tl;dr
Scott's most relevant points:
1. "This is a key fob that looks like a car alarm beeper that some pump users use to discreetly give themselves insulin doses. However, I feel the need to point out as a pump wearer myself that:
Not every Insulin Pump has a remote control feature. Not every remote-controllable insulin pump has that feature turned on. Mine does not, for example."
2. "all he requires to perpetrate the hack is the target pump's serial number. This is like saying "I can open your garage door with a 3rd party garage door opener. Just give me the numbers off the side of your unit..."
3. If you are a diabetic on a pump who is concerned about this kind of thing, my suggestion is to turn off your pump's remote control feature (which is likely off anyway) and turn off your sensor radio when you are not wearing your CGM. Most of all, don't panic. Call the manufacturer and express your concern. In my experience, pump manufacturers do not mess around with this stuff. I'm not overly concerned.
--
Also - someone asked how much entropy was in the serial IDs on these units?
Even if entropy is low - how are you going to randomly select a person, and know their serial ID? Unless you know what units are distributed to what hospitals/doctors - at exact times - at exact shipments and then from the sample delivered know the exact unit given to any person at any particular time.
Sure, if you know a "set of IDs" you could try each one sequentially until you finally get a hit - but even then, you must somehow ensure the person being targeted has remote connection turned on. I'm pretty sure walking up to them and saying "oh, hai 'dere! ... plz turn on ur remotz connetz'n 4 me?" [ said in this voice - http://www.youtube.com/watch?v=xh_9QhRzJEs ] - is going to make them pretty suspicious.
There's a lot of "ifs" in there and frankly - if your aim was to kill them - it would be a lot faster to do it some other way because to actually get all these things to line up perfectly .... your chances are pretty slim.
I'm a bit of a sceptic on this 'hacking' - not to say that it's great that it has been uncovered - but you're dealing with minute hardware where every single ms of processing power counts. Simple encryption should be utilized [but then this might be easily hacked anyway ?] but for units placed inside the body [pacemakers and the like] - splitting the unit's resources between keeping the patient alive vs. encryption for wireless protocols seems to weigh more heavily on the former than the latter given how unlikely - for the majority of the world - these 'attacks' are going to be.
Would you trust your life on a computer not being able to count from one to ten billion? From one to ten million? From one to a thousand?
Computers can, in fact, trivially do all of these things. Counting to large numbers quickly is what they do best. Accordingly, if "Guess my large number" is sufficient to remote control the machine, then that's a pretty critical finding.
And there is no work that the attacker can do which will make his life more difficult. Trivial inspection of any machine establishes the upper bound of how hard it will be to compromise. Any attack he can use to reduce entropy only makes that number shrink, potentially radically. We would worry if you could shrink a 2048-bit key even by a bit, because it suggests a hidden systemic weakness. The second serial number examined is likely to shrink the keyspace - which will not be 2048 bits to begin with - by tens of bits.
There are classes of attackers for whom killing a single named individual is not a goal. "Oh drats, we were only able to kill fifteen people chosen at random from this hospital, Superdome, or session of Congress" would not be a failure condition for them or a victory condition for the public.
To be perfectly clear: a quick Google confirms (at least one type of) insulin pump has 8 digit serial numbers. It also appears the first digit is 1 or 0.
Serial numbers usually have a check digit, so it is likely we are down to only 6 digits.
Strictly speaking, isn't "guess my large number" sufficient to break most encryption protocols that don't rely on security by obscurity? It's just that the numbers are normally larger by dozens of orders of magnitude.
Yes, but you are ignoring the time factor. Assume I'm going to die of natural causes in 60 years. If it takes a minute to guess a 6 digit number, that is really bad. If it takes 1000 years to guess a number that is larger by dozens of orders of magnitude, odds are pretty good I'm going to die of natural causes before the attacker guesses the right number.
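To put numbers on the entropy argument in this thread (8-digit serials with a leading 0 or 1 and a check digit, tested at 5000 guesses per second for 8 hours a day, as assumed in the comments), here is an added worked example; it is not code from the article or from any pump vendor, and it assumes a Luhn check digit, which the thread does not specify.

```python
"""Effective keyspace of a structured serial number and the time a full
sweep of it takes. Added example for this thread, not the article's code;
serial layout and guess rates are the thread's, the Luhn scheme is assumed."""
import math

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a run of decimal digits (assumed scheme)."""
    total = 0
    # Walk from the right: double every other digit, starting with the last.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(serial: str) -> bool:
    """True when the trailing digit is the Luhn digit of the rest."""
    return luhn_check_digit(serial[:-1]) == serial[-1]

def keyspace_size(digits: int, leading_values: int, check_digits: int) -> int:
    """Valid serials by counting: only the free digits carry entropy, because
    a check digit is a function of the others and a fixed prefix is known."""
    free_digits = digits - 1 - check_digits
    return leading_values * 10 ** free_digits

def count_valid_by_enumeration(digits: int, leading_values: int) -> int:
    """Exhaustively validate every candidate to confirm keyspace_size for a
    small serial length (leading_values * 10**(digits-1) candidates)."""
    count = 0
    for lead in range(leading_values):
        for tail in range(10 ** (digits - 1)):
            if luhn_valid(f"{lead}{tail:0{digits - 1}d}"):
                count += 1
    return count

def entropy_bits(keyspace: int) -> float:
    """Bits of entropy in a uniformly chosen value from the keyspace."""
    return math.log2(keyspace)

def sweep_days(keyspace: int, guesses_per_second: float, hours_per_day: float = 24.0) -> float:
    """Worst-case days to try every value when the target is only reachable
    for hours_per_day hours each day."""
    return keyspace / guesses_per_second / 3600.0 / hours_per_day

if __name__ == "__main__":
    n = keyspace_size(8, 2, 1)
    print(f"8-digit serial, prefix 0/1, check digit: {n:,} values, {entropy_bits(n):.1f} bits")
    print(f"full sweep at 5000/s: {sweep_days(n, 5000) * 24 * 60:.1f} minutes")
    print(f"32-bit serial at 5000/s, 8 h/day: {sweep_days(2**32, 5000, 8):.1f} days")
```

The structured serial collapses to about 21 bits, a few minutes of guessing at the assumed rate, while even the generous 32-bit upper bound is swept in roughly 30 days of 8-hour exposure.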
The "Just give me the numbers..." counter-argument isn't valid.
Right now, a hacker can kill a specific person, within 30 days, given the following assumptions:
- that person is wearing an insulin pump with the remote control feature turned ON
- the serial number is 32 bits or less
- the attacker can test 5000 serial numbers per second for at least 8 hours per day, every day
So, given those assumptions, here's a scary scenario: Let's say a hacker wants to kill you, and knows where you live. He builds a transmitter and plants it next to your house, for example behind your air conditioner. The device is configured to 1) detect when you're there, then 2) try to guess your serial number every second you're within range, then 3) kill you.
If the attacker then retrieves the device (so it doesn't fall into the hands of law enforcement), there would be absolutely no way to prove he killed you.
Obviously, this is an incredibly unlikely sequence of events. Nevertheless it IS possible, which is very irresponsible of the medical industry.
"So, given those assumptions, here's a scary scenario: Let's say a hacker wants to kill you, and knows where you live."
Most premeditated murder is perpetrated by someone very familiar with the victims.
"The device is configured to 1) detect when you're there, then 2) try to guess your serial number every second you're within range, then 3) kill you."
Better yet, just get the serial number.
"If the attacker then retrieves the device (so it doesn't fall into the hands of law enforcement), there would be absolutely no way to prove he killed you."
Put yourselves in the shoes of the prosecutor. How are you going to explain all this to the jury? In how many ways will the defense be able to attack the delicate task of explaining the technical details?
"Obviously, this is an incredibly unlikely sequence of events. Nevertheless it IS possible, which is very irresponsible of the medical industry."
The "alibi machine" aspect of this scenario actually makes it more likely.
I disagree. This doesn't give you the alibi, since you have to be there in the same room to drop it. With the wireless mechanism, you could never be in the same room as the victim that day. You might never be within 50 feet of the victim. You might not be spattered with blood, but you might leave physical evidence of your presence at the scene. Logs can be electronically erased, which you can't do with metabolites of poison in the bloodstream.
The police can also look for someone with a motive to kill you, and filter that by who might have the hacking expertise. Do a search of this guy's premises for such a transmitter or equipment to build it, and you have a prime suspect.
I've never encountered a community as poor at cost/benefits analysis as computer security. You see it every time when some new "irresponsible" loophole is gleefully broadcast by some smug cracker. There are far, FAR more economical and efficient ways of getting away with murder. I mean, several orders of magnitude easier.
Excuse me at being unrealistic, but I like to think that I should not be able to kill someone with a GNU Radio setup and a cheap laptop.
I am not actually afraid that people are going to start doing this, however such flaws and failures in security thinking are systemic. Bad security is not limited to insulin pumps, but insulin pumps are a great way of getting the public's attention and (hopefully) getting programmers to consider the impact their laziness could have on the world.
I like to think that I should not be able to kill someone with a GNU Radio setup and a cheap laptop.
If you want to kill someone, there are considerably cheaper options available at your local big-box store's home and garden center.
Seriously, though, I do agree with your concern for systemic problems in security thinking. Given the vastly more concentrated effort required, I don't think it's a problem that one could theoretically kill with GNU Radio and a laptop, versus any of the hundreds of tools more readily repurposed as a murder weapon, but such exploits are best addressed while they are infeasible.
I've never encountered a community as poor at cost/benefits analysis as computer security.
As the potential cost of attempting murder involves the risk of getting caught, it's entirely reasonable to expect murderers to go to great lengths to conceal their actions, even if it involves highly technical means. If such highly technical means are actually inexpensive and widely available, then this raises the level of concern with regards to the cost/benefit analyses.
In short:
Cost factors "pro" murder through wireless control of medical equipment
- getting caught is very expensive, so obscure and invisible methods are attractive.
- time and materials costs are low for a suitable expert
- the method enables an alibi
"Even if entropy is low are - how are you going to randomly select a person, and know their serial ID ? Unless you know what units are distributed to what hospitals/doctors - at exact times - at exact shipments and then from the sample delivered know the exact unit given to any person at any particular time."
A sufficiently low entropy serial number would mean you don't need to know those things. Because it is low entropy.
11) if the person consequentially is unable to reach medical assistance within such a period in order to receive more or less insulin resulting in their death
12) if you are able to remove any evidence of tampering with their device without being caught
yes, then this is a concern and low entropy is relevant. But pragmatically and realistically - if you can do all this - then you could execute a murder anyway :P
Point 5 is the only one that I am concerning myself with. If it is low, I consider it a security failure, if it is high, then I don't care. I don't give a shit about insulin machines and murder plots, I am concerned with technical implementation of security. I'm not sure what you are getting hung up on.....
"but you're dealing with minute hardware where every single ms of processing power counts. Simple encryption should be utilized [but then this might be easily hacked anyway ?] but for units placed inside the body [pacemakers and the like] - splitting the unit's resources between keeping the patient alive vs. encryption for wireless protocols seems to weigh more heavily on the former than the latter given how unlikely - for the majority of the world - these 'attacks' are going to be."
So your solution is to increase security such that it compromises the functionality of the device itself through its utility ? High security, poor battery life ? High security, high replacement cost ?
"Point 5 is the only one that I am concerning myself with." - and delivering insulin isn't important ?
Get realistic - security loopholes are only as important as what you are trying to practically protect and at what cost with what risk. This is what I am trying to make evident.
The assumption that every single manufacturer in the medical industry hasn't considered security of remote devices seems a far stretch to me given the prominence of medical litigation and the fact you're dealing with someone's life. Is a high security cost, high device cost, low battery life and therefore low adoption for patients and community accessibility acceptable? No, it's not.
The world is not based on everyone wanting to kill each other because entropy of serial numbers [which neither you nor I have any idea about] is low so they can hack insulin devices and kill someone. That said - it needs to be fixed with a balance to risk and all these other factors.
"2. "all he requires to perpetrate the hack is the target pump's serial number."
Do we know how much entropy is in those? They could very well be sequential or date derived."
As you can clearly see, I am objecting to the apparent assertion that requiring the serial number should be considered a mitigating factor if we don't know anything about the entropy of these serial numbers. Without additional information, we should not be comforted by this.
Allow me to be perfectly blunt to get across my point once and for all: I don't give a shit about insulin. I don't give a shit about insulin pumps. I care about misconceptions about security, and improper security implementation. This article serves as nothing to me other than a vehicle to discuss these things.
Most importantly: I am more concerned with your apparent suggestion that "a serial number is probably a sufficient shared secret" than I am with anything in the story. Serial numbers, as a general rule, make terrible shared secrets.
where have I made any such "apparent suggestion" in any of my comments? i haven't - i've stated, and at least I believed I made quite clear, that the risk and practicality of using this hack is negligible. i haven't stated that it does not exist or that it should not be fixed. to the contrary - it should be fixed.
you're focusing on a singular aspect in a vacuum. "improper security implementation." - yes in this singular vacuum - you're correct and that's great - it's a concern. But what point is there focusing on security implementations in a vacuum when you're dealing with real devices on real people and the practicality of using such improper implementations. The entire BlackHat conference is about exposing hacks in vendor-neutral software and devices that affect the real world. As I stated:
"Get realistic - security loopholes are only as important as what you are trying to practically protect and at what cost with what risk. This is what I am trying to make evident."
i'm focusing on the practicality in the real world as is the entire point of the BlackHat Security Conference. Arguably any device which opens itself to wireless communication could be hacked - and a device like this should have some cryptographic system requiring two separate keys - but at what practical cost is my point.
as hanslemen says in his article - the easiest way to resolve this is just to build in upper and lower limits of insulin delivery. at least you can't kill someone - but I acknowledge that even controlling it is a concern.
[peace, not trying to get all up and hot in here :)]
"Even if entropy is low - how are you going to randomly select a person, and know their serial ID?"
The real concern isn't random killing. It's targeted killing. Most premeditated murder is targeted, is perpetrated by someone for a specific motivation, and is perpetrated by someone close to the victim.
The sort of medical emergency caused by an insulin pump malfunction doesn't raise the suspicion of today's typical police officer. Likewise, the likelihood that someone has the right medical and technical knowledge to investigate such a crime is much lower.
People covering murder by faking a random crime are operating in an area of their ignorance, versus the expert's knowledge and practice. A hacker killing someone through medical equipment would be operating as the expert while the officials and professionals whose job it would be to catch him may well be the newbies.
It would be easy to concoct an alibi with a murder technique like this. This is the most concerning thing about it.