Literature Review - mshapiro2025/MedBreach-Capstone GitHub Wiki

Literature Review

Medtronic Minimed 530G

Previous research has been performed to determine the internal functions of insulin pumps. There have been several examples of independent testing, like Jerome Radcliffe's examination of the data transmissions of an insulin pump and continuous glucose monitor [1]. This study describes the steps taken to perform reconnaissance on the devices, capture data transmissions, and determine how these transmissions are encoded so that they can be replicated. This indicates that Arduino radio frequency modules are a viable option for working with insulin pump data transmissions, and demonstrates the useful information that can be found in the data sheets for the microchips inside insulin pumps. However, this document does not state what type of insulin pump was tested, which makes it less useful for MiniMed-specific testing.

There are other examples of MiniMed-specific testing being performed. A YouTube video from Antonis Karafotakis demonstrates how to disassemble the MiniMed 530G and labels the parts as the disassembly is performed [2]. It begins by identifying the external parts, like the insulin reservoir, the battery compartment, and the end cap, before removing each to access the PCBs inside. The video then identifies a few of the internal elements, like the screen and a CMOS chip, but several other internal elements remain unmarked. This video is extremely useful for learning how to disassemble the MiniMed 530G pump without any experimentation or potential unintended damage to the PCBs or chips inside. However, it does not cover all of the PCBs, nor does it discuss their purposes.

There is also a discovered vulnerability recorded in NIST's National Vulnerability Database for MiniMed pumps, including the MiniMed 530G [3]. This vulnerability requires a remote controller for the pump and the "easy bolus" and "remote bolus" options to be enabled. When these conditions are met, if an attacker can capture the transmissions between the controller and the pump, they can replay those transmissions with the same effect as the originals. The CVE page does not provide further information, but a Wired article about the vulnerability goes into greater detail [4]. This article describes how two researchers exploited the vulnerability by creating an application that would replay signals captured using an open-source piece of software. This made the exploit easy and accessible to use, and according to the researchers, was done to encourage Medtronic and regulatory institutions to create a fix for the vulnerability. However, there was no way to patch the devices; Medtronic instead offered a voluntary recall. The CVE and the Wired article provide a basis for the kinds of results that research and testing on medical devices can produce, and demonstrate the real danger created by overlooking medical device cybersecurity. However, this vulnerability focuses on data transmission and requires a very specific set of conditions to be met. Our research and testing for the MiniMed 530G focuses on hardware hacking and examination of the data stored in the pump, not the data being transmitted.

Citations

  1. Radcliffe, Jerome. “Hacking Medical Devices for Fun and Insulin.” University of New Orleans, cs.uno.edu/~dbilar/BH-US-2011/materials/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf. Accessed 29 Sept. 2024.
  2. Karafotakis, Antonis. “What’s inside an Insulin Pump - MiniMed530.” YouTube, YouTube, 19 Mar. 2019, www.youtube.com/watch?v=TqwQqCbmgoE.
  3. “CVE-2018-14781.” NIST National Vulnerability Database, 13 Aug. 2018, nvd.nist.gov/vuln/detail/CVE-2018-14781.
  4. Newman, Lily Hay. “Hackers Made an App That Kills to Prove a Point.” Wired, Conde Nast, 16 July 2019, www.wired.com/story/medtronic-insulin-pump-hack-app/.

Philips Intellivue MP5

Prior work on the Philips Intellivue MP5 patient monitor: There are known exploits against the operating system of the Intellivue MP5. Unfortunately, there is very little documentation on exploitation and nothing on active pentesting against the device, so there is not a lot of prior work on the MP5 monitor specifically. Even though there are no tests for the Intellivue MP5, there have been tests done on other types of patient monitors, which can be used as a point of reference for active exploitation. While these tests are helpful, just like with the MP5 there is very little to find in regards to past pentests against monitors. Having so little documentation and so few tests against patient monitors will make testing the Intellivue difficult, but it will also make this project more interesting, as it covers a mostly unexplored topic.

In one test against an unnamed monitor, researchers exploited the Health Level 7 v2 (HL7v2) messaging system used on clinical data systems [1]. Patient data can be transferred between systems through a scannable barcode, so they performed this exploit using a scannable barcode to deploy the payload onto the monitor. It should be noted that complete HL7v2 messages cannot be injected; however, enough can be injected to falsify patient data on the device, which can lead to misdiagnosis or a patient not getting the proper treatment they need. While this manipulation of data can seem small, the consequences can be massive and potentially fatal.

Claroty’s Team82 gave a talk on attacking a patient monitor through remote access [2]. They describe the process of disassembling the monitor to analyze the hardware and PCBs of the device, as well as how they remotely accessed the monitor. To access the monitor they created a backdoor, along with a custom phone app to use the backdoor with. Through the backdoor they were able to use code injection to alter the vitals data shown on the monitor, which, as in the other example, can have devastating effects on a patient. The researchers were also able to inject malware into the system through the backdoor, which they demonstrate in the video.

References:

[1] Suleder, J. (2020, April 23). Medical device security: HL7v2 injections in patient monitors. Insinuator.net. https://insinuator.net/2020/04/hl7v2-injections-in-patient-monitors/

[2] Preminger, A., & Brizinov, S. (2023, January 10). Team82 Patient Monitoring System Hacking. YouTube. https://www.youtube.com/watch?v=lHZtDS7jPbo

Insulet OmniPod Dash

In 2011 Insulet created the first tubeless insulin pump, which used low-level frequency Bluetooth rather than a tube to deliver insulin. The device allows you to enter the carbs you are eating, your blood sugar, and how much insulin you want to take; the device then sends the insulin amount to your pump, which delivers the insulin. Since 2011, as the generations of OmniPod have continued, new features and functions have been implemented. With these new releases of devices, other issues have arisen, and with dissatisfaction from some customers, some users even decided to hack their own devices, making a move toward building bionic pancreases themselves. This movement, called “We Are Not Waiting” [1], used open-source code and information to allow individuals to customize their devices and let them dose insulin based on their projected blood sugar levels, similar to the OmniPod 6. This movement forced Insulet to add the feature to their next system, but because the items were so easy to change and adjust, it allowed a user to create an app on their phone in place of the Dash itself [2].

A University of Cambridge researcher did a complete teardown of a previous OmniPod device, tearing down both the PDM and the pump, exposing the engineering of the device and providing a complete analysis of all components, a firmware extraction, and an assessment of the security of the PDM itself [3]. This teardown and testing showcased and discussed different aspects not only of the devices, but of the security of medical devices as a whole, and how the security of these devices may have a direct impact on the user’s health, as the possibility of a bad actor weaponizing or hijacking someone's medical devices is a very real threat.

The number of diabetics who use CGMs (continuous glucose monitoring devices) and devices such as the OmniPod Dash has risen over the years because of their ease of use and accessibility. With these devices also come passive and active attacks, such as eavesdropping on wireless communication, gaining control of devices, and using them to harm the person they are attached to [4]. The attacks showcased range from privacy attacks to integrity attacks and availability attacks, all of which can be showcased and used for the purposes of this project.

Citations

[1] Jansky, Bianca, and Henriette Langstrup. “Device activism and material participation in healthcare: Retracing forms of engagement in the #wearenotwaiting movement for open-source closed-loop systems in type 1 diabetes self-care.” BioSocieties, vol. 18, no. 3, 22 Apr. 2022, pp. 498–522, https://doi.org/10.1057/s41292-022-00278-4.

[2] CNET. “I Used Loop to Hack My Insulin Pump.” YouTube, YouTube, 12 Apr. 2022, www.youtube.com/watch?v=vjQuy4VFbQ8&t=614s.

[3] Skorobogatov, Sergei. Deep Dip Teardown of Tubeless Insulin Pump. 2017, doi:10.17863/CAM.23096.

[4] Li, C., Raghunathan, A., and Jha, N. K. “Hijacking an Insulin Pump: Security Attacks and Defenses for a Diabetes Therapy System.” Proceedings of the 13th IEEE International Conference on e-Health Networking, Applications, and Services, June 2011, pp. 150–156.