As a diabetic (something few of the posters seem to be) I find this discussion quite interesting if a little wrong in some of its assumptions. The first is the idea that turning off the pump will cause the wearer to expire. In most cases, not true. If you want to (and let's wave our magic wand and enable the hack skipping the tech problems mentioned) kill your target, you are going about it the wrong way. Don't turn off the supply---turn it up, way up. You need to create an overdose based on the size of the individual and their tolerance to insulin. Now without knowing the details of the pump industry, I'd guess that there are built-in limiters concerning overdoses. This makes the problem far more challenging, even if you know the individual in question. How often do you discuss with your diabetic friends just how many units it would take to kill them? At a guess, even if you know they are diabetic, this is probably not part of normal conversation. There is also the assumption that the wearer never checks his equipment. In the single photo in the article above, I notice a screen crowded with information. Again jumping over the problems listed both in the article and here, the hack would have to adjust the display so as not to warn the victim. Given the inability to decipher the signals transmitted, this seems a bit problematic at best. No, I think the best method of attack is the one with a hammer---'Wow you wear a pump huh? Can I see it (victim looks down to pull up shirt) villain applies Maxwell's hammer as solution.'
I helped watch a friend's kid last weekend who has a remote-controlled insulin pump. The remote control refuses to dose without a recent blood-sugar test. Kid wants to eat, no you need to wait, we need to do a finger-prick test first ON the remote so it knows your glucose level.
That, and the remote needs to establish an insulin baseline every few hours.
It's unclear whether the dose limiting is also hard-coded into the pump or is on the remote side only.
It does seem like a "one in a billion" attack but, given time and repeated access to the pump radio, it seems possible to say the least.
I assume that an adult diabetic is very aware of how glucose levels affect their ability to function and would notice when they start to drop off unexpectedly.
Even if you could manipulate the pump control itself, you still aren't disabling the feature that shows the blood glucose level (which the person is certainly monitoring), or the alarms that most likely go off when the values are too far outside of center.
The most likely outcome of a hacker gaining control is that the user sees the insulin pump is screwing up, then just takes it off and uses manual injections or sees their doctor.