulin pump. For example, it allows a blood sugar meter to communicate with the pump and correct insulin levels based on blood sugar readings. But there needs to be a way to turn that feature off if you don’t use it, in order to avoid the possibility of exploitation. That’s what Medtronic doesn’t see.
I can think of a handful of people who would be able to design and build such a device. One in particular could probably do it in a couple of weekends. Fortunately, they all have jobs, and no interest in that sort of exploitation. But I don’t know about all of the people capable of that kind of design. There’s no guarantee they all have work. And if someone gets turned down for enough jobs and gets hungry enough, you never know. Especially in this economy.
The chances of somebody using this vulnerability for murder are low. Not zero. But low. The chances of somebody using it for exploitation are higher. Considerably higher. I really think it’s only a matter of time, unless Medtronic removes the vulnerability. Yet Medtronic doesn’t want to talk to the guy who discovered the flaw. If the flaw is only used for exploitation, and not to kill, Medtronic only has something to gain from this. The faster people use insulin, the faster they use up supplies, and the more money Medtronic makes. From a dollars and cents perspective, this flaw is good for them.
And that’s why I’m upset with Medtronic.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
One thought on “A more likely use of the Medtronic exploit”
My first threat thought was of holding these poor people hostage, even spamming them with the threat of doing the damage. This removes the need for technical skills. The bad guys just threaten to do harm, and without ever knowing where their victims are. “And don’t tell the cops, or else! “
Comments are closed.