FDA Recalls Insulin Pumps Due to IoT Hack Vulnerability

Drew Wilson | July 5, 2019

Who in their right mind would connect medical implant devices to the Internet? The FDA has recalled some insulin pumps due to a security vulnerability.

In the last few years, there has been a rush to connect anything and everything to the Internet. While it’s one thing to connect general purpose computers to the Internet, it’s quite another to connect things like fridges and home security to the Internet. All these minor devices being connected to the Internet are known as the Internet of Things (or IoT).

Of course, there is a significant cost to all this connectivity. How does one go about securing such devices in the first place? Some adopt the attitude of just letting the companies take care of all of that. After all, if they make the devices in the first place, then they must know what they are doing, right?

Naturally, since we monitor what goes on in the world of security, we know that such trust is definitely misplaced. According to a study back in January, 58% of UK businesses couldn’t even detect a security breach. That study was primarily on IoT devices. It’s facts like this that have led some opinion bloggers to refer to IoT as “The Internet of Broken Things”.

Now, there is a fresh reminder of just how insecure such devices really are. According to Digital Trends, the US Food and Drug Administration (FDA) is recalling insulin pumps. It’s not because there is a physical defect in them, but rather, because they are vulnerable to hacking:

Medical device company Medtronic is recalling a number of insulin pumps after discovering they are vulnerable to hacks — and there’s no way to patch the security holes. The FDA announced the vulnerability in the MiniMed 508 and Paradigm pumps this week, and Medtronic has sent a letter to around 4,000 patients currently using the devices.

“The FDA is warning patients and health care providers that certain Medtronic MiniMed insulin pumps have potential cybersecurity risks,” the FDA said in its advisory. “Patients with diabetes using these models should switch their insulin pump to models that are better equipped to protect against these potential risks.”

While patients are waiting for a replacement pump, the FDA advises users to reduce the risk of cybersecurity attack by keeping their pump and connected devices on their person at all times, not sharing their pump serial numbers, and paying special attention to notifications from the pump and their glucose levels.

Concerns about the security of medical IoT (Internet of Things) devices have been raised before. Earlier this year, a white hat hacker warned that medical device manufacturers were not paying enough attention to security issues.

“Manufacturers of medical IoT devices should be prioritizing security, especially considering the potential detrimental consequences of a breach,” Catherine Norcom, a hardware hacker for IBM’s X-Force Red, told Security Intelligence.

We find ourselves once again pointing out that there is something to be said for not connecting absolutely everything to the Internet. Does your toaster really need Internet access to tell you what the weather is going to be today? Why does your fridge need Internet access to manage a grocery list? Aren’t you concerned that your potted plant could be connected to a botnet?

Of course, all of those examples pale in comparison to medical devices. That goes well beyond just trying to enjoy a tiny sliver of added convenience. At that point, you are putting your life on the line for what? A small amount of added convenience? Is it really worth it? Chances are, the answer is “no”.

If anything, this story should be a fresh reminder that not everything needs to be connected to the Internet.

Drew Wilson on Twitter: @icecube85 and Facebook.