Insulin overdose by remote control

Forums › Health and fitness › Insulin overdose by remote control

Rikkitic

Lock him up!
10667 posts

Uber Geek

Lifetime subscriber

# 204574 7-Oct-2016 14:10

2 people support this post

Forget car hacking. According to an article on The Register, American insulin pumps have no security at all and can be activated by unencrypted radio signals. The manufacturers insist no-one has ever been overdosed this way and the risk is minimal, but my question to any diabetics out there is would you feel comfortable depending on a device like this? I certainly wouldn't and while I am not diabetic, my dad was. Isn't this being just a leetle bit non-chalant with people's health and safety? (Apparently it costs more to make secure pumps.)

I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney

MikeAqua

5385 posts

Uber Geek

# 1647343 7-Oct-2016 15:03

I know someone who has a pace-maker and defibrillator with a WiFi interface.

Mike

wellygary

4083 posts

Uber Geek

# 1647348 7-Oct-2016 15:13

MikeAqua:

I know someone who has a pace-maker and defibrillator with a WiFi interface.

That plot device was used in Homeland in 2012...

Aredwood

3885 posts

Uber Geek

Subscriber

# 1660749 30-Oct-2016 01:29

It's not only the risk of overdose. You could potentially also cause a denial of service attack. With the denial of service being no insulin injected even when the patient needs insulin. Could be easy as simply sending loads of random data over the radio interface. And either crashing the inbuilt software. Does the device have a watchdog timer? So if it crashes it will reset and boot up again by itself. Or by causing so many interrupt calls that the main code that manages insulin levels doesn't get to run. And then there are race conditions - Where if something happens at just the right time or order the software does unexpected things.

This is also ridiculous in that virtually every IC datasheet I have read says that the IC manufacturer doesn't warrant their devices for use in life support equipment. Or other applications where a failure would be expected to cause loss of life. (such as aerospace) And to contact the IC manufacturer if you are intending to use their products in a life support device. And often the ICs concerned would be simple logic or analogue ICs. So no software involved. So component manufacturers are taking life support systems reliability seriously.

I wonder if the approvals process for medical devices that use software. Have any kind of testing of the software beyond seeing if it produces the expected output? It should be a requirement that as part of testing and device certification. The testing body should be provided with copies of the source code. So if failures happen later they can be fully investigated. And as an incentive for better software testing.

kiwigeek1

622 posts

Ultimate Geek

# 1660754 30-Oct-2016 02:30

thats odd news.. was a kiwi hacker.. pacemaker insulin pump and atms spitting out cash

https://www.rt.com/usa/hacker-pacemaker-barnaby-jack-639/

kiwigeek1

622 posts

Ultimate Geek

# 1660755 30-Oct-2016 02:34

plus his death was suspicious at the time.. some claim he was over dosed not by his own hand

https://en.wikipedia.org/wiki/Barnaby_Jack

Batman

Mad Scientist
20903 posts

Uber Geek

Trusted

Lifetime subscriber

# 1660758 30-Oct-2016 07:06

Aredwood:

It's not only the risk of overdose. You could potentially also cause a denial of service attack. With the denial of service being no insulin injected even when the patient needs insulin. Could be easy as simply sending loads of random data over the radio interface. And either crashing the inbuilt software. Does the device have a watchdog timer? So if it crashes it will reset and boot up again by itself. Or by causing so many interrupt calls that the main code that manages insulin levels doesn't get to run. And then there are race conditions - Where if something happens at just the right time or order the software does unexpected things.

This is also ridiculous in that virtually every IC datasheet I have read says that the IC manufacturer doesn't warrant their devices for use in life support equipment. Or other applications where a failure would be expected to cause loss of life. (such as aerospace) And to contact the IC manufacturer if you are intending to use their products in a life support device. And often the ICs concerned would be simple logic or analogue ICs. So no software involved. So component manufacturers are taking life support systems reliability seriously.

I wonder if the approvals process for medical devices that use software. Have any kind of testing of the software beyond seeing if it produces the expected output? It should be a requirement that as part of testing and device certification. The testing body should be provided with copies of the source code. So if failures happen later they can be fully investigated. And as an incentive for better software testing.

No insulin delivered is very safe. You have days-weeks to years if not decades to live (depending on specifics of condition - although those who can do years-decades are likely not to have a pump at this stage).

Too much insulin = instant d (minutes, but less than hour depending on how much OD).

Involuntary autocorrect in operation on mobile device. Apologies in advance.

pctek

809 posts

Ultimate Geek
Inactive user

# 1666555 9-Nov-2016 14:27

joker97:

No insulin delivered is very safe. You have days-weeks to years if not decades to live (depending on specifics of condition - although those who can do years-decades are likely not to have a pump at this stage).

Too much insulin = instant d (minutes, but less than hour depending on how much OD).

Hardly.

If you are on insulin, not taking any is likely to kill you in a lot less than years, probably a lot less than months too.

My partner has low sugar issues (type 1 on insulin). It's not instant death either.

First you act a bit off, then like you're drunk, talking rubbish, staggering about.

Then you hit the floor.....you're still not unconscious at this point but will be so soon if you have taken enough long acting (not the short acting stuff).

Once unconscious it's a matter of hours...but quite a few. I found him once when I came home from work. I got in around 6:30pm and as far as I could tell he lost it at about 11am.

He was a mess but once revived back to his normal self.

Doing this a lot for years, however, can lead to brain damage.