Vulnerable smart devices aren’t just an inconvenience – they might potentially kill you. The US Food & Drug Administration (FDA) is warning that some insulin pump models are vulnerable to hacking via a “Man-in-the-middle” type attack – and that users should switch models as soon as possible.
Insulin pumps are small electronic devices that diabetics use to give themselves automatic doses of insulin through a catheter. They help automate the process of testing the blood sugar levels, determining the needed dose, and administering it. They also can communicate via wireless frequency to a nearby device to record dosages that have been metered out and to receive additional dosage directions. As an advanced technology, this helps diabetics live their lives without needed a doctor’s micromanagement. But, as the FDA is pointing out, there are some problems with some insulin pumps that could lead to a “Terminal Man” type situation.
Look out for medical hackers
“An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery.” stated the special notice from the device manufacturer Medtronics. The consequences from a hack could be fatal. A hacked device could potentially lead to hypoglycemia for the connected user (if additional insulin is delivered) or hyperglycemia and diabetic ketoacidosis (if not enough insulin is delivered) from the device.
Not only were some of the identified devices hackable, these vulnerabilities were built into several of the devices with no updates or corrective steps possible.
Welcome to the future
The FDA move is one of the first times a medical device has been essentially yanked from the market due to a serious cybersecurity issue. As more medical makers incorporate IoT features into their products, look for this type of situation to repeat.
It appears that the identified devices were built without a sufficiently in-depth security inspection – a common enough issue in the IoT. In the first wave of IoT devices, it was common that devices such as security cameras had set passwords and unencrypted communication with other devices or servers — a set of features which rendered the devices unfixable, perpetually vulnerable to hackers, and set the stage for the global Mirai botnet DDos attacks.
Overall, IoT devices still do not have much in the way of any security requirements. However, medical devices – whether or not they have smart technologies incorporated into them – are highly regulated. In addition, the security of patient data is also a big feature for medical apps in the United States thanks to Health Insurance Portability and Accountability Act (HIPAA) — even if general protection for consumer data privacy is near zero.
