My wife is a type 1 diabetic, and for the past year or so she’s been using an Omnipod to deliver the insulin she needs. She likes the Omnipod a lot better than the old-fashioned Medtronic insulin pumps she used to use, but one problem with the pods is that they can come off before their useful life is over. The pods cost around $20 and our insurance doesn’t cover any extras, so it’s important to be able to revive or restore the Omnipod adhesive if a pod comes unstuck.
The pods are supposed to last three days, but sometimes the adhesive only lasts a day or so. Humidity, sweating from activity, swimming and bathing can all make the adhesive fail prematurely. It seems the pods themselves are a lot more waterproof than the adhesive is. Then again, she says sometimes just the force of changing clothes can be enough to knock a pod off.
Yesterday morning, as I completed the long journey from my parking spot to my office, another more likely use of the security vulnerability in Medtronic insulin pumps occurred to me. Yes, the risks involving insulin are very real. And yes, a determined attacker could use this vulnerability to take a Medtronic owner’s life. But those chances are slim.
But nothing says this vulnerability has to be used to do mortal harm. An attacker could use it just for exploitation. And there’s enough difference that some people wouldn’t have a problem with crossing that line.
Insulin pumps marketed by Minneapolis-based Medtronic have a serious, life-threatening security flaw, and the company couldn’t care less.
For these two reasons, this isn’t your typical security flaw, and Medtronic’s response–in 30 years, we’ve never seen a problem that we know of–is beyond deplorable. Ford’s infamous decision to pay lawsuits rather than fix a deadly flaw in the Pinto comes to mind.