Vulnerability Management, Risk Assessments/Management

Report: Insulin pump management vulnerability could enable device takeover

A woman hands an insulin pen to Sen. Bill Cassidy, R-La., during a town hall meeting on Feb. 23, 2017, in Thibodaux, La. (Photo by Jonathan Bachman/Getty Images)

Recent research from Lyrebirds shows that a design protocol vulnerability in the Insulet OmniPod Insulin Management System, also known as OmniPod Eros, could allow an attacker to take control of the device and send programming commands, including the immediate injection of insulin. Lyrebirds is a Denmark-based cybersecurity consultancy firm.

The vulnerability itself is found in the communication protocol, which makes it possible for an attacker to potentially interrupt the signal through jamming or by sending messages after the nonce is transmitted, all without the device invalidating the nonce.

The nonce itself isn’t tied to the command, which means it can be used for any command the intruder would like to use and allow both devices to return to the expected, immediate program flow — while continuing to send or schedule the malicious behavior.

The pump and its controller communicate over 433MHz radio with three packaging layers that exist on top of the radio communication, including command and response, message and packet. The controller sends a command to the pump and it responds.

“All Programming Commands require a 4-byte nonce as the first parameter. Upon setup of a pump, the controller and pump exchange the LOT and the serial number of the pump which is used to seed a pseudo-random generator within both the controller and pump,” according to the report. “After pairing, these generators should stay in sync for the lifetime of the pump.”

“In case they get out of sync a process of re-syncing is initiated but the new seed will still depend on the serial number transmitted during pump setup. So unless one has intercepted the initial setup phase one cannot know nonce ahead of time,” it added.

The device requires a message and sequence number to send any packet, but does not employ encryption in the system communication. As noted by the researchers, any information sent between the device and controller is not encrypted. 

“It is important to point out that any data transfer is very localized, temporary, and less personalized than one could fear. However, being able to snoop on how much insulin people around you are taking and persistently identifying the same user over several days is an obvious problem,” according to the report. 

“It is hard to speculate on why this decision was taken, maybe encryption is not viable with the hardware given, either for storage reasons or due to lack of processing power/battery life,” it added. “However, this could also indicate that temporary (3 days) pumps that are thrown away after use, with no option for refilling/recharging is not a good solution for an insulin pump.”

As a result, the information in the message and packet headers can be exposed. For example, the report shows a passive observer could parse the needed information from the pump status before a scheduled time. An attacker could also extract the data directly from the headers they’re trying to exploit from the programming command.

Notably, nothing can be sent to the programming commands without a valid nonce. An attacker with access to the device would need to await any communication that requires a nonce to obtain the key. But once the nonce is acquired, the actor could jam the signal and invalidate the CRC8 check of the packet. 

The received nonce will remain valid for the attacker to be used for desired commands.

The primary concern for the researchers is that the primary command used between the controller and the device is to immediately deliver insulin. In the wrong hands, the actor could change the amount of insulin delivered to the device. The command also enables configuration of the extended insulin schedule, which could allow a bad actor to interfere with the dosing.

“Naturally, the same strategy can be employed, even easier, if intercepting a user scheduling future insulin injections,” the report authors wrote. “It is important to point out that no requests have been documented where the POD sends information about scheduled insulin.” 

“We, therefore, assume that if any device displays this information, it is under the assumption that this device is the only one communicating with the POD and would therefore not display the changes maliciously injected,” they added. As such, if a user sets a new schedule before the malicious one executes, the changes would be overwritten.

A similar vulnerability disclosure was issued in March 2020 and caused by the insulin pump’s communication via the wireless RF to the control. The device does not properly implement authentication or authorization. An attacker with access to the impacted insulin pump could modify and or intercept data, change pump settings, and control insulin delivery.

However, the researchers noted that for the previously disclosed flaw, the system can be exploited by parties that gain access to the setup process, “getting the seed, enabling them to generate the nonce themselves.” 

To take advantage of the exploit outlined in the Lyrebirds report, the process is not needed to exploit the flaw and the previous mitigation recommendations would not be effective to secure the newly disclosed vulnerability.

The current research focuses on proof-of-concept to increase awareness around the problem, rather than to weaponize the exploit. As such, their tests are performed within 6 meters of the device and will not increase the range. However, they hypothesize that the attack range could easily be increased with professional equipment, or by fine-tuning the modulation scheme, among other methods.

Further, the custom hardware attached to smartphones that enable communication with the pump, known as the “loop” system, is also vulnerable. And “loops could be vulnerable over much larger distances even without any” modifications.

Lyrebirds based its research on previous reports into the impacted protocol, particularly around the communication protocol used between the insulin pump and the controller. All information was confirmed in the report by testing real equipment purchased from Insulet.

The vulnerability was first discovered one year ago and disclosed to Insulet, with the researchers later contacting the Danish Medicines Agency, the media, and relevant outlets on Nov. 25. Insulet is currently attempting to switch users to the newer OmniPod DASH platform. However, the Eros system is still in active production and is the most active model.

Once the industry has applied the mitigation strategies, Lyrebirds intends to release the source code for the exploit.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.