Naked Security

Diabetics are hunting down obsolete insulin pumps with a security flaw

The flaw makes it possible to overwrite the devices' programming and insert an algorithm that turns them into artificial pancreases.

Eight years ago, thanks to 10-year-old code that failed to use encryption to conceal the content of its wireless transmissions, security researcher Barnaby Jack successfully hacked a Medtronic insulin pump and proved it’s feasible to poison a diabetic wearer with a potentially lethal overdose.

If diabetic equipment hackers cared about money, that security flaw would now be worth more than gold. But they don’t.

What the community of people devoted to hacking their way to better diabetes management through homemade, closed-loop systems cares about is helping themselves, loved ones and each other to climb over the lag in Federal Drug Administration (FDA) approval of such systems.

Medtronic hasn’t sold those flawed pumps for years. You can still get them, though, and an army of people dedicated to hacking insulin pumps has arisen to source them wherever they can find them, including on an underground market for medical devices that exists in places like eBay, Craigslist, or Facebook.

This is nothing new. Hackers first realized they could exploit the security flaw for a DIY diabetes revolution back in 2014. And on Monday, The Atlantic published a comprehensive look at how they’re hunting down the obsolete, security flaw-ridden devices, which can be used to create artificial pancreases because they’re so conveniently hackable.

DIY pancreas

The pancreas of a Type 1 diabetic doesn’t produce insulin, or doesn’t produce enough, to keep blood sugar levels under control. That lack of control will eventually lead to death if the hormone isn’t administered manually, whether it be through multiple daily injections or via insulin pumps that do it automatically and continuously, feeding a steady drip of insulin through thin, disposable tubing that’s inserted under the skin.

Another crucial part of diabetes care is a continuous glucose monitor (CGM), a sensor that measures blood sugar levels and also slips just under the skin.

Tie together insulin delivery with CGM data, throw in some algorithms that can dynamically respond to rising and falling blood sugar by adjusting insulin delivery, and you’ve got an artificial pancreas. The idea is like the promised land to Type 1 diabetics: without the need to continuously monitor blood sugar levels, they can actually sleep through the night.

Many now can’t, given how CGM alerts jolt them awake, calling them to action, be it eating something to fend off low blood sugar (potentially lethal) or administering more insulin to fend off high blood sugar (also dangerous and potentially lethal).

It’s not that we don’t have all the hardware components now. We had the components to create an artificial pancreas back in 2014, as well. The problem was, and still is, that the pumps couldn’t talk to the sensors. That’s where the Medtronic pump’s security flaw came in.

The hackers realized they could exploit that flaw to override the programming in the old Medtronic pumps, substituting their own algorithm that automatically calculates insulin doses based on real-time glucose data. As The Atlantic puts it, that closed the feedback loop.

Multiple looping systems now available

The hackers made the code available online as OpenAPS – the Open Artificial Pancreas System project – and homemade “looping” was born. Besides OpenAPS, there’s also now another system called Loop. Communities have grown up around the technologies to help what The Atlantic says are now thousands of people who are experimenting with DIY artificial pancreas systems.

The FDA hasn’t officially approved any of them. That isn’t stopping diabetics and their helpers, though, whose war cry is #WeAreNotWaiting.

As word has spread, the old, compatible Medtronic pumps have gotten ever tougher to hunt down. The Atlantic spoke to one diabetic who got lucky enough to win one in a periodic raffle held by an online group for diabetics – that’s how coveted they are.

Aren’t these diabetics frightened of malicious Wi-Fi hacks?

When Jack first hacked the Medtronic back in 2011, the news was met with alarm, as are any security flaws that could lead to somebody dying. It was yet another example of how the FDA wasn’t taking the issue of medical device hacking seriously, critics said.

But the remote possibility that somebody’s going to scan for their pumps’ serial numbers and get physically close enough to remotely take them over doesn’t come close to offsetting the relief that loopers get from being able to simply relax when it comes to the constant vigilance that is the lot of diabetics. The Atlantic quotes one looper, Doug Boss, who said that the everyday risks of high and low blood sugar are a lot more real than the possibility of a malicious hacker lurking around a corner:

If I drink coffee in the morning and forget to enter it into my phone, my blood sugar is going to be higher than normal.

Thank you, Barnaby Jack

It’s not often that we get the chance to write about the upside of a security flaw… if ever. This is the most positive one I’ve ever run across, at any rate. And it’s a welcome opportunity to thank the ingenious Barnaby Jack for calling the world’s attention to a security flaw that could have caused harm but did the opposite.

Barnaby Jack passed away in 2013. We lost you too soon, Mr. Jack, but as time goes on, we grow ever more grateful for your contributions.

7 Comments

Open source community exploiting the security flaw to the benefit of the patient is wonderful but then it leaves the patient’s health dependent on the batteries that power the loopback insulin delivery system. Yeah still better than the alarms – I know people that live that miserable life.

Well, our lives (I’m on a pump and have been Type 1 for 54 years) are still dependent on battery life, even without looping, given that all the components – the pump, the receiver – are already battery run. So while I don’t think looping really alters that scenario, I do hear that, as you say, it’s a huge relief to be able to sleep through the night. It’s a tempting prospect, but a daunting task to somebody who isn’t much of a DIYer and isn’t a fan of Medtronic for various reasons.

We are going to try Loop since the RileyLoop will work with OmniPod devices.

Update: I’m on the same path myself. I switched to an OmniPod about a week ago, and I have my RileyLink. I was inspired by that article from the Atlantic and decided to put my “I’m not much of a DIYer” to the test. I’ve built the Loop app and am just trying to get my sugars stable; Omnipod has weirded them out for whatever reason. Or sitting on my butt reading too many posts about looping instead of, say, exercising. ;-) Good luck to you, Mike, and to all of us.

Thanks for a neat story, and nice to hear something so positive happening by a group of dedicated people.

You’re welcome. Yea, we’ve always known open-source was cool, but this? This is a whole ‘nuther low-carb muffin.

Barnaby Jack only made it harder for people wanting to loop since the technology is made more scarce. The recent firmware updates made to once-compatible and older insulin pumps have turned them into paper weights collecting dust. His actions were well-meaning, but unfortunately made the situation for diabetics worse.

We need work-arounds to these security updates and it’s a shame Barnaby isn’t still with us, else he could help hack the “improvements” implemented to “save” lives. Instead, I agree with the article. By taking vulnerable pumps that were eligible for looping off the market, it’s resulted in people living in misery trying to manage diabetes themselves. This is a job meant for computers, not people, and this reaction by the Medtronic company has set us back a good 10-20 years. And I understand the 670g system was their answer to looping, but frankly, the system sucks and doesn’t work very well.
