August 5, 2011

Pump Hacking and What Really Matters.


In today's news: Insulin Pumps can be hacked.
I don’t find it at all surprising that pumps and meter communications can be hacked. Nor do I have a big issue with the idea of publishing it, particularly at a hacker convention in Vegas. 
There is an appropriate flow of information. I don't think legitimate hacking is an oxymoron. People find vulnerabilities. They make them known. The folks who make the products fix the issues. I am good with that.
I know that I ‘hacked’ the very first pump we had - kinda. The organization of the food database was a mess. The first few categories of foods presented were not things my 5th grade son was interested in eating (Baby Food & Beans.) I wrote the manufacturer about what I saw as a usability shortcoming - nothing came of it.
That food database was a markup language. I found I could manually manipulate that markup language in a text editor to put foods into the more accessible beans and baby food categories that they didn’t belong in. Well unless Lucky Charms are baby food. I guess some would make the argument that they are intended to be kids' food and go all food police on who eats what. But the food police are not the point here, devices are.
Even with my hack the food database was not a great setup. I would love to see a convenient food database, one that built meals like an iPod makes song lists from a library of foods but that ain’t happening. I think the kind of advancements in user interface, like that, are for the most part, prohibited by the process of getting the FDA to sign off on changes. It simply costs too much to be worthwhile.
So I hacked the food database. I am not surprised to hear that someone else hacked pump communications. I don’t think the rest of you should be too worried - both of us are fairly harmless geeks. 

Short of an elaborate Columbo episode, I don’t see much incentive to maliciously hack a pump or meter. It apparently takes skill, equipment and being reasonably close to the device in question. In day-to-day life how often is your pump close enough to a highly skilled geek who wants to hack your pump and has a bag full of gear handy?
I think there is a risk of unintended ‘hacking’ in households with multiple people on similar devices. Say little Jane and big brother Johnny both use brand X pumps with remotes. Those remotes are basically indistinguishable. Their baby brother crawls over and pulls the remotes off the table and onto the floor. There, baby pulls them out of their cases and makes a general mess. (Babies do this kinda stuff for fun and they are WAY good at it.) At dinner Jane and Johnny bolus. It seems to me that in picking them up and putting them back in their pink and black cases the remotes could easily be switched. Johnny picks up Jane’s remote thinking it is his, knows he needs 12 units and fires away, shooting his little sister a bigger bolus than she needs or can reasonably eat to cover.
I think that is a far more real risk than malicious wireless hacking. I worry that the news of the wireless vulnerability reported above will distract development and regulatory efforts from making diabetes devices more useful. Useful like say different color remotes, usable food databases, smartphone data exchange or the holy grail - data standardization. 
The real risk in my mind is a paralysis based on fear of the phenomenally unlikely that prevents the eminently useful from coming to market. Now you may think I am nuts. Many will agree with that. I don’t have much I can put up to defend myself from claims of craziness. I will however offer this:
Fear of adverse reactions, including raising A1Cs some undefined but magical amount, and a feeling that studying those fears is critical, is keeping advanced diabetes management tools from people living with diabetes in the USA. Consider the auto suspend pump based on CGM data - it is available in a lot of countries other than these United States. The FDA doesn’t even have rules in place to consider approving it.
They are afraid of the wrong thing. 
This is a year where a number of young people have passed away from overnight hypos. It seems to me that the fears around incremental changes in A1C from low glucose suspend systems are preventing tools, that may have saved lives, from getting into the homes that need them. I fear that kind of mistaken priority. I fear this hacking news could make such priority errors more common. 
There are real risks involved with living with diabetes. We know that. We manage the fear associated with that and diabetes together. We need to focus on the real issues, not unlikely ones. The risk of insulin pumps being hacked is not anywhere near as newsworthy as the fact that US access to technology is behind the rest of the world's. That devices that are designed and manufactured here, are only sold overseas, is a real issue.
I submit that the cost and delays involved with the FDA regulatory process are more harmful than a hacker in Vegas. What happens in Vegas stays in stories that don't stay in Vegas.  What doesn’t happen in Washington costs lives across America. 



Please read my good friend Kerri's post on this same subject at:
http://sixuntilme.com/blog2/2011/08/hacked_jay_radcliffe_insulin_p.html

Or Scott Hanselman's (Of Scott's Airplane Analogy in my side bar) at:
http://www.hanselman.com/blog/HackersCanKillDiabeticsWithInsulinPumpsFromAHalfMileAwayUmNoFactsVsJournalisticFearMongering.aspx
Kelly Booth: 

4 comments:

Michael Hoskins said...

Thanks for this, Bennet. Hopefully this doesn't create needless worry and concern at the FDA and medical device manufacturers, slowing the process down even more than it already is.

Kerri. said...

I hate, hate, hate the sensationalist journalism going on in mainstream media with this Jay Radcliffe thing. I talked with him today and told him that while I agree that identifying security holes is important, I'll still sleep fine. And that I don't agree w/how he presented his case at Black Hat. :(

http://sixuntilme.com/blog2/2011/08/hacked_jay_radcliffe_insulin_p.html

Angela said...

Thank you for being a calm voice of reason in the sensationalism associated with this story, Bennet. As a family with a 6 year old and 3 year old on Animas Pings, I am also far more concerned about the "Johnny and Jane" remote mixup situation.

I guess I'm a little annoyed that anyone thought the pumps couldn't be hacked in the first place. (Or did they really?) After all, they are electronic devices communicating wirelessly, so I feel like this sudden panic years down the road is foolish.

Bennet said...

Angela

If you are not aware, there is a way to get the kids' names into the remotes rather than just cryptic serial numbers. See this post for details:
http://www.ydmv.net/2010/11/remote-reply.html