Medtronic's MiniMed 600 insulin pumps potentially at risk of compromise

94 points, by woliveirajr, over 2 years ago

8 comments

jmptable, over 2 years ago
It's very interesting to see an in-the-wild example of a security flaw in the wireless pairing of a class C medical device (i.e. a device that can severely injure or kill). Would love to see technical details about the specific flaw here.

Just spending a few minutes searching around I found this interesting reverse engineering work on the Contour Next Link 2.4 USB dongle: https://github.com/szpaku80/reverse-engineering-contour-next-link-24#what-we-currently-know

It looks like it's implementing 802.15.4 (the basis for ZigBee among other protocols).

The user manual for the Contour Next Link 2.4 device (https://www.medtronicdiabetes.com/sites/default/files/library/download-library/user-guides/CONTOUR-Next-LINK-2.4-Meter-UserGuide.pdf) shows that pairing can be initiated by the USB dongle and succeeds if the user confirms the request on the device. A serial number is displayed, but that appears to be under the control of the hypothetical attacker. So the user must know to reject an unexpected request even if it has the right serial number, or the attacker will gain control of their pump and can issue a remote bolus command.

This example doesn't have to do with Bluetooth, but there's an interesting connection there because most BLE pairing methods have been shown to be insecure to sniffing attacks. That imposes constraints on how medical devices that need Bluetooth connectivity are designed, because it may force a device to have a screen for showing a pairing code when it otherwise would not need one.
terminalcommand, over 2 years ago
This makes me mad as a MiniMed user. I can't even get data out of my pump (a 754) because MiniMed does not sell the reader in my country. The 600 models are the top-of-the-line models that cost $$$.

Medtronic shouldn't be able to get away with just saying "turn off remote bolusing to be secure". I hope they get a class-action suit.

Background: Medtronic is a money-hungry company. I've been using their insulin pumps for 15 years. Over the years the quality of their infusion sets dropped: they no longer provide a cap (the thing you put on to close the catheter before you shower) with each infusion set; rather, they put only one cap in a 10x bag. The infusion sets started to fail after 2 days (the default timespan is 3 days), whereas they used to last 4-5 days before.
WaitWaitWha, over 2 years ago
> ... CareLink™ USB device that communicate wirelessly. ...

> ... For unauthorized access to occur, a nearby person other than you or your care partner would need to gain access to your pump at the same time that the pump is being paired with other system components. This cannot be done over the internet. ...

> 4. Disconnect the USB device from your computer when you're not using it to download pump data. 5. DO NOT confirm remote connection requests or any other remote action on the pump screen unless it is initiated by you or your care partner. 6. DO NOT share your pump's or devices' serial numbers with anyone other than your healthcare provider, distributors, and Medtronic.

Hmm... You have a wireless dongle connected to a PC that appears to rely at least in part on the serial number as authZ/N, and can provide fully remote communications over the Internet and manipulation of the terminal device. But... "This cannot be done over the internet"? Seems to be at the time of pairing, but can the pairing be initiated & accepted remotely?
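The pairing weakness jmptable describes (the dongle can initiate pairing, and the serial shown on the pump screen is supplied by the initiator) and the advisory rule WaitWaitWha quotes (confirm only pairing that you started) can be expressed as a device-side policy. The Python below is an added illustration written for this page, not Medtronic code and not taken from the linked reverse-engineering repository; the window length, the lockout threshold, the verdict strings and all function names are assumptions. The policy records the initiator-supplied serial only for the audit trail and accepts a pairing request only inside a short window that the pump's owner opened on the device itself, so neither a plausible serial nor a hasty tap on "OK" is enough on its own.

```python
"""Pump-side pairing policy model (added example, not Medtronic code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PairingRequest:
    # Serial presented by whoever sent the request. As the thread notes this
    # value is chosen by the sender, so it is logged but never used to decide.
    claimed_serial: str
    received_at: float  # seconds on the device clock


@dataclass
class PumpPairingPolicy:
    window_seconds: float = 60.0      # assumed: how long a user-opened window lasts
    max_unsolicited: int = 3          # assumed: unsolicited requests tolerated before lockout
    lockout_seconds: float = 600.0    # assumed: lockout length
    window_opened_at: Optional[float] = None
    unsolicited_count: int = 0
    locked_until: float = 0.0
    audit: list = field(default_factory=list)  # (time, event, claimed_serial)

    def open_window(self, now: float) -> None:
        """Only reachable from a physical button press on the pump itself."""
        self.window_opened_at = now
        self.audit.append((now, "WINDOW_OPENED", None))

    def window_is_open(self, now: float) -> bool:
        return (self.window_opened_at is not None
                and now - self.window_opened_at <= self.window_seconds)

    def evaluate(self, req: PairingRequest, user_confirmed: bool) -> str:
        """Decide on one pairing request; returns a verdict string."""
        now = req.received_at
        if now < self.locked_until:
            verdict = "REJECT_LOCKED"
        elif not self.window_is_open(now):
            # Nobody opened the window on the pump: the request is unsolicited,
            # whatever serial it claims and even if the user taps OK.
            verdict = "REJECT_UNSOLICITED"
            self.unsolicited_count += 1
            if self.unsolicited_count >= self.max_unsolicited:
                self.locked_until = now + self.lockout_seconds
                self.unsolicited_count = 0
                self.audit.append((now, "LOCKOUT", None))
        elif not user_confirmed:
            verdict = "REJECT_DECLINED"
        else:
            verdict = "ACCEPT"
            self.window_opened_at = None  # one pairing per window
            self.unsolicited_count = 0
        self.audit.append((now, verdict, req.claimed_serial))
        return verdict


def demo() -> list:
    """Run a constructed sequence of requests and return the verdicts."""
    p = PumpPairingPolicy()
    v = []
    # 1. Unsolicited request with a plausible serial; the user taps OK anyway.
    v.append(p.evaluate(PairingRequest("SN-CONSTRUCTED-1", 0.0), user_confirmed=True))
    # 2. Owner opens the window on the pump, then the real dongle pairs.
    p.open_window(10.0)
    v.append(p.evaluate(PairingRequest("SN-CONSTRUCTED-1", 20.0), user_confirmed=True))
    # 3. The window was consumed, so further requests are unsolicited again.
    v.append(p.evaluate(PairingRequest("SN-CONSTRUCTED-1", 25.0), user_confirmed=True))
    v.append(p.evaluate(PairingRequest("SN-CONSTRUCTED-2", 26.0), user_confirmed=False))
    # 4. The third unsolicited request trips the lockout; the next is refused outright.
    v.append(p.evaluate(PairingRequest("SN-CONSTRUCTED-3", 27.0), user_confirmed=True))
    v.append(p.evaluate(PairingRequest("SN-CONSTRUCTED-1", 30.0), user_confirmed=True))
    # 5. A window that has expired does not help either.
    p.open_window(700.0)
    v.append(p.evaluate(PairingRequest("SN-CONSTRUCTED-1", 800.0), user_confirmed=True))
    return v


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The audit list is the detection side of the same policy: a run of REJECT_UNSOLICITED entries or a LOCKOUT event is exactly what a clinician or support line would want to see when a patient reports unexpected pairing prompts.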
Group_B, over 2 years ago
To be fair, the earlier Medtronic pumps were also insecure, but it allowed reverse engineers to get into them and create one of the first closed-loop systems.
code_duck, over 2 years ago
Hmm, Medtronic already had at least one recall on this series of pumps:

https://diatribe.org/medtronic-provides-update-recall-thousands-defective-insulin-pumps-and-remote-controls

Tandem recently released updated firmware and a mobile app for their t:slim X2 pumps which includes a function to deliver insulin from the mobile app. To me, this seems like a dangerous idea, given that people can die from an insulin overdose. I'm perfectly happy keeping the function solely on the physical device. My wariness has not been shared by the majority (or even a small fraction) I've discussed this with online; pump users generally desire this convenience and are not at all concerned about potential security implications.
dsaavy, over 2 years ago
There was an entire data set released that had all the medical device injuries and malfunctions listed. Pretty interesting to dive into, considering it wasn't previously public.

Article mentioning the previously non-public database: https://khn.org/news/hidden-fda-database-medical-device-injuries-malfunctions/

FDA database that was eventually released: https://www.fda.gov/medical-devices/mandatory-reporting-requirements-manufacturers-importers-and-device-user-facilities/about-manufacturer-and-user-facility-device-experience-maude

As a Type 1 diabetic, insulin pumps are a game changer for the entire population that needs to use them. But I think the risks that come with the devices are understated. In my opinion the benefits outweigh the risks, but that is still something you should be able to determine on your own as a user.

Side note: One of the things I see a lot of diabetics miss with insulin pumps is how changes in altitude and air pressure can cause unintended delivery of insulin if you have air bubbles in the cartridge. For those who travel with insulin pumps, make sure to disconnect during changes in altitude (take-off and landing).
AnthonBerg, over 2 years ago
From experience, Medtronic's software is obviously low-quality. Obviously bad, and unnecessarily bad.
rbarnes01, over 2 years ago
Not surprised that QA is a problem with them. They don't even realize that one of their contract manufacturers isn't registered with the FDA.