With this blog post I am pleased to announce the publication of a new ERNW White Paper [1]. The paper is about severe vulnerabilities in an insulin pump we assessed during project ManiMed and we are proud to publish this subset of the results today.
Manipulating Medical Devices
The German Federal Office for Information Security (BSI), in its role as the Federal Cyber Security Authority in Germany, aims to sensitize manufacturers and the public regarding security risks of networked medical devices. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments. In the context of this project, severe vulnerabilities were identified during the assessment of the DANA Diabecare RS system.
The Medical Device
An insulin pump is an active medical device used for the administration of insulin in the treatment of diabetes mellitus (type 1 diabetes) and presents a less invasive alternative to multiple daily injections of insulin. The DANA Diabecare RS insulin pump is the central component of the therapy system and can be controlled with an application for the mobile operating systems Android and iOS via a Bluetooth Low Energy (BLE) interface. The manufacturer intends neither the use of remote control nor the use of a Continuous Glucose Monitor (CGM) device to build a closed-loop system.
Vulnerabilities
The device’s manual recommends using a weak device keypad lock PIN to easily disable the device lock. Moreover, all pumps have a default PIN of 1234. Additionally, the device PIN is disclosed without authentication via BLE. An attacker who has physical access to the pump and knows the PIN can unlock a locked pump, change the pump’s configuration, and administer an insulin bolus, which may lead to serious patient harm. Further, the physician PIN for gaining access to the pump’s physician menu is the same for all pumps and cannot be changed without contacting support. An attacker with access to this PIN and physical access to a pump can change the pump’s configuration, such as the maximum daily insulin dose.
Furthermore, multiple client-side controls were identified. The device keypad lock PIN is validated by mobile applications instead of being confirmed by the pump. An attacker can omit the check when communicating with the pump. All cryptographic keys and their key material used for the application layer encryption of BLE messages are generated deterministically, e.g., depending on the insulin pump’s hardware clock, and transmitted via cleartext BLE messages. Further, the authentication of the communicating party relies only on the possession of the pairing key. Additionally, the protocol implemented on top of BLE has no replay protection measures.
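The device-side counterparts to these client-side controls, as an added sketch (not code from the white paper, the pump, or the vendor's update): the pump itself verifies the PIN, draws its session key from a CSPRNG, and rejects replayed frames through an authenticated counter. All names, the frame layout and the lockout threshold are assumptions, and the key is assumed to reach the app over an authenticated pairing.

```python
import hashlib
import hmac
import secrets
import struct

MAX_PIN_FAILURES = 3  # assumed lockout threshold

class PumpSide:
    """Hypothetical device-side endpoint (not the DANA protocol or its fix)."""

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin.encode())  # only a salted hash is stored
        self.session_key = secrets.token_bytes(32)  # CSPRNG, not clock-derived
        self._last_counter = 0
        self._failures = 0
        self.unlocked = False

    def _hash_pin(self, pin: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin, self._salt, 50_000)

    def handle(self, frame: bytes) -> str:
        if len(frame) < 8 + 32:
            return "malformed"
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.session_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"  # unauthenticated frames never touch state
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self._last_counter:
            return "replay"  # a captured frame cannot be sent again
        self._last_counter = counter
        command, _, arg = body[8:].partition(b":")
        if command == b"UNLOCK":
            return self._unlock(arg)
        return "ok" if self.unlocked else "denied"

    def _unlock(self, pin: bytes) -> str:
        if self._failures >= MAX_PIN_FAILURES:
            return "locked-out"
        if hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self.unlocked, self._failures = True, 0
            return "unlocked"
        self._failures += 1
        return "bad-pin"

def make_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()
```

Because the unlock decision and the counter live on the device, a client that skips its own PIN check or resends a recorded frame gets `denied` or `replay` rather than a processed command.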
Impact
The combination of the identified vulnerabilities empowers an attacker to hijack the DANA Diabecare RS insulin pump via Bluetooth Low Energy (BLE) using the sniffed pairing key, which may lead to serious patient harm. To perform an attack, an attacker needs to be in proximity to the pump and sniff a single communication between a pump and a paired mobile application. Afterwards, the attacker can use all functionalities that are utilizable via BLE. This may lead to serious patient harm.
The manufacturer prepared an update for the insulin pump, thereby fixing all identified vulnerabilities. The firmware update can be applied to a Dana Diabecare RS insulin pump with the help of the respective local distributor. To temporarily reduce the risk of potential patient harm, it is recommended to disable the insulin pump’s BLE functionality by putting it in airplane mode. In airplane mode, the insulin pump’s therapeutic purpose is preserved, as controlling the device via mobile applications is optional. Furthermore, it must be noted that the device implements safety features such as a maximum daily dose or bolus block. These settings can only be configured on the pump and, therefore, cannot be circumvented by an attacker nearby. [2]
Disclosure
- August 30, 2019: The BSI contacts SOOIL to inform about the vulnerabilities
- September 2019: Vendor acknowledges the vulnerabilities
- March 3, 2020: The manufacturer’s Field Safety Notice (FSN) is published by BfArM
- April 2020: The firmware update is rolled out to first patients in Europe
- September 2020: Public Disclosure of the vulnerabilities
CVEs are to be assigned. This blog post will be updated accordingly.
References
[1] Julian Suleder. ERNW White Paper 69 – Safety Impact of Vulnerabilities in Insulin Pumps. Online: https://ernw-research.de/en/whitepapers/issue-69.html.
[2] German Federal Institute for Drugs and Medical Devices. Field Safety Notice. Dringende Sicherheitsinformation zu Insulinpumpe DANA Diabecare RS;mobilen Anwendung AnyDANA von SOOIL Development Co. Ltd. May 08, 2020. Accessed: September 09, 2020. Online: https://www.bfarm.de/SharedDocs/Kundeninfos/DE/07/2020/17203-19_kundeninfo_de.html.