Breaking

ManiMed: Ypsomed AG – mylife YpsoPump System Vulnerabilities

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Scope

This blog posts elucidates the security assessment of the mylife YpsoPump system from the Swiss manufacturer Ypsomed AG.

The mylife YpsoPump insulin pump is the central component of this therapy system. It can transmit delivery data to a mobile application called mylife App for the mobile operating systems Android and iOS via Bluetooth Low Energy (BLE) interface. The pump cannot be controlled via BLE. The mylife App can transfer data to the mylife Cloud. The system offering a web application aims to ease communication between diabetics and healthcare professionals with the mylife therapy management solution for therapy data.

The assessment focused on the communication protocol between mylife YpsoPump and mylife Android App as publicly available in the Google PlayStore and the communication between mylife App and mylife backend. The mylife backend and a respective web frontend were not the focus of the assessment. An ICS Medical Advisory (ICSMA-21-196-01) was published on July 15, 2021 [2].

One of the Ypsomed mylife YpsoPump insulin pumps tested in project ManiMed. [1, p. 45]
One of the Ypsomed mylife YpsoPump insulin pumps tested in project ManiMed. [1, p. 45]

Results

The communication between YpsoPump and mylife App is authenticated by credentials derived from publicly available information in addition to BLE pairing mechanisms. Further, the pump’s battery may be drained by unauthenticated Bluetooth GATT writes, resulting in the pump vibrating.

More vulnerabilities were identified in the communication between the mylife App and the mylife backend. The mobile application and backend of the test environment communicated via HTTP and transmitted data symmetrically encrypted. In production, the communication took place via HTTPS, but the HTTP endpoint without transport-layer encryption was available, too. The key and initialization vector of the symmetric encryption were hardcoded in the mobile application’s code.

Software and third-party components used are partially outdated and contain publicly known vulnerabilities. However, none of these vulnerabilities could be exploited during the test. Additionally, a password policy for the mobile application and the front end was missing. When submitting the registration form, a password hash is returned. Furthermore, a reflection of the user password during the login process while downgrading the connection from HTTPS to HTTP could be observed.

Impact

The abovementioned vulnerabilities have no impact on the main functions of the insulin pump. Furthermore, no compromise of the mobile application was possible. The communication between the mobile application and the backend was vulnerable to man-in-the-middle attackers. Many of the vulnerabilities were fixed with configuration changes. The manufacturer identified no patient harm and rolled out an update addressing the design and logic flaws in the backend, front-end, and mobile applications.

References

[1] Bundesamt für Sicherheit in der Informationstechnik (BSI). Veröffentlichungen. Online (accessed July 28, 2021): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/DigitaleGesellschaft/ManiMed_Abschlussbericht_EN.html

[2] ICS Medical Advisory (ICSMA-21-196-01). Ypsomed mylife. July 15, 2021. Online (accessed July 28, 2021): https://us-cert.cisa.gov/ics/advisories/icsma-21-196-01

Leave a Reply

Your email address will not be published.