Diabetes is a disease in which the body has a shortage of insulin, a decreased capacity to use insulin, or both. People with this disease have to administer a synthetic insulin replacement into the body to regulate and stabilize their blood-sugar level. The traditional insulin delivery method is through injection by a needle and syringe. Deciding when to introduce insulin into the body requires frequent blood tests (poking the finger). An alternative to this method uses a Continuous Glucose Monitor (CGM) with a wireless sensor attached to a wire inserted into body tissue to measure electrical elements of fluids.
As a diabetic, Jerome Radcliffe, Cyber Threat Intelligence Analyst at IBM, admits to joking around about a hacker breaking into his CGM. He imagined that such an attacker could trick him into giving himself an unwarranted extra dose of insulin, forcing his blood-sugar level too low and rendering him unconscious, leaving him in a coma or even dead. After attending Defcon in 2009, he began to ponder the possibility of such a scenario seriously. He then hacked his own CGM to show how vulnerable wireless medical devices are to cyber threats, and demonstrated the hack at Black Hat USA 2011.
According to Radcliffe, he first collected publicly available data on his Medtronic CGM, focusing on the wireless communication frequency and modulation method. The user manual acted as a starting point, and opening the CGM provided him with more information, such as the RF chip model number. Next, Radcliffe recognized that US regulations require every wireless device sold to be approved by the Federal Communications Commission (FCC). On approval, a wireless device receives a unique ID, printed in its product manual, and the detailed FCC verification and analysis documents become public. Radcliffe also combed the US Patent Office for documents and found descriptions of the CGM’s functionality and manufacturing specifications (Radcliffe).
From his research, Radcliffe discovered that the CGM sensor operated at 402.142MHz in the MedRadio band, an unlicensed mobile radio service designated by the FCC for transmissions associated with medical devices. The CGM also ran for two years on a 1.5v battery (Hanselman). From this he inferred that his CGM lacked cryptography, since encryption would need more processing power than such a power budget could supply. Moreover, the CGM used non-bidirectional communication, and the sensor had no knowledge of which CGM received its data. Therefore, each packet must include a unique identifier, unless the pairing is programmed initially through Java-based software on an operating system of Windows XP or earlier. In addition, Medtronic’s CGM marketing promoted a lifespan of several years without any need to update (or patch) the device (BD Diabetes Education Center).
Armed with technical specifications for the Medtronic CGM, Radcliffe found an Arduino board based on Texas Instruments’ CC1101 wireless chip that could work on this frequency. This microcontroller, and its 108-page manual, cost Radcliffe less than $10 (Hanselman). Even with 20 years of ham radio experience, an overwhelmed Radcliffe commented on the manual’s complexity. “One of the challenges of crossing over from computer security research to hardware hacking research is the ease of use of the devices… none of it tells you how to program the device. [T]his was designed for the experienced electrical engineer to use, not the computer geek” (Radcliffe WP).
After failing to configure the CC1101 to the same frequency and modulation type as the Medtronic CGM, Radcliffe sought a different approach. By programming the CC1101 to capture the wireless data from the CGM using the “Direct Mode” or “Serial Mode,” Radcliffe could manually decode transmissions and decipher the data packets (Appendix A). After capturing several packets when his blood-sugar level was stable, Radcliffe identified patterns in the transmissions, including that all packets lacked a timestamp and that 80% of the packets had the same first 21 bits. These bits did not directly translate to the transmitter’s unique identifier (Radcliffe).
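The pattern hunting described above can be automated once frames have been captured and manually framed. The following script is an added example, not Radcliffe’s code and not Medtronic’s packet format: it takes constructed bit-string captures (the values are made up for illustration) and computes the longest leading bit run shared by a chosen fraction of packets, plus a check for verbatim repeats, which is the simplest sign that frames carry no timestamp, counter or nonce and could therefore be replayed.

```python
# Added example (not from Radcliffe's write-up): prefix and replay-indicator
# analysis over constructed, CGM-style packet captures.
from collections import Counter

# Constructed sample captures: bit strings as a sniffer in direct/serial mode
# might hand back after manual framing. Four frames share a 21-bit lead-in and
# one is an unrelated frame or noise. All values are invented.
CAPTURED_PACKETS = [
    "101100111010100010110" + "10110010",
    "101100111010100010110" + "10110010",   # verbatim repeat of the first
    "101100111010100010110" + "01100101",
    "101100111010100010110" + "00111001",
    "011010001110101000110" + "00010001",   # unrelated frame / noise
]


def shared_prefix_length(packets, fraction=0.8):
    """Longest leading bit run shared by at least `fraction` of all packets.

    Walks bit positions from the left; at each position keeps the most common
    bit among the packets still matching the running prefix and stops as soon
    as fewer than `fraction` of the whole capture still agree.
    Returns (length, prefix)."""
    if not packets:
        return 0, ""
    total = len(packets)
    prefix = ""
    survivors = list(packets)
    while True:
        pos = len(prefix)
        candidates = [p for p in survivors if len(p) > pos]
        if not candidates:
            return len(prefix), prefix
        bit, count = Counter(p[pos] for p in candidates).most_common(1)[0]
        if count / total < fraction:
            return len(prefix), prefix
        prefix += bit
        survivors = [p for p in candidates if p[pos] == bit]


def duplicate_packets(packets):
    """Exact repeats across the capture window.

    A frame that recurs bit-for-bit carries no timestamp, counter or nonce, so
    a receiver cannot tell a recorded copy from a fresh transmission. Returns
    {packet: occurrences} for every packet seen more than once."""
    counts = Counter(packets)
    return {p: c for p, c in counts.items() if c > 1}


if __name__ == "__main__":
    length, prefix = shared_prefix_length(CAPTURED_PACKETS)
    print(f"{length} leading bits shared by >=80% of packets: {prefix}")
    for packet, n in duplicate_packets(CAPTURED_PACKETS).items():
        print(f"replayable candidate seen {n} times: {packet}")
```

The 80% threshold mirrors the figure in the text; lowering it finds shorter, more widely shared lead-ins (a preamble or sync word), raising it isolates fields that are constant for a single transmitter. A duplicate list that is not empty is the property a protocol designer has to remove, by adding a freshness field, before the frames can be authenticated meaningfully.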
The breakthrough in his hack came from using the Java-based application that Medtronic used to configure their CGMs. The application allowed Radcliffe to capture his CGM’s messages and responses. According to Radcliffe, this was easy: “In the properties file, the logging was set to NONE, which I changed to HIGH” (Radcliffe WP). He then inspected the lone Java library file (JAR file) to discover the encoding method. Medtronic had not obfuscated this file, so Radcliffe could reproduce the encoding, message formats, and command codes for the CGM (Radcliffe). With this knowledge, Radcliffe could spoof transmissions for his Medtronic CGM and perform replay attacks.
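To show why a recorded frame can simply be resubmitted against a receiver like this, and what stops it, here is an added example in Python. It is not Medtronic’s protocol and not Radcliffe’s code; the frame layout, transmitter ID, device key and the choice of a truncated HMAC-SHA256 tag are constructed assumptions for illustration. It places a receiver that trusts any frame bearing the paired ID beside one that requires a per-device authentication tag over a monotonically increasing counter.

```python
# Added example (not Medtronic's format, not Radcliffe's code): an
# unauthenticated ID+reading frame beside an authenticated, replay-resistant one.
import hashlib
import hmac
import struct

# Constructed values (hypothetical): a 32-bit transmitter ID and a per-device
# key that would be provisioned at pairing time.
TRANSMITTER_ID = 0x00A1B2C3
DEVICE_KEY = b"per-device-secret-provisioned-at-pairing"

UNAUTH_FMT = ">IH"      # transmitter id, glucose reading (mg/dL)
AUTH_BODY_FMT = ">IIH"  # transmitter id, counter, glucose reading
TAG_LEN = 8             # truncated HMAC tag, in bytes


def build_unauthenticated(transmitter_id, glucose_mg_dl):
    """Frame as the essay describes it: ID plus reading, no freshness field,
    no authentication tag."""
    return struct.pack(UNAUTH_FMT, transmitter_id, glucose_mg_dl)


class NaiveReceiver:
    """Accepts any frame whose ID matches the paired transmitter. A recorded
    frame is indistinguishable from a fresh one, so it is accepted every time."""

    def __init__(self, paired_id):
        self.paired_id = paired_id

    def accept(self, frame):
        tid, glucose = struct.unpack(UNAUTH_FMT, frame)
        return glucose if tid == self.paired_id else None


def build_authenticated(transmitter_id, counter, glucose_mg_dl, key):
    """Body plus a truncated HMAC-SHA256 tag under the per-device key."""
    body = struct.pack(AUTH_BODY_FMT, transmitter_id, counter, glucose_mg_dl)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class HardenedReceiver:
    """Verifies the tag first, then requires the counter to move forward, so a
    frame without the key is rejected and a recorded frame is rejected on its
    second arrival."""

    def __init__(self, paired_id, key):
        self.paired_id = paired_id
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        body_len = struct.calcsize(AUTH_BODY_FMT)
        body, tag = frame[:body_len], frame[body_len:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or corrupted frame
        tid, counter, glucose = struct.unpack(AUTH_BODY_FMT, body)
        if tid != self.paired_id or counter <= self.last_counter:
            return None                       # wrong sender or replayed frame
        self.last_counter = counter
        return glucose


def demo():
    """Returns (naive_results, hardened_results) for the same sequence of frames."""
    naive = NaiveReceiver(TRANSMITTER_ID)
    recorded = build_unauthenticated(TRANSMITTER_ID, 120)
    naive_results = [naive.accept(recorded), naive.accept(recorded)]

    hard = HardenedReceiver(TRANSMITTER_ID, DEVICE_KEY)
    fresh = build_authenticated(TRANSMITTER_ID, 1, 120, DEVICE_KEY)
    forged = build_authenticated(TRANSMITTER_ID, 2, 40, b"guessed-key")
    hardened_results = [hard.accept(fresh), hard.accept(fresh), hard.accept(forged),
                        hard.accept(build_authenticated(TRANSMITTER_ID, 2, 95, DEVICE_KEY))]
    return naive_results, hardened_results


if __name__ == "__main__":
    print(demo())   # ([120, 120], [120, None, None, 95])
```

The receiver keeps only one integer of state, the last accepted counter, and the sender must persist its own counter across resets so it never reuses a value; a per-device key and a short tag are what make the frame’s identifier worth trusting, since the identifier alone is public the moment it is transmitted.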
During his Black Hat presentation, Radcliffe addressed the limits of his hack. The hack relies on the unique identifier, which every transmission (sent every five minutes) carries in encoded form. This makes passive discovery easy, but only for an attacker who can gain physical access to the individual’s personal space, because of the CGM’s limited RF range of 100 to 200 feet. He also discussed that while an attacker might be able to manipulate the diabetic’s administration of insulin, it is common for a diabetic to introduce incorrect insulin amounts because of external variables. Successfully harming the diabetic would require hours of constant manipulation by an attacker (Radcliffe).
Diabetics still have significant control in the decision-making of delivering their medication. Radcliffe points out “some security risks in manipulating some of the data the person uses, but ultimately, an attacker cannot directly manipulate the amount of insulin given.” However, Radcliffe is quick to note, “The industry has plans to remove the human intervention from this equation though. The Juvenile Diabetes Research Foundation is pushing a campaign called the ‘Artificial Pancreas Project.’” According to Radcliffe, the unfortunate result would be less oversight. Combined with the lax wireless security on medical devices, this is something Radcliffe believes should be of concern to companies like Medtronic.
Before releasing his findings, Radcliffe had reached out to Medtronic through the US Department of Homeland Security, an ethical approach in his eyes (Smith). Furthermore, a Medtronic engineer who had attended Radcliffe’s presentation at Black Hat received a copy of the presentation and exhaustive technical details not previously disclosed. When Radcliffe followed up by email three days later, the engineer did not reply (Rashid). Finally, after three weeks of waiting for a response, Radcliffe released his discovery. Eventually, Medtronic released a PR statement, after denying that it had received any contact from Homeland Security, stating, “Medtronic takes the issue of device information security very seriously. It is an integral part of the very fabric of our product design process” (Statement Regarding Insulin Pump Hacking). Nevertheless, the statement says nothing about plans to address such security flaws.
The Direct Mode of the CC1101 connects using “two pins: one is a clock and the other is data. In this two pin setup, there is a continuous clock signal being generated by the RF module. This provides the timing for reading any signals that the RF module picks up, which would come in from the data pin. The best way to think of the clock signal is like a metronome when playing music. The metronome helps a musician keep time, so they can play a note for the proper amount of time. In this case, it tells us how to read the 1s and 0s coming in on the data line. Visually it looks like this”
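A small simulation of that two-pin read, as an added example and not Radcliffe’s Arduino code: the clock and data lines are represented as equal-length lists of oversampled 0/1 values (constructed by a test-bench generator in the same block), and the decoder takes one data bit on every rising edge of the clock, exactly as the metronome analogy describes, then packs the bits into bytes for inspection.

```python
# Added example (not Radcliffe's code): recover bits from a two-pin clock/data
# stream by sampling the data line on each rising clock edge.


def recover_bits(clock_samples, data_samples):
    """Return the bits read from `data_samples` at every 0->1 transition of
    `clock_samples`.

    Both inputs are equal-length sequences of 0/1 samples taken at the same
    instants, oversampled relative to the clock so that each clock period
    spans several samples."""
    if len(clock_samples) != len(data_samples):
        raise ValueError("clock and data must be sampled together")
    bits = []
    prev = clock_samples[0] if clock_samples else 0
    for clk, dat in zip(clock_samples, data_samples):
        if prev == 0 and clk == 1:      # rising edge: the data line is valid now
            bits.append(dat)
        prev = clk
    return bits


def bits_to_bytes(bits):
    """Pack whole groups of eight bits, MSB first; a trailing partial byte is
    dropped rather than padded so the caller can see how much was framed."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def make_trace(bits, samples_per_bit=4):
    """Constructed test-bench generator: a square-wave clock with one period
    per bit and a data line held at the bit's value across that period."""
    half = samples_per_bit // 2
    clock, data = [], []
    for b in bits:
        clock += [0] * half + [1] * half
        data += [b] * samples_per_bit
    return clock, data


if __name__ == "__main__":
    # Constructed payload: 0xA5 0x3C, sent MSB first.
    payload_bits = [1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0]
    clk, dat = make_trace(payload_bits, samples_per_bit=6)
    recovered = recover_bits(clk, dat)
    print(recovered)                      # the original 16 bits
    print(bits_to_bytes(recovered).hex())  # a53c
```

Sampling on the edge rather than on level is what makes the read independent of how many samples each clock period spans, which is why the same decoder works with `samples_per_bit` of 4 or 6 here; on real hardware the equivalent is an edge-triggered interrupt on the clock pin.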