Perspective: These Hackers Made an App That Kills to Prove a Point

Published 18 July 2019

Two years ago, researchers Billy Rios and Jonathan Butts discovered disturbing vulnerabilities in Medtronic’s popular MiniMed and MiniMed Paradigm insulin pump lines. An attacker could remotely target these pumps to withhold insulin from patients, or to trigger a potentially lethal overdose. And yet months of negotiations with Medtronic and regulators to implement a fix proved fruitless. So the researchers resorted to drastic measures. They built an Android app that could use the flaws to kill people.

Lily Hay Newman writes in Wired that Rios and Butts, who work at the security firm QED Security Solutions, had first raised awareness about the issue in August 2018 with a widely publicized talk at the Black Hat security conference in Las Vegas. Alongside that presentation, the Food and Drug Administration and the Department of Homeland Security warned affected customers about the vulnerabilities, as did Medtronic itself. But no one presented a plan to fix or replace the devices. To spur a full replacement program, which ultimately went into effect at the end of June, Rios and Butts wanted to convey the true extent of the threat.

“We’ve essentially just created a universal remote for every one of these insulin pumps in the world,” Rios says. “I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago.”