It's very interesting to see an in-the-wild example of a security flaw in the wireless pairing of a class C medical device (i.e. a device that can severely injure or kill). Would love to see technical details about the specific flaw here.
The FDA released a Draft of the new Cybersecurity Guidance document back in April and there was speculation that this draft was going to become active (an actual regulation) by the end of the year. I wonder if this news is going to speed that up in any way.
The new draft literally doesn't change anything. It just defines some of the things that FDA has been already asking for in the past 7 years for every device submission.
Just my opinion as someone who has worked on many infusion pumps: that FDA review division is the best at FDA. They probably ask more cybersecurity questions than any other group I've encountered.
> They probably ask more cybersecurity questions than any other group
And therein lies the problem. Ask lots of questions on paper, and you get something that is very secure on paper.
But if you want something actually secure, you need to do pentests, have a substantial bounty program, have the design+code inspected by security reviewers, etc.
That FDA review division does require that information and testing to be supplied with infusion pump testing. In fact, they are one of the few that routinely asks for substantial testing in repeated deficiency requests.
Just spending a few minutes searching around I found this interesting reverse engineering work on the Contour Next Link 2.4 USB dongle: https://github.com/szpaku80/reverse-engineering-contour-next...
It looks like it's implementing 802.15.4 (the basis for ZigBee among other protocols).
The user manual for the Contour Next Link 2.4 device (https://www.medtronicdiabetes.com/sites/default/files/librar...) shows that pairing can be initiated by the USB dongle and succeeds if the user confirms the request on the device. A serial number is displayed but that appears to be under the control of the hypothetical attacker. So the user must know to reject an unexpected request even if it has the right serial number, or the attacker will gain control of their pump and can issue a remote bolus command.
This example doesn't have to do with Bluetooth, but there's an interesting connection there because most BLE pairing methods have been shown to be insecure against sniffing attacks. That imposes constraints on how medical devices that need Bluetooth connectivity are designed, because it may force a device to have a screen for showing a pairing code when it otherwise would not need one.
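To make the point in the two comments above concrete, here is an added, constructed model of the pairing decision (not the Contour Next Link or MiniMed protocol, not code from the reverse-engineering repository, and not the BLE state machine; the class and function names, message fields and serial strings are assumptions for illustration). Variant A keys the user's confirmation on a serial number that the initiator simply asserts, so an attacker who knows the serial printed on the real dongle gets through a careful user's check. Variant B has the pump display a random six-digit passkey and requires the initiator to prove it was told that passkey, which is the screen-dependent design the BLE comment alludes to. The model stops at the accept/reject decision; deriving a link key (for example with ECDH, which is what keeps a passkey from being recovered by a sniffer) is out of scope here.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

# Constructed, simplified model of a wireless pairing decision. It is NOT the
# real Contour Next Link / MiniMed protocol; the class names, message fields
# and serial strings are assumptions for illustration only.


def passkey_proof(nonce: bytes, passkey: str) -> bytes:
    """What the initiating device sends to show it was told the passkey
    displayed on the pump (HMAC keyed on the passkey over a pump nonce)."""
    return hmac.new(passkey.encode(), nonce, hashlib.sha256).digest()


class Pump:
    """A 'pump' that records which peers it has accepted a pairing from."""

    def __init__(self) -> None:
        self.paired_peers = set()            # serials accepted for pairing
        self._pending_passkey: Optional[str] = None
        self._pending_nonce: Optional[bytes] = None

    # --- Variant A: user confirms a serial the initiator merely asserts ---
    def pair_by_serial(self, claimed_serial: str,
                       user_confirms: Callable[[str], bool]) -> bool:
        # The pump can only display what arrived in the request; nothing here
        # proves the request came from the device that owns that serial.
        if user_confirms(claimed_serial):
            self.paired_peers.add(claimed_serial)
            return True
        return False

    # --- Variant B: pump-generated passkey the initiator must prove ---
    def begin_passkey_pairing(self) -> Tuple[str, bytes]:
        """Show a fresh 6-digit passkey on the pump screen (returned for the
        user) and send a nonce over the air (returned for the initiator)."""
        self._pending_passkey = f"{secrets.randbelow(1_000_000):06d}"
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_passkey, self._pending_nonce

    def finish_passkey_pairing(self, claimed_serial: str, proof: bytes) -> bool:
        if self._pending_passkey is None or self._pending_nonce is None:
            return False
        expected = passkey_proof(self._pending_nonce, self._pending_passkey)
        ok = hmac.compare_digest(expected, proof)
        # One attempt per displayed passkey: a wrong guess burns it, so an
        # attacker cannot iterate through the 10**6 possibilities online.
        self._pending_passkey = self._pending_nonce = None
        if ok:
            self.paired_peers.add(claimed_serial)
        return ok


def user_checks_serial(expected: str) -> Callable[[str], bool]:
    """A careful user who only confirms requests that show the serial printed
    on their own dongle."""
    return lambda shown: shown == expected


def demo_serial_only(real_serial: str = "CNL-001",
                     attacker_knows_serial: bool = True) -> bool:
    """Variant A: the attacker need only claim the serial the user expects."""
    pump = Pump()
    claimed = real_serial if attacker_knows_serial else "CNL-999"
    return pump.pair_by_serial(claimed, user_checks_serial(real_serial))


def demo_passkey(initiator_has_passkey: bool = False) -> bool:
    """Variant B: the legitimate user relays the on-screen passkey to the
    dongle; a remote attacker who cannot see the screen must guess."""
    pump = Pump()
    passkey, nonce = pump.begin_passkey_pairing()
    # Any value other than the displayed one; +1 mod 10**6 is guaranteed wrong.
    wrong = f"{(int(passkey) + 1) % 1_000_000:06d}"
    proof = passkey_proof(nonce, passkey if initiator_has_passkey else wrong)
    return pump.finish_passkey_pairing("CNL-001", proof)


def demo_passkey_no_retry() -> bool:
    """A failed attempt invalidates the passkey: even the correct proof is
    rejected afterwards until the user starts a new pairing."""
    pump = Pump()
    passkey, nonce = pump.begin_passkey_pairing()
    wrong = f"{(int(passkey) + 1) % 1_000_000:06d}"
    pump.finish_passkey_pairing("CNL-001", passkey_proof(nonce, wrong))
    return pump.finish_passkey_pairing("CNL-001", passkey_proof(nonce, passkey))


if __name__ == "__main__":
    print("serial-only, attacker knows serial :", demo_serial_only())
    print("passkey, remote attacker guesses   :", demo_passkey())
    print("passkey, user enters it on dongle  :", demo_passkey(True))
```

The difference between the variants is what the confirmation step actually binds: in A, the user's tap attests only that a serial they recognise appeared on screen, and the serial is public (printed on the dongle, and visible to anyone who can observe a legitimate pairing). In B, the tap is replaced by transferring a fresh secret from the pump's screen to the initiator by hand, so completing the pairing proves the initiator is the device the user is holding. That is also why a device with no screen cannot offer B and is left with a "just works" style pairing unless it gets some other out-of-band channel.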