Hack the world!
October 28, 2011 9:57 PM   Subscribe

A McAfee researcher has demonstrated that certain Medtronic insulin pumps can be remotely controlled without authorization. An unscrupulous hacker could, for instance, command the pump to release its full load of insulin, which would kill the diabetic.
posted by Chocolate Pickle (81 comments total) 9 users marked this as a favorite
 
It's reassuring to know that when I'm old and on insulin, or have a pacemaker, or some other implanted device, that I'll have to worry about viruses both biological and technological. And by reassuring I mean not reassuring at all.
posted by quadog at 10:12 PM on October 28, 2011 [4 favorites]


Well that is an episode of CSI and/or House waiting to happen.
posted by empath at 10:18 PM on October 28, 2011 [6 favorites]


Allow me to clarify,

Unscrupulous hacker: someone who changes your facebook picture to a picture of a cat and messages your ex-girlfriend when you leave your facebook logged in at the mac store.

FUCKING COLD BLOODED PSYCHOPATH: someone who murders people with diabetes for the lolz.

You may continue.
posted by JimmyJames at 10:29 PM on October 28, 2011 [30 favorites]


Vulnerabilities like this are strong arguments for redefining the term 'Responsible Disclosure.' It's one thing to allow Cisco a month or two to write up some switch patches; it's quite another to replace embedded device code. So how is it responsible to even mention a vulnerability such as this?

Granted it's an extremely disturbed individual who'd even think of exploiting this, but it's a fucked up world with a large enough population to make this nightmare scenario a possibility. This shouldn't have gone beyond back channels.
posted by Hardcore Poser at 10:31 PM on October 28, 2011 [14 favorites]


I'd heard about this last month on Twit.TV's "Security Now" podcast, and they were reporting that the hacker had to be within 20 or 30 feet of the insulin pump, and that while the pump emits a bunch of beeps when it's being programmed, the pump emits a bunch of beeps at other times, too, to the point that the user tends to ignore them. So, yeah, this is pretty bad news if you happen to have this insulin pump.
posted by crunchland at 10:32 PM on October 28, 2011 [2 favorites]


A wireless interface would make sense in the case of a pacemaker or some other implanted prosthetic or artificial organ, which is not easily plug-in-able. But I can't see how wireless is necessary or advisable in other circumstances. Seems like it's just asking for trouble.
posted by Western Infidels at 10:32 PM on October 28, 2011


Granted it's an extremely disturbed individual who'd even think of exploiting this

Or a very savvy intelligence officer.
posted by empath at 10:33 PM on October 28, 2011 [6 favorites]


Holy shit. Not only does Medtronic's device technology control their insulin pumps, similar code controls their spinal cord stimulators. So does this mean that in theory, a hacker could ramp up a stimulator's voltage to cause unbearable electrical pain??
posted by oceanmorning at 10:34 PM on October 28, 2011


a pacemaker or some other implanted prosthetic or artificial organ

Pacemaker hacking was the first thing I thought of after being relieved none of my diabetic loved ones have insulin pumps.
posted by immlass at 10:35 PM on October 28, 2011


This is my surpri.....nope, still can't do it.

One of the things that used to make me grind my teeth the hardest in the land of big pharma was the idea of computer validation. That you could somehow test a piece of software and show that it did what it wanted to do and didn't do what you didn't want it to do, whatever that was.

The people who got this gig were all over the idea of quality as it pertained to keeping one's desk tidy and making things look all shiny for management. But in terms of understanding computers, or data storage, or side chain attacks, or that random substitution was insufficient encryption for your user database, or that Microsoft isn't going to hand you the source code to Windows just because you asked nicely (or that you were unlikely to find vulnerabilities on a quick read through if they did), or that Word, Excel and Adobe Reader are the major virus vectors or.... You get the idea.

I'd be pleasantly surprised if McAfee could find a medical device with really good security.
posted by Kid Charlemagne at 10:36 PM on October 28, 2011 [8 favorites]


Hardcore Poser: This shouldn't have gone beyond back channels.
The back channels didn't work.
posted by Western Infidels at 10:38 PM on October 28, 2011 [2 favorites]


The strange thing is, nobody remembers hiring the McAfee researcher, he just showed up one day. First he set off the smoke alarm for no good reason, and later he misidentified a pager as an insulin pump. Finally, disgusted with his ineptitude, management fired him, only to find he had to be forcibly removed from the premises. Even weeks later, other employees would be tripping over bits of garbage the McAfee researcher left behind.
posted by xedrik at 10:43 PM on October 28, 2011 [15 favorites]


Interesting. Medtronic's website apparently used to have a statement about the hacking in their press releases section, but now there's no mention of it. Google's cache to the rescue.
posted by crunchland at 10:46 PM on October 28, 2011 [1 favorite]


That you could somehow test a piece of software and show that it did what it wanted to do and didn't do what you didn't want it to do, whatever that was.

Um, well, you can do that, if you write the software in the right way. Almost nobody does it in practice, because it's really expensive and time-consuming, but in theory it's possible to write formally "provable" software. Anecdotally, I've heard of the software for some aerospace embedded systems being written this way.

Of course, even if you wrote and formally proved the software to meet a particular specification, that wouldn't tell you anything about whether that specification met the functional/business requirements, or the behavior of the overall hardware and software system that will exist in the real world; those things require a lot of empirical reasoning and testing.
posted by Kadin2048 at 10:48 PM on October 28, 2011 [7 favorites]


FUCKING COLD BLOODED PSYCHOPATH: someone who murders people with diabetes for the lolz.

To stay with the season, I file this alongside poisoned Halloween candies, i.e. it has never fucking happened. Which isn't to say it's a concern, but there aren't that many psychopaths out there, and there are even fewer who would have the capabilities to pull this off. Disclosure all the way.
posted by Jimbob at 10:50 PM on October 28, 2011


This happened on an episode of Law and Order...in 1993.
posted by FireballForever at 10:53 PM on October 28, 2011 [9 favorites]


With medical implant devices I have been very concerned about their manufacture. Both plastic and metal. I know that if I were in whatever situation they would probably be my only way to survive and live, but man, I would still be very suspect. I have seen and tested many of them from any number of manufacturers, and it does not make me feel optimistic.

But they work for millions of people, so there's that.

I of course thought of the computer component in some models like pacemakers or insulin modules, and I of course thought of the ways to exploit them, but I never figured the press would catch on.

And who the fuck is engineering these things that just broadcast radio signals all around? I can't think of a single competent engineer who would think something like that is a good thing.

This is the sort of thing that a regular person looks at and says WTF, and the company says "go ahead, no one will even bother to figure it out anyway." Those PE's should lose their licenses.

Isn't that how Woz got his start? Busting in on available frequencies?
posted by sanka at 10:56 PM on October 28, 2011


A wireless interface would make sense in the case of a pacemaker or some other implanted prosthetic or artificial organ, which is not easily plug-in-able. But I can't see how wireless is necessary or advisable in other circumstances.

There are valid use cases:

1) The pump wirelessly communicates with a blood glucose meter/control unit, so a user can just test BG and then click OK to deliver an appropriate correction bolus of insulin, without recoding the BG into the pump (which is subject to manual retyping error).

2) The wireless control keychain dongles allow shy users to avoid futzing with a "pager" sized device and outing themselves as a type 1 diabetic (say, during a job interview lunch, in one of those backwards countries that doesn't have universal healthcare).

3) The best use case for wireless pump control is for parents of small children with type 1 diabetes. A 4 year old child can't be trusted to deliver insulin for themselves, so you can lock the physical pump controls and only allow the wireless dongle to program delivery. Parents can then dose kids as appropriate while they watch the kids chow down across the table at a birthday party.

Wireless control is useful. This does not excuse poor security implementations of wireless control systems. (Medtronic must have been too busy switching over all their pump tubing systems from luer locks to proprietary connectors.)
posted by benzenedream at 11:05 PM on October 28, 2011 [5 favorites]


Isn't that how Woz got his start? Busting in on available frequencies?

Woz and Jobs found a copy of Ma Bell diagnostic frequencies from a local library, which were recorded on cassette tape.
posted by Blazecock Pileon at 11:15 PM on October 28, 2011


You can, but to the best of my knowledge, the seL4 microkernel is pretty much it, and I'm not sure how much real world use it is able to support. And as Bruce Schneier points out, they validated code at a rate of about 250 lines per man-year.

When I pointed out that the user database in one of our validated systems was encrypted with a random substitution cypher (no, really) it wasn't like they did much about it. So empiricism kind of came up short.
posted by Kid Charlemagne at 11:17 PM on October 28, 2011


To stay with the season, I file this alongside poisoned halloween candies.

True, and anyone who's close enough and psychopathic enough to kill you by messing with your insulin pump could equally well just shoot you, or stab you with a ricin-poisoned umbrella, or whatever. Haxx0ring someone's insulin pump seems like a bit of a movie-plot threat.

I was going to write that, nevertheless, this is obviously something the manufacturer should fix— but then I'm not so sure. Any time you add a bunch of complexity to implement access control, there's the chance you'll deny access to an authorized user, or cause some subtler failure.


Kadin2048, there are formal methods that take the world outside the code into account, but they're hugely time-consuming and difficult; I've mostly heard of them being applied in cases where a failure means hundreds or thousands of deaths (eg airliners, nuclear plants). (You could probably even make a utilitarian argument that beyond a certain level of effort, more people will die because they couldn't afford the resulting insulin pump than would die because of the failures the verification might discover.)
posted by hattifattener at 11:21 PM on October 28, 2011 [1 favorite]


I would submit that this is no more Medtronic's failure than the FDA's. It takes for goddamned ever to get a device approved and to market in the US of A and yet they apparently don't have protocols to test for secure communications between two interconnected devices.

I've been waiting for 3 years for the manufacturer of my current insulin pump, Animas, to release a pump with an integrated continuous glucose monitor. Minimed got theirs to market (with this security flaw, apparently) four years ago! So long ago that they have a second generation system on the market now. Animas started shipping their integrated system, the Vibe, earlier this year. But FDA approval is still ongoing for whatever reason. Meanwhile my diabetes is killing me slowly.

And now it will take even longer. I guess I can't rightly be angry about that, but I'm trying very hard.
posted by pkingdesign at 11:29 PM on October 28, 2011 [4 favorites]


I've always wondered why they don't just use one-time pads for things like this. 4 GB of random numbers stored on two flash chips in the respective devices gives you a theoretically unbreakable way to encrypt the control channel; as long as you're not sending massive commands, it'll last for the life of the device.
posted by Grimgrin at 11:31 PM on October 28, 2011 [2 favorites]
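As an added example (not code from the thread, and not from Medtronic or any pump vendor), here is what the one-time-pad control channel Grimgrin describes looks like once the bookkeeping is written down. Both sides hold the same pad; each side spends bytes from its own half and advances a pointer before using them so a crash can never reuse pad. The receiver refuses any pad offset it has already seen (that is a replayed message), and since a pad by itself hides a command but does not stop someone flipping its bits, each message also spends 32 pad bytes as a one-time HMAC key for an integrity tag. The pad size, command text, header layout and the half-per-direction split are assumptions chosen for illustration.

```python
"""
Added example, not code from the thread or from any pump vendor: a one-time-pad
control channel with the bookkeeping a device would need to use it safely.
Pad size, command bytes, header layout and the per-direction split are assumptions.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32                  # pad bytes spent per message as a one-time HMAC key
HDR = struct.Struct(">IH")    # pad offset of this message (u32), command length (u16)


class PadExhausted(Exception):
    """No fresh pad bytes left: the channel must stop rather than reuse any."""


class PadEndpoint:
    """One side of the link. Both sides are loaded with the same pad at manufacture;
    the controller sends from the first half and the pump from the second, so the
    two directions never draw on the same bytes."""

    def __init__(self, pad: bytes, role: str):
        half = len(pad) // 2
        self.pad = pad
        if role == "controller":
            self.tx, self.rx = (0, half), (half, len(pad))
        else:
            self.tx, self.rx = (half, len(pad)), (0, half)
        self.next_offset = self.tx[0]      # first pad byte this side has not yet spent
        self.peer_high = self.rx[0] - 1    # highest offset accepted from the peer

    def seal(self, command: bytes) -> bytes:
        """Encrypt and tag one command, spending len(command) + TAG_LEN pad bytes."""
        need = len(command) + TAG_LEN
        start = self.next_offset
        if start + need > self.tx[1]:
            raise PadExhausted("pad exhausted; refusing to reuse bytes")
        self.next_offset += need           # advance first, so a crash never reuses pad
        keystream = self.pad[start:start + len(command)]
        tag_key = self.pad[start + len(command):start + need]
        header = HDR.pack(start, len(command))
        body = bytes(a ^ b for a, b in zip(command, keystream))
        tag = hmac.new(tag_key, header + body, hashlib.sha256).digest()
        return header + body + tag

    def open(self, message: bytes) -> bytes:
        """Verify and decrypt; raise ValueError on tampering, replay or bad offsets."""
        if len(message) < HDR.size + TAG_LEN:
            raise ValueError("truncated message")
        start, n = HDR.unpack_from(message)
        header = message[:HDR.size]
        body = message[HDR.size:HDR.size + n]
        tag = message[HDR.size + n:]
        if len(body) != n or len(tag) != TAG_LEN:
            raise ValueError("malformed message")
        # Offsets must move strictly forward inside the peer's half: a repeated
        # offset is a replayed message, an out-of-range one is not ours.
        if start <= self.peer_high or start + n + TAG_LEN > self.rx[1]:
            raise ValueError("pad offset reused or out of range")
        keystream = self.pad[start:start + n]
        tag_key = self.pad[start + n:start + n + TAG_LEN]
        expect = hmac.new(tag_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("bad tag: message altered in transit")
        self.peer_high = start
        return bytes(a ^ b for a, b in zip(body, keystream))


def pad_lifetime_days(pad_bytes: int, command_bytes: int, commands_per_day: float) -> float:
    """Days until one direction's half of the pad runs out at a steady command rate."""
    messages = (pad_bytes // 2) // (command_bytes + TAG_LEN)
    return messages / commands_per_day


def _rejected(endpoint: PadEndpoint, message: bytes) -> bool:
    try:
        endpoint.open(message)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Exercise the channel with a constructed 4 KiB pad (a real device would hold far more)."""
    pad = os.urandom(4096)
    ctrl, pump = PadEndpoint(pad, "controller"), PadEndpoint(pad, "pump")
    cmd = b"BOLUS 0.5U"                           # constructed sample command
    first = ctrl.seal(cmd)
    out = {"decrypted": pump.open(first)}
    out["replay_rejected"] = _rejected(pump, first)   # same bytes again: refused
    tampered = bytearray(ctrl.seal(cmd))
    tampered[HDR.size] ^= 0x01                    # flip one ciphertext bit
    out["tamper_rejected"] = _rejected(pump, bytes(tampered))
    sent = 2
    while True:                                   # keep sending until the pad runs dry
        try:
            ctrl.seal(cmd)
            sent += 1
        except PadExhausted:
            break
    out["messages_before_exhaustion"] = sent      # 2048 // (10 + 32) == 48
    return out


if __name__ == "__main__":
    print(demo())
    print(f"{pad_lifetime_days(4 * 2**30, 16, 100):.0f} days for a 4 GB pad")
```

With the assumed 16-byte commands, 32-byte tags and a hundred commands a day, half of a 4 GB pad lasts well over a thousand years, so Grimgrin's arithmetic holds; the parts that take care are the ones the pad does not give you for free: no reuse after a reset, no replay, and an integrity check, since an unauthenticated one-time pad is perfectly confidential and perfectly malleable.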


Meant to add that "Animas started shipping their integrated system, the Vibe, earlier this year" in the UK. England's approval is done and the pump is in the market improving lives, but the FDA dawdles on.
posted by pkingdesign at 11:31 PM on October 28, 2011


Hacking with a computer seems like a really roundabout way of murdering someone.

Hacking with an axe, on the other hand...

Having a hackable insulin pump is just one of the kajillion ways a person can be vulnerable to murder. Obviously, if the hacker-hole can be bunged up, by all means bung it up, but, like, murderers gonna murder, y'know? I'm pretty sure updating some software won't make a person impervious to rat poison or whatever.
posted by Sys Rq at 11:32 PM on October 28, 2011 [1 favorite]


This is why we need mechanical failsafes. Always. We have already learned this lesson the hard way.
posted by spiderskull at 11:41 PM on October 28, 2011 [2 favorites]


True, and anyone who's close enough and psychopathic enough to kill you by messing with your insulin pump could equally well just shoot you, or stab you

Only ninjas can stab people silently and invisibly from across the room and escape undetected.
posted by justsomebodythatyouusedtoknow at 11:52 PM on October 28, 2011 [2 favorites]


Woz and Jobs found a copy of Ma Bell diagnostic frequencies from a local library, which were recorded on cassette tape.

There was a tape? Any source for that? It was my understanding that the frequencies were documented in several articles published in the Bell System Technical Journal, the first of which was "In-Band Single-Frequency Signaling" published in 1954, and several others published in the early sixties.

I went and found these articles at the NYPL research library in the early 90s to verify they existed. They are all available on the net in PDF form now.

If there was a tape that is pretty nuts.

I was kinda toying with doing a FPP since I tracked down all the articles and also the ITU system 5 signaling specs from 1988. It might be too technical for here though.
posted by Ad hominem at 11:53 PM on October 28, 2011 [2 favorites]


I also found the monograph on TASI which outlined the infamous "TASI locking frequency." I always suspected that was bullshit, but it is real I guess.
posted by Ad hominem at 11:55 PM on October 28, 2011


How likely is it that a hacker would be motivated to exploit this vulnerability? For example, Mac computers have security vulnerabilities, but are considered "safe" against most common viruses and malware because few people are out there trying to write viruses and malware for Macs in the first place.
posted by KokuRyu at 12:01 AM on October 29, 2011


As a user of a Medtronic insulin pump vulnerable to this sort of thing I can only say that I'm way more worried about accidental button presses than remote hacking. As for those who ask why not plug it in to your computer rather than go wireless, it's pretty hard to have a waterproof insulin pump without wireless communication. Also, some parents of very young children like to have a remote control to adjust their children's insulin.
posted by BrotherCaine at 12:04 AM on October 29, 2011 [1 favorite]


Vulnerabilities like this are strong arguments for redefining the term 'Responsible Disclosure.' It's one thing to allow Cisco a month or two to write up some switch patches; it's quite another to replace embedded device code. So how is it responsible to even mention a vulnerability such as this?

That depends on how responsible the vendor is about plugging the hole. If a McAfee researcher has found the hole, I guarantee others have - large, well funded spooks like the NSA and their Russian and Chinese equivalents, for starters. And, hell, if the Colombian cartels build subs to deliver drugs and spent the 90s using AS/400s and copies of the Colombian telco's phone records to datamine calls between their members and the police to look for informants, I can only imagine which non-Government outfits are doing the same.

Vendors have a long track record of doing nothing about problems reported to them.

How likely is it that a hacker would be motivated to exploit this vulnerability? For example, Mac computers have security vulnerabilities, but are considered "safe" against most common viruses and malware because few people are out there trying to write viruses and malware for Macs in the first place.

Which hacker? Well, the Putin government have been implicated in extra-territorial poisonings in Ukraine and England. China are supposed to have attacked numerous US firms (Google, obviously, but we hear about more every few months). Stuxnet is probably a US/Israeli collaboration. How long do you think opponents of any of the aforementioned countries would live before having a terrible, untraceable accident with their insulin dose?
posted by rodgerd at 12:13 AM on October 29, 2011 [1 favorite]


How likely is it that a hacker would be motivated to exploit this vulnerability

There are two types of hackers. Hackers that are motivated by "cool": they want to be in on the secret nobody else knows, they want to be known as the best. Would they kill someone? No, probably not; they are more likely to do a presentation on it at Black Hat. There are hackers that are motivated by money; they run the spam botnets, steal credit cards, sell compromised website roots. Would those hackers kill someone? Maybe if you paid them enough.
posted by Ad hominem at 12:15 AM on October 29, 2011


True, and anyone who's close enough and psychopathic enough to kill you by messing with your insulin pump could equally well just shoot you, or stab you with a ricin-poisoned umbrella, or whatever. Haxx0ring someone's insulin pump seems like a bit of a movie-plot threat.

They could, but wouldn't they be much more likely to get caught? I mean, with the insulin pump thing you could kill someone simply by walking by them and having a device in your pocket send the signal. Those other methods would be much more obvious. And much more traceable.

I mean, let's say someone dies; would cops even know to check for this rather than simply assuming the user died of a pump failure or just naturally? Can you even tell when people die due to an insulin overdose?

But let's say the cops have an uber-hacker on staff who can reverse engineer the insulin pump in order to even see what data is in RAM. They do, and see that there are tell-tale signs of hacking. Well, how would they even begin to investigate? Unless they had a prime suspect and they'd done something super-stupid like leave a hacked-apart duplicate of the pump sitting on their desk, with a USB connection to their machine and unencrypted source code sitting on their desk, how would they get caught? If they didn't have a prime suspect, how would they know?

How likely is it that a hacker would be motivated to exploit this vulnerability? For example, Mac computers have security vulnerabilities, but are considered "safe" against most common viruses and malware because few people are out there trying to write viruses and malware for Macs in the first place.

Sure, it's considered safer, but there isn't really any reason to do so at all. It might have been true back when viruses were raging on Windows XP, but Macs are more popular now and malware is becoming more of a problem.
posted by delmoi at 12:47 AM on October 29, 2011


Speaking from experience, getting a "full load" of insulin would not necessarily kill you as the OP writes. My water resistant (but not water proof) Disetronic pump went in the Pacific with me for about a half hour back in 2002. When I got back to my hotel room I had a large, hard lump of insulin under my skin and the motor in my pump was just grinding away. I spent the next 36 hours drinking a lot of OJ and testing my blood sugar a lot. How's that for vulnerability? Instead of just switching off when it got wet, it fucking switched on and couldn't be turned off.

A hack like this would be both discoverable and survivable.
posted by pkingdesign at 12:49 AM on October 29, 2011 [6 favorites]


Vaguely related: Mitsubishi hack stole nuclear and defense data
posted by jeffburdges at 1:08 AM on October 29, 2011


This kills the diabetic.
posted by colinshark at 2:05 AM on October 29, 2011


I wear a Medtronic pump that is hackable. The wireless connection to my meter is super convenient, but it being insecure is unforgivable.

This is the kind of shit that happens when medicine is a business. My previous pump was made by a small company named Deltec. I think they were in Minnesota. The pump was a tank; well-built, small, waterproof. It worked like a charm for 5 years. The company reps were absolutely great to deal with, too. They were knowledgeable and seemed extremely intent on making the best product they could.

When I needed a replacement I went to get another Deltec, and, lo and behold, they no longer existed. In fact, the market has shrunk to just three manufacturers. So now I own a Medtronic that, by comparison, feels very shoddily built and cost 2500 dollars more. And dealing with Medtronic has been like dealing with a used car dealer. Combine that with this news and it seems obvious that Medtronic doesn't care much about anything but the money.
posted by Benny Andajetz at 4:46 AM on October 29, 2011 [4 favorites]


An unscrupulous hacker could, for instance, command the pump to release its full load of insulin

I bet they could prevent this with a minor firmware update, because there'd never ever be any practical reason for an insulin pump to release all its insulin at once. In fact, I'd be surprised if they didn't already have a hard-coded limit to the maximum amount of insulin the pump could release in a certain time period. And if the hacker did set his program on a loop to bump up against the limit, by then, the diabetic would probably feel the effects of low blood sugar and take remedial action.
posted by crunchland at 5:48 AM on October 29, 2011
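As an added example (not code from the thread or from any pump vendor), here is the kind of hard-coded dose limit crunchland has in mind, written as a guard that sits below the command parser so it holds no matter who issued a command or how it arrived: a ceiling on any single bolus, a rolling-window total, and a reservoir check. A request over a limit is refused outright rather than silently trimmed, and every refusal is recorded, because a burst of refused commands is exactly the signal a pump should alarm on. The limits and the scenario are illustrative numbers chosen for the demo, not clinical guidance.

```python
"""
Added example, not code from the thread or from any pump vendor: a dose guard
enforced below the command parser. The limits are illustrative, not clinical.
"""
from collections import deque


class DoseGuard:
    """Last check before the motor: a single-bolus ceiling, a rolling-window
    total, and the reservoir contents. Refused requests are kept as an audit
    trail so repeated refusals can raise an alarm."""

    def __init__(self, max_bolus: float, max_per_window: float,
                 window_s: int, reservoir: float):
        self.max_bolus = max_bolus
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.reservoir = reservoir
        self.history = deque()      # (time, units) of deliveries still in the window
        self.refusals = []          # audit trail: (time, units requested, reason)

    def _delivered_in_window(self, now: float) -> float:
        while self.history and now - self.history[0][0] >= self.window_s:
            self.history.popleft()
        return sum(units for _, units in self.history)

    def request(self, units: float, now: float) -> tuple:
        """Return (units actually delivered, reason)."""
        reason = None
        if units <= 0:
            reason = "non-positive dose"
        elif units > self.max_bolus:
            reason = f"{units}U exceeds single-bolus ceiling of {self.max_bolus}U"
        elif self._delivered_in_window(now) + units > self.max_per_window:
            reason = f"would exceed {self.max_per_window}U in {self.window_s}s"
        elif units > self.reservoir:
            reason = "exceeds reservoir contents"
        if reason is not None:
            self.refusals.append((now, units, reason))   # refuse, do not silently cap
            return 0.0, reason
        self.reservoir -= units
        self.history.append((now, units))
        return units, "delivered"


def demo() -> dict:
    """Constructed scenario: a 'release everything' command, then a drip of 1U
    requests one minute apart, then one more after the window has rolled over."""
    guard = DoseGuard(max_bolus=10.0, max_per_window=15.0, window_s=3600, reservoir=200.0)
    out = {"dump_all": guard.request(200.0, now=0)}      # refused outright
    accepted = 0.0
    for i in range(20):                                  # 20 requests over 19 minutes
        delivered, _ = guard.request(1.0, now=i * 60)
        accepted += delivered
    out["accepted_in_window"] = accepted                 # capped at 15.0
    out["after_window"] = guard.request(1.0, now=3601)   # the t=0 delivery has aged out
    out["refusals"] = len(guard.refusals)                # 1 + 5
    out["reservoir"] = guard.reservoir                   # 200 - 15 - 1
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guard is deliberately ignorant of where a command came from: the point crunchland and spiderskull are making is that a limit below the parser still holds when the channel above it has been fooled, which an authentication layer alone cannot promise.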


I'm glad there weren't any "reverse engineering is illegal" laws on the books so the McAfee guy could release this information without worrying about being put in jail.
posted by benito.strauss at 5:55 AM on October 29, 2011 [1 favorite]


Remember that Night Court episode where Dan had to pretend to be Roz's father because she accidentally takes an overdose of insulin and wanders around the courthouse in a delirious episode?

That has nothing to do with this post, but I think of it every time someone says the word insulin. That is all.
posted by Fizz at 6:43 AM on October 29, 2011


I don't have any computer-controlled implants, or know of anyone in my circle of friends who does, but I don't dismiss the problem lightly as a "movie plot" attack. Thing is, there have been movie-plot attacks: consider Alexandre Litvinenko and Viktor Yushchenko. Admittedly, these are prominent people against whom movie-plot attacks are more likely to be launched…but so what? They do happen. The Stuxnet worm shows that for an important-enough target, people will go to a hell of a lot of trouble to develop a subtle technological attack. Just because nobody here on Metafilter is important enough to warrant a remotely triggered insulin-pump overload doesn't mean that nobody in the world is.
posted by adamrice at 6:50 AM on October 29, 2011


Hacking of pacemakers/defibrillators/other medical devices has been a topic in the medical community for a while now.
One solution proposed was that the devices would be password sensitive. The patient would have a UV tattoo somewhere on the body for emergency personnel to access it if necessary. I imagine info would be available on the little ID card as well.
I have a defibrillator. I think the chances of remote hacking are unlikely, but it boggles the hell out of my mind that I even have to think about the possibility of that happening.
One of my favorite little time wasting fantasies is Ben Franklin magically appearing and living with me for a week or so. I try to explain to him what my life and our lives as Americans is like. He's always stunned when I get to this part.....
posted by pentagoet at 6:58 AM on October 29, 2011


To stay with the season, I file this alongside poisoned halloween candies.

Ahem, I bring you the Candy Man. Not exactly the same but close enough that it really messed up a lot of trick-or-treating when I was a kid. The likelihood of someone choosing to murder, or attempt to murder, a random diabetic is also minimal, but if I had a pump, I'd be unhappy about this news even if I thought the likelihood someone would use it on me was extremely low.
posted by immlass at 7:42 AM on October 29, 2011


A 2008 FDA inquiry documented both manufacturing/quality control and design problems with Medtronic's insulin pumps.

FDA Warning Letter

Seattle Times: Woman's Coma Leads to Secrecy, Silence (2007)

Since 2009, a number of related lawsuits have been filed. (I'm not clear on whether medical device manufacturers are subject to strict liability as with general product liability in the US, or whether it's handled as medical malpractice.) Some of these led to a recall of at least one model of Medtronic pump.

FDA's Medtronic Paradigm QuickSet Recall Notice (problems with venting can cause overdoses).

Press release that I'm assuming comes from a plaintiff firm:
Insulin Pump Litigation Group to Discuss the Defective Minimed Insulin Pump Litigation Moves to Formal Discovery Phase

While Medtronic really does seem to exemplify the worst of market-driven medicine, it is perhaps worth abstracting the situation a little (imagining a more responsible company) to ask how the classic security v. functionality trade-off should be made in the world of medical devices and software. (A different issue than simply broken designs or code, such as in THERAC-25, or the existing Medtronic complaints.)

For instance, do we really want an embedded medical device that will only talk to a pre-paired controller holding its unique private key when that device or its controller is malfunctioning?

Ultimately, it seems like a lot of the products NEED a back-door. But a properly engineered, secured, and documented one. Not this mess.
posted by snuffleupagus at 8:01 AM on October 29, 2011 [1 favorite]


The patient would have a UV tattoo somewhere on the body for emergency personnel to access it if necessary.

Well, that's an interesting idea. We'll have to add a femme fatale with roofies, smartphone and a handheld blacklight to our spy movie plot.
posted by snuffleupagus at 8:04 AM on October 29, 2011


Vulnerabilities like this are strong arguments for redefining the term 'Responsible Disclosure.'

Nope. We've seen this time and time again. The only motivation that we have for companies to fix security holes is to publicly expose those holes. Smart companies will have a trusted back channel, and then will get the fix out before the flaw is exposed publicly, but we are never going back to non-disclosure, because non-disclosure simply did not work.

The assumption that secrecy means the bad guys don't know about the flaw is simply wrong. It's the oldest argument in the book -- and it was wrong when locksmiths in the 1800s were making it. By and large, the bad guys already know about the flaws. Keeping them quiet lets them know, but keeps the public in the dark about how insecure they really are.

Now, people with this device can take action -- even if it's only turning it off and going back to injections. They know the risk, they can evaluate what to do.

Your proposal says "leave them in the dark and hope nobody dislikes them." To hell with that. If this company doesn't want to deal with the problem, perhaps they should make secure devices. But I will fight you tooth and nail if you intend to hide from the people who are at risk that the device they believe is secure is fundamentally not.
posted by eriko at 8:28 AM on October 29, 2011 [5 favorites]


For instance, do we really want an embedded medical device that will only talk to a pre-paired controller holding its unique private key when that device or its controller is malfunctioning?

These insulin pumps are external, they're not embedded.
posted by delmoi at 8:32 AM on October 29, 2011


These insulin pumps are external, they're not embedded.

Yes. I should have been more clear--I didn't mean that question to refer to these pumps specifically.
posted by snuffleupagus at 8:45 AM on October 29, 2011


To stay with the season, I file this alongside poisoned halloween candies. ie. it has never fucking happened.

Yeah, this would be like someone putting poison in over the counter pain relievers to just off people at random. This isn't going to happen in a million.... Hey, wait a minute!

Whether or not anyone is actually likely to exploit the security hole, the real problem is that sloppy security is usually just the tip of a sloppy fail-safe planning iceberg. It's not just that someone can enter commands without proper authorization. It's that they can enter commands without proper authorization AND enter commands which are pretty much guaranteed to kill anyone using the product. Chances are there are other issues where a doctor thinks he's telling the pump to do its thing in an appropriate manner and the pump is getting the message Kill All Humans!

Eriko, I think this might be the reference you're looking for.
posted by Kid Charlemagne at 8:46 AM on October 29, 2011 [1 favorite]


Surely this is less of a dangerous risk than installing McAfee on your insulin pump would be.
posted by straight at 8:56 AM on October 29, 2011 [3 favorites]


Seriously? The people who wrote the embedded software for this medical device have never read either McConnell or Dijkstra? Jesus wept.
posted by ob1quixote at 9:43 AM on October 29, 2011


Oh, and saying "We're talking about code that was developed approximately 10 years ago, so there really wasn't security on the forefront of these embedded devices," does not get you off the hook. Code Complete was published in 1993. Dijkstra was writing about formal methods for decades before that. A Discipline of Programming came out in 1976.

Tell that "there really wasn't security on the forefront" story walkin'.
posted by ob1quixote at 9:50 AM on October 29, 2011


For whatever it's worth, I once worked for a company that made skin electrodes for EKG. Medtronic bought the company. All their people that I had interactions with were assholes.

When I started having atrial fibrillation, my cardiologist annoyed me by repeatedly saying I'd probably need a pacemaker. I eventually went online and discovered that for some people, there is a cure for AFib. After having the procedure, it appears that I am one of those people. The cardiologist never even mentioned the possibility until I asked about it. If the AFib returns, I'll go for that procedure again. If it's a choice of getting a pacemaker or risking death, I'm not at all sure I'd go with the device.
posted by Kirth Gerson at 9:59 AM on October 29, 2011


We'll have to add a femme fatale

... or homme fatal.

Note: when considering broadening "femme fatale" by the inclusion of "homme fatal," do not do a non-image Google search on the term to verify it is grammatically correct French unless you like nude beefcake pics. That is all.
posted by zippy at 10:08 AM on October 29, 2011


The reason I care about this is not because the risks are that large now (it's large enough for the one person that is ever killed this way, but I'm taking a wider view here) but because there's a huge business/engineering culture that has very long lead-times to implementing the correct practices necessary in a world where more and more and more devices are wirelessly interconnected and some of them are mission-critical in the "lives are at stake" sense.

Think about how long it's taken business computing to take security even partly as seriously as it needs to take it. Right now people are designing and implementing hardware and software solutions that are not remotely secure or robust enough for their context.

Having insecurities like these pointed out now and publicly embarrassing both the manufacturer and the regulatory agencies is crucial for beginning the shift in practices that is necessary for the quickly coming time when almost everyone will have exposure to these sorts of vulnerabilities.
posted by Ivan Fyodorovich at 10:13 AM on October 29, 2011 [2 favorites]



... or homme fatal.

I contemplated working that in, and then realized that I can't think of a single spy movie plot that uses a homme fatal as an enabling plot device for a male or female spy-protagonist. Which is too bad, because it'd be cool. Maybe I need to trawl IMDB.

posted by snuffleupagus at 10:28 AM on October 29, 2011


This sounds like a job for Chev Chelios.
posted by hermitosis at 10:35 AM on October 29, 2011


Oh, and saying "We're talking about code that was developed approximately 10 years ago, so there really wasn't security on the forefront of these embedded devices," does not get you off the hook. Code Complete was published in 1993. Dijkstra was writing about formal methods for decades before that. A Discipline of Programming came out in 1976.

And Ada was developed in the late 70s for exactly this kind of problem set. It's absolutely not a new concern.
posted by rodgerd at 11:14 AM on October 29, 2011


I am getting a Medtronic pump in the next month or so. My boyfriend is an accomplished computer programmer. We have a life insurance policy.

Can I please have a preemptive moment of silence?

.
posted by munchingzombie at 11:32 AM on October 29, 2011 [2 favorites]


You can have my insulin pump when you pry it from my cold, hands.

Wait.
posted by chinston at 11:35 AM on October 29, 2011 [1 favorite]


So I guess now we have to worry about terrorists targeting us when we're at our most vulnerable: as we stave off diseases of our own making.
posted by Slackermagee at 11:55 AM on October 29, 2011


Spending money on features like encryption or security would cut into the bottom line, therefore they're the first out the door. People will naturally choose the model that won't kill them once a few dozen people die from random teens being bored and seeing if they can make their neighbor make a funny face over the wireless network.

(That's the part that I would be worried about--not some faceless psychopath but people playing pranks with these devices or unforeseen complications. I once had a garage door opener that would activate when a plane flew overhead, something about the radio signals from the plane. I'd hate to have a pump that would start injecting insulin the moment it runs past the scanner at the grocery store or what have you.)
posted by fifteen schnitzengruben is my limit at 12:28 PM on October 29, 2011


I'm not sure what is expected here. Dick Cheney had (has?) a Medtronic implantable defibrillator and it's been known for years that those things can be hacked. Just because something is possible doesn't mean it has a remote chance of happening.

One intractable problem is that every programmer has to be able to access every individual device of the model series it is designed for. Obtaining a programmer takes a lot less technical skill than designing a hacking device. So it's not possible to make devices totally secure without physically securing the programmers and the code they run.

I used to work for Medtronic in the Cardiac Rhythm Disease Management area, but have no economic interest in them any more. When I was there, way more concern was expressed about device malfunction and the harm it caused than about someone taking the time and trouble to hack into a device to do harm either intentionally or unintentionally. The engineers were conscious of and worked hard to prevent accidental reprogramming due to electromagnetic interference. I think there are just too many ways to hurt someone without going to all this trouble to make it a viable risk.

Call me when someone is actually harmed. Meanwhile I hope they spend their resources on making their devices reliable and bug free.
posted by Mental Wimp at 12:41 PM on October 29, 2011 [1 favorite]


Call me when someone is actually harmed

I can't help but think that the board members on the companies who made the Ford Pinto, the drugs Redux, phen-phen, and several children's cribs must have uttered very similar words.
posted by Poet_Lariat at 1:54 PM on October 29, 2011 [3 favorites]


Tech support is starting to turn into a much more interesting job.
posted by krinklyfig at 2:39 PM on October 29, 2011


The "eh, so it's not perfect" argument comes across as so much horseshit to me, for some very basic reasons.

First, this is a critical, life-sustaining piece of machinery for those of us unlucky to need them.

Second, Medtronic is an evil medical-conglomo-buy-the-competition-run-them-into-the-ground-or-just-make-it-impossible-for-them-to-get-insurance-contracts-profiteer. My new Medtronic pump cost 2500 dollars more than my previous, better-made device. The little electronic pump on my belt cost over 7000 dollars and requires $300/month above and beyond my copays in supplies to use it. (Supplies that are proprietary, of course.)

Since they are allowed to run the competition away and charge whatever they please, their products should be pretty fucking perfect.
posted by Benny Andajetz at 2:48 PM on October 29, 2011 [1 favorite]


Slackermagee, a child who develops type 1 diabetes is not at fault for her condition. It's an autoimmune disease.
posted by chinston at 2:49 PM on October 29, 2011 [1 favorite]


I have participated in pump trials and feedback for design of new pumps. The more pressing issue is that you are giving a somewhat complicated dosing device to the general public, loaded with a hormone that can kill them if they get confused on the interface. Anyone who has worked tech support knows that there are many members of the general population with the brains of an artichoke. Making an interface that will protect these users from themselves seems to be priority number one at the moment - maximum dosage boluses within 24 hours, maximum dosage limits, alarms that go off if no doses have been delivered within X units of time, etc.

Of course, these same users could handily kill themselves by misdosing with an insulin syringe, but if they die, nobody will launch a recall of syringes.

One question for those of you who have done medical device engineering - why not just use Bluetooth? It has problems but at least they are pretty well thrashed out by this point.
posted by benzenedream at 2:57 PM on October 29, 2011


Anyone who has worked tech support knows that there are many members of the general population with the brains of an artichoke.

My experience doing IT work for a medical clinic demonstrated clearly to me the issues surrounding specialization. Surgeons in particular have highly specialized skills relevant to their job, but if they own a clinic for instance, they often make decisions regarding their computer network far outside their realm and as a result are dependent on the ability of IT to solve problems as well as communicate/advocate for the best solution involving billable hours and purchase decisions. IT does this for most clients and comes with the territory, but medical IT ends up being much more of a political job dealing with these extraordinarily driven and often overworked people. And joining them in these decisions are accountants (bean counters) and board members. And their billing/income is dependent on insurance companies and Medicare, which at the surgical clinic level often requires one full time billing staff member for each provider (doctor), aside from other admin, techs and records staff. I am sure that Mental Wimp's experience is far more relevant as to Medtronic's devices in particular, but the medical industry is driven by cost and rent-seeking to an alarming degree, and by numerous competing interests.
posted by krinklyfig at 3:20 PM on October 29, 2011


as we stave off diseases of our own making.

Oh, did I give myself diabetes? Because when I got it at age 20 I was physically fit, had a healthy diet, and hardly ever touched sugar. In fact, most type-1 diabetics that I know fit a similar description.

Not all cancer is caused by smoking. Not all diabetes is caused by our own poor habits.
posted by munchingzombie at 5:04 PM on October 29, 2011 [3 favorites]


re: homme fatal

I contemplated working that in, and then realized that I can't think of a single spy movie plot that uses a homme fatal as an enabling plot device for a male or female spy-protagonist. Which is too bad, because it'd be cool. Maybe I need to trawl IMDB.

James Bond! Look at what happens to nearly every woman who falls for him.

posted by zippy at 7:59 PM on October 29, 2011


Spending money on features like encryption or security would cut into the bottom line...

If by "cut into the bottom line" you mean you could download something "free from the government" and paste it in, yeah, it would cut into the bottom line. There's even a stick figure guide for the folks in accounting.

But even if they were going to the trouble of coding their own (which they did anyway, just really really badly) their real problem is that there are a whole lot of big corporations who spent a shit ton of money so that they would be (or so they believed) in compliance with the law. As the security on their electronic signatures is only a little better than "Psst. Don't tell anyone the secret knock is 'Shave and a haircut!'", their electronic records could be eviscerated and their edit trails revised by every little old lady who works the daily cryptogram after she finishes the crossword puzzle.

When that comes out (I notified the people in charge of validation and I'd like to believe that they contacted the vendor, but in my heart, I know damn good and well that they didn't) and the FDA gets all "Hurf Durf! You said you validated this system!" to all these companies, and then they have to jump through all kinds of hoops and explain how this came to pass before the FDA will let their NDA move forward or some such, guess whose instrument they probably won't be buying next time around.
posted by Kid Charlemagne at 8:27 PM on October 29, 2011 [1 favorite]


BrotherCaine writes "As for those who ask why not plug it in to your computer rather than go wireless, it's pretty hard to have a waterproof insulin pump without wireless communication."

You can make a waterproof case and still have it require physical access to the device. Two simple methods would be inductive coupling and IR transmitters. HP figured out the latter on their scientific calculators at least 20 years ago (the 48sx used IR LEDs to communicate device to device).
posted by Mitheral at 9:00 PM on October 29, 2011 [1 favorite]


Or you could have something as simple as a physical switch to enable wireless access, leaving it off otherwise.
posted by delmoi at 10:42 PM on October 29, 2011 [1 favorite]


Mitheral and delmoi - your well-intentioned comments re: waterproofing are pretty useless. Neither of you have diabetes nor do you have an insulin pump in your pocket. The entire point of wireless communication with your pump is *so that you don't have to have line of sight (IR) or fumble with switches in your pocket*. Wireless communication with an insulin pump was a huge advance in pumping tech... that's saying something considering how little innovation there's been in the past dozen years. The specifics of the remote (also a blood meter with secondary alarms) mean that having regular communication between the two devices is quite desirable. Given my previous comment about water-proofness, having a waterproof case is also essential. Given that this device is attached to me literally 23 1/2 hours a day, adding a waterproof case only adds to what is already a bulky and unattractive device. Think about that. Pick out the least attractive pair of glasses you can find, then attach them to your head with a short cord. Keep in mind that if you take these heavy, bulky, and unattractive glasses off for more than a couple hours in a day you may go into a coma.

It's not as simple as slapping on a case or a switch.

Why don't Minimed or Animas (the dominant players) use Bluetooth with better security? I dunno. I'm not into hardware, but I've only been able to guess it's because of power consumption issues. I sure wish I could draw data via Bluetooth onto my iPhone or laptop, thus giving me a much easier way to get at my data.
posted by pkingdesign at 12:24 AM on October 30, 2011


Not all cancer is caused by smoking. Not all diabetes is caused by our own poor habits.

Relevant to the discussion:

Type I diabetes: autoimmune attack against insulin producing cells resulting in total lack of insulin production, requiring exogenous insulin to live. Cause unknown, can occur at any age.

Type II diabetes: insulin resistance which causes existing insulin production to not be sufficient to reduce blood glucose levels to normal. Caused by inactivity and overweight, associated with increasing age.

The vast majority of people on insulin pumps are Type I diabetics.

Note that due to the vast overprevalence of Type II diabetics, every Type I diabetic continually deals with people looking perplexed when a fit 20 year old says they take insulin. A good way to get punched out is to advise Type I diabetics to cut back sugar in their coffee, or take herbal remedies.
posted by benzenedream at 12:26 AM on October 30, 2011 [6 favorites]


pkingdesign writes "Neither of you have diabetes nor do you have an insulin pump in your pocket."

You have absolutely no way of knowing whether either of those things is true, at least in my case (I don't know delmoi's status or whether he's made public declarations of the same).

Discussion of my medical status aside, my comment wasn't whether wireless would be more convenient than a physical connection; obviously it will be if the wireless system works well. Just that a 100% waterproof case does not require wireless communication.
posted by Mitheral at 11:27 AM on October 30, 2011


For the record, software can't actually be proven to be safe. You're always proving a model, and the model never captures all the behaviors of the codebase (up to and including the analog reality underlying the digital logic).

That being said, provers are fantastic at finding bugs. Given a model, they're amazingly good at finding places where the model fails.
posted by effugas at 2:44 PM on October 30, 2011


OK, for more detail, the medtronic/minimed insulin pump has wireless communication for three purposes, 2 of which would be difficult to replace with IR or induction (which is really just a shorter range wireless if you think about it). Firstly, there are remote controls available for the pump so that a parent can control their child's insulin dosing easily without fishing the pump out of a pocket, etc... Secondly, if one has the integrated glucose monitoring system, a reading goes from the sensor to the pump every 5 minutes. Thirdly, the carelink wireless USB stick lets you upload your pump readings and medical data to the carelink website to share with your medical provider or spit out reports (this is the part that wouldn't have to be wireless).

In theory, the remote control part of the functionality requires the user to set it up from their pump before it's operational. The fact that the remote control functionality can be turned on without physically touching the pump is the real security issue for me.

As for maximum delivery, the pump has user settable limits for max bolus (one time delivery) and max per day. This would be extremely difficult to hard code or have a mechanical interlock, as I've met a diabetic who needed 300 units in a single day (really needed a diaport, internal pump, or maybe psychiatric help), and others who've needed about 3-10 units. And we're not even talking about the off-label uses of insulin pumps to deliver things other than insulin. Most diabetics limit their total available insulin to what they use in three days.

There are plenty of other issues with the insulin pump that I'd like fixed or improved more than the remote control hacking vulnerability. I suspect that there will be no fix for existing pumps, but rather the next model or the one after will get a fix and it will have to be approved by the FDA.
posted by BrotherCaine at 7:52 PM on October 30, 2011


BrotherCaine,

If they're not even paranoid enough to throw a password on the pump, then it's likely fairly trivial memory corruption attacks will bypass any user settable controls. That being said, a per user hard-maximum that's physically set in case of complete system corruption wouldn't be the worst idea ever, given the stakes.
posted by effugas at 4:56 AM on October 31, 2011
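Two defensive ideas come up in the exchange above: BrotherCaine's point that remote-control functionality is supposed to be enabled from the pump itself, with user-settable max-bolus and max-per-day limits, and effugas's suggestion of a per-user hard maximum that survives corruption of the settable values. The following is an added illustration in C of how a firmware command gate could enforce both; it is not Medtronic or MiniMed code, and every name in it (`pump_state_t`, `pump_request_bolus`, the dose numbers, the remote id 0xABCD) is a constructed placeholder. Doses are kept in tenths of a unit so the arithmetic stays in integers.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical pump command gate (added example, not a vendor's code).
 * All dose quantities are in tenths of a unit of insulin. */

#define MAX_REMOTES 4

typedef enum { SRC_LOCAL_UI = 0, SRC_REMOTE = 1 } cmd_source_t;

typedef enum {
    DOSE_OK = 0,
    DOSE_REJECT_UNPAIRED,     /* remote was never enrolled at the pump */
    DOSE_REJECT_MAX_BOLUS,    /* exceeds user-settable single-dose limit */
    DOSE_REJECT_MAX_DAILY,    /* exceeds user-settable 24 h limit */
    DOSE_REJECT_HARD_CEILING  /* exceeds clinic-set ceiling: final backstop */
} dose_result_t;

typedef struct {
    uint32_t enrolled_ids[MAX_REMOTES];
    int      n_enrolled;
    uint32_t max_bolus;        /* user settable, via local buttons only */
    uint32_t max_daily;        /* user settable, via local buttons only */
    uint32_t hard_daily_ceil;  /* in real firmware this would sit in
                                  write-protected storage set at the clinic;
                                  a plain field here for illustration */
    uint32_t delivered_today;  /* running total since the last daily reset */
} pump_state_t;

void pump_init(pump_state_t *p, uint32_t max_bolus, uint32_t max_daily,
               uint32_t hard_daily_ceil)
{
    p->n_enrolled = 0;
    p->max_bolus = max_bolus;
    p->max_daily = max_daily;
    p->hard_daily_ceil = hard_daily_ceil;
    p->delivered_today = 0;
}

/* A remote is enrolled only from the pump's own buttons, never from a
 * packet that announces itself over the air. */
bool pump_enroll_remote(pump_state_t *p, cmd_source_t src, uint32_t remote_id)
{
    if (src != SRC_LOCAL_UI || p->n_enrolled >= MAX_REMOTES)
        return false;
    p->enrolled_ids[p->n_enrolled++] = remote_id;
    return true;
}

static bool remote_is_enrolled(const pump_state_t *p, uint32_t remote_id)
{
    for (int i = 0; i < p->n_enrolled; i++)
        if (p->enrolled_ids[i] == remote_id)
            return true;
    return false;
}

/* User limits change locally only and can never exceed the hard ceiling. */
bool pump_set_limits(pump_state_t *p, cmd_source_t src,
                     uint32_t max_bolus, uint32_t max_daily)
{
    if (src != SRC_LOCAL_UI) return false;
    if (max_daily > p->hard_daily_ceil || max_bolus > max_daily) return false;
    p->max_bolus = max_bolus;
    p->max_daily = max_daily;
    return true;
}

void pump_new_day(pump_state_t *p) { p->delivered_today = 0; }

dose_result_t pump_request_bolus(pump_state_t *p, cmd_source_t src,
                                 uint32_t remote_id, uint32_t tenths)
{
    if (src == SRC_REMOTE && !remote_is_enrolled(p, remote_id))
        return DOSE_REJECT_UNPAIRED;

    /* Ceiling is checked first and without overflow, so it still holds
     * if the user-settable fields have been altered or corrupted. */
    if (tenths > p->hard_daily_ceil ||
        p->delivered_today > p->hard_daily_ceil - tenths)
        return DOSE_REJECT_HARD_CEILING;

    if (tenths > p->max_bolus)
        return DOSE_REJECT_MAX_BOLUS;
    if (p->delivered_today + tenths > p->max_daily)
        return DOSE_REJECT_MAX_DAILY;

    p->delivered_today += tenths;
    return DOSE_OK;
}

int main(void)
{
    pump_state_t p;
    pump_init(&p, 100, 600, 800);   /* 10 u per bolus, 60 u/day, 80 u ceiling */
    printf("unpaired remote: %d\n", pump_request_bolus(&p, SRC_REMOTE, 0xABCD, 50));
    pump_enroll_remote(&p, SRC_LOCAL_UI, 0xABCD);
    printf("paired remote:   %d\n", pump_request_bolus(&p, SRC_REMOTE, 0xABCD, 50));
    return 0;
}
```

The point of ordering the checks this way is that the ceiling test depends only on the ceiling field and the running total, not on anything a remote or a corrupted settings block can influence, which is what a last-line-of-defence limit needs to be. Enrolment and limit changes both require `SRC_LOCAL_UI`, so a packet arriving over the radio can at most request a dose inside limits someone physically holding the pump has already approved.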

