TL;DR
- Important Medtech advances in Diabetes management continue.
- Smart continuous blood glucose monitors (CGMs) communicate with a smartphone app.
- Blood sugar levels can be tracked and users can be dosed appropriately.
- An open AWS S3 bucket containing fully editable user information was found.
- …this meant that data could be tampered with to report incorrect information, causing a closed loop automated system to overdose the user.
- Thankfully, the CISO responded on LinkedIn (on a Sunday!) and the data was quickly secured.
Closing the Loop
Just before COVID struck the world, I was travelling through Colorado on a Sunday on a ski trip with some friends. My work phone pinged with a message from a colleague (the awesome @evstykas who has now moved on to do even more cool things with APIs). That’s not particularly common as we’re pretty good at leaving each other alone at the weekend. Family and friends time is important. I therefore paid attention, despite 9 hours of time zone difference.
He had found an open AWS S3 bucket. Nothing particularly alarming about that. Nothing worth a message at the weekend. But the data that the bucket contained was concerning.
The background
Several of my colleagues and friends are Type 1 diabetic, reliant on continuous blood glucose monitors (CGM) and insulin pumps with which they dose themselves. Having helped friends recover from both high and low blood sugar level incidents, I’ve witnessed the importance of careful blood sugar level management.
Advances have allowed for smart CGMs, which can communicate with a smartphone app. This allows for accurate tracking of blood sugar levels. The user can then dose themselves appropriately. This has started to remove the ‘spikes’ in blood sugar that can be so damaging to one’s health over many years.
The goal of much research is to deliver what is in effect an artificial pancreas. What’s called a ‘closed loop’ system where the CGM sends regular data to a control device, such as a smartphone, and an algorithm then commands the insulin pump to dose the required amount of insulin. This automatically manages users’ blood sugar levels to a certain extent. This will be a huge step forward for quality of life for Type 1 diabetics.
Several pharmaceutical companies are working hard to deliver – and have such a closed loop system approved by regulators. Previous advances from biotech firms have included smartphone-based dosing over Bluetooth, famously exploited by the late Barnaby Jack in 2011.
What was in that bucket?
The data in the bucket appeared to be real time blood glucose readings. A few thousand devices, likely a clinical trial. Researching more online and joining some dots, the readings looked to be for such a closed loop system: Auto dosing.
The data in the bucket was editable. Read and write.
With increasing horror, we realised that the readings could be changed to, say, increase the reported blood sugar level, resulting in a high, automatic dose of insulin that would likely put the user in a coma and maybe even result in death.
Holy smoke
My colleague had stumbled on to the data. How long until someone else less responsible or less aware found it?
What chance a kid or a bot could find the data and change some values without knowledge of the impact?
A Sunday in Colorado. Not the best place to start a vulnerability disclosure from. I jumped on LinkedIn. We had worked out the biotech vendor’s name, by some fluke I was linked to their CISO through some mutual contacts. I dropped them a line without any detail, but an urgent request to message privately. This was a long shot.
A few minutes later the connection request was accepted. A PM arrived. Wow. We had a quick interaction over private message and then switched to email, where I explained the problem. Very quickly I had a message back to say that it was being investigated as a top priority.
A few minutes later the bucket went private, followed by a very grateful message from the CISO.
How differently this could have ended. How fortunate that the CISO kept an eye on LinkedIn at the weekend. How lucky that he didn’t dismiss my message as beg bounty and took it in the spirit intended.
Lessons learned
Cloud configuration can be hard, given the fast pace of technology change.
Use the cloud providers security dashboards to manage the obvious stuff.
Get a security review from a specialist that truly understands cloud security.
Fast moving projects are some of the most exposed to security mistakes. Move fast but be secure too.
Think carefully about risk. Get a threat model done. Do your technology developers understand healthcare risk?
Embedded devices, particularly those in healthcare, have a different set of security risks. Talk to people who genuinely understand embedded cyber, early on in your development lifecycle.
But, most importantly, ensure that researchers can reach you. On a Sunday. In Colorado.
