Reverse Engineering An Insulin Pump With An SDR And Decapping

Insulin pumps are a medical device used by people with diabetes to automatically deliver a measured dose of insulin into their bloodstream. Traditionally they have involved a canula and separate connected pump, but more recent models have taken the form of a patch with a pump mounted directly upon it. When [Pete Schwamb]’s daughter received  one of these pumps, an Omnipod, he responded to a bounty offer for reverse engineering its RF protocol. As one of the people who helped create Loop, an app framework for controlling insulin delivery systems, he was in a particularly good position to do the work.

The reverse engineering itself started with the familiar tale of using an SDR to eavesdrop on the device’s 433MHz communication between pump and control device. Interrogating the raw data was straightforward enough, but making sense of it was not. There was a problem with the CRC algorithm used by the device which had a bug involving a bitwise shift in the wrong direction, then they hit a brick wall in the encryption of the data. Hardware investigation revealed a custom chip in the device, and there they might have stalled.

But the international reverse engineering community is not without resources and expertise, and through the incredible work of a university researcher in the UK (whose paper incidentally includes a pump teardown) they were able with an arduous process supported by many people to have the firmware recovered through decapping the chip. Even once they had thus extracted the encryption code and produced their own software their problems were not over, because communication issues necessitated a much better antenna on the RileyLink Bluetooth bridge boards that translated Bluetooth from a mobile phone to 433 MHz for the device.

This precis doesn’t fully encapsulate the immense amount of work over several years by a large group of people with some very specialist skills that reverse engineering the Omnipod represents. To succeed in this task is an incredible feat, and makes for a fascinating write-up.

Thanks [Alex] for the tip.

29 thoughts on “Reverse Engineering An Insulin Pump With An SDR And Decapping

  1. I’ve been threatening to make an automated drinking game out of these. Fill ’em up with ethanol and snag the captioning feed from, say, the State of the Union. When key words are mentioned, send a bolus packet to everyone. WHAT COULD POSSIBLY GO WRONG?

    (Oh yeah, I’ve been told by medical students that this will immediately kill the surrounding tissue. DO NOT TRY THIS EVER.)

      1. Pure ethanol delivered rectally is safer than injection into muscle tissue!? Really? If it would kill muscle tissue immediately what is it going to do to the delicate lining of the bowel do you suppose? Ever felt that burning feeling in your throat when swallowing strong alcohol?
        Please kids, don’t try this at home and ignore the rectal suggestion altogether.

    1. as someone who recently contracted on a (failed) insulin pump project. I lol’d when I read that. In my dept we had a term for our basal packets: bosals :) you never really knew if you’d get the basal or bolus amount. Needless to say I’m happy the product never reach the market.

    1. That’s the needle insertion mechanism. It has a tight wound spring that inserts the needle and cannula then retracts the needle. Its actually pretty amazing what they stuffed inside that pod. They also have 3 a76/lr44 size American made batteries in them. I have an endless supply of those from taking apart the pods!

    2. That’s the mechanism that actually inserts the cannula and then retracts the needle leaving the cannula under the skin. It looks sketchy but it only operates *once* per device (since the whole pod is disposable). So in practice it’s plenty reliable.

      There’s a nice teardown on YouTube that predates all this work and mostly covers the mechanical side of things. Search “omnipod teardown”.

    3. It does not mean, that medical devices are manufactured expensively only because they are sold at a premium. Especially disposable devices are for sure manufactured on the cheap.

    1. The OmniPods are designed extremely conservatively, such that they disable themselves and scream (literally: it’s extremely loud) if any device other than the paired controller issues a command and the pod and controller end up with different records of what they’ve done. I am actually less concerned about the cybersecurity aspects of the OmniPod looping solution than the unsecured pump comms that occur with the older Medtronic pumps we’ve all been looping with up until the OmniPod solution became available.

  2. “Reverse Engineering an Insulin Pump for DIY Closed Loop Therapy” Ive said it before, and Ill say it again. This is a terrible idea, and if he ends up killing his daughter or causing someone else to kill their loved one, the deaths are on his hands. At the very minimum, the FDA may come a knocking..

    1. Ok, I’m going to poke the hornet’s nest!

      You know you can actually manage diabetes manually, but it takes effort!
      I have for over 40 years.
      Companies and physicians however want the easy way for you to keep taking their highly over-priced medication, using a device(s) provided by them.
      Think of printers and ink…..

      The physicians actively push the tech on to you – they are paid to do it!!
      They have tried (and failed) with my well controlled diabetic son.
      It would appear that the excellent courses they used to run have been cut back.

      The pump and the automatic blood glucose measurement device in theory can make it easier, however I have issues with it.

      1. They use all your information – privacy – honest we won’t sell your data.
      2. You have less control – this is the scary bit.
      3. It is more expensive – excellent!
      4. It can require more time and effort to clean and maintain correctly.
      5. It just gets in the way – running, swimming etc.
      6. It makes it easier to overeat and support the sugar/food industry (lol, this may be controversial)
      7. You just cannot hack an insulin pen or syringe!

      Diabetes is a serious disease.
      However, with some training, thought and preparation – it can be made bearable and you can have a relatively normal life.

      Just my 2c :)

      Andy

    2. Don’t use it, if you don’t trust it. Nobody forces you, to use this knowledge for anything. Reverse engineering itself, gaining knowledge can never be a “terrible idea”.
      You know what security experts think of “security by obscurity”? – Not much.

      1. Except the point isnt to find security problems, its encouraging people to modify their therapy. Im all for exposing security issues, and its the fault of the company that made the system that its so hackable, but again, do not think for a second that people uneducated in the calculations that took R&D engineers years to develop, and get approved by the FDA can be duplicated by a guy in his garage. Curiosity might just kill the cat here.

  3. Im always glad to see people hacking these things, because this is something that should have commercially came out a very long time ago. However, most of the pharma companeys see diabetics as a cash cow ripe for marketing. Narcam is given out free for cases of heroin OD, but when it comes to insulin, they want a kings ransom per month for a life critical drug. I dont see any moral issues with hacking a life saving device, the resources for altering them should be given openly, as well insulin and other life saving drugs. The problem with the FDA, is that their in the pharma companies pocket. The only stipulation about these devices, is that they should be locked doen and only able to be “opened” by their end user.

    1. Hanlon’s razor would probably apply.

      At a previous employer, worked with the FDA on several projects. FDA scientists and counsel are not the most sharp tools in the shed. The last several FDA administrations have been headed by physician/scientists. They desperately need to appoint much more engineers to senior management and executive positions.

      Have nothing against scientists (my father was a scientist, and in-laws are scientists), but they are not ‘programmed’ to be practical. Conversely, the problem with engineers as managers is the promotion a la pure meritocracy and the unfounded worship of the most cost-effective and efficient solution; and I am guilty as charged…

      Many pharma companies tend to run by scientists that could not meaningfully science, or by technician MBAs, so they have no ability to understand the development of drugs that would actually cure vs a drug that treats symptoms or provides small statistical increases in survivability. While most medical hardware companies seem to be run by technician accountants or MBA engineers, where they spend most of their time measuring risk; that is, determining the maximum number of people that can be killed via cost controls while maximizing profit.

    2. If the guy was going to use it on himself and he is an adult, I would say have fun, and in advance, it has been nice knowing you. However it sounds like his daughter is the one this is for. I am pretty sure this passes over an adult experimenting on themselves and crosses over into criminal. Been nice knowing her, and we will see you in about 25 years when you get out of prison.

  4. This is absolutely huge for the DIY Diabetic community. Finally an insulin delivery system you can closed-loop with that is under warranty. No more scouring Craigslist or eBay for an old Minimed pump with the security flaw.

    Amazing work that will (and IS) changing lives of children and adults with this disease.

  5. I’ve told the Loop team that stickben on the Hack a Day blog says it’s a bad idea (more than once!) and they’ve shut it all down. They’ve also agreed to stop crossing the street and driving and hiking in the forest and doing any sports that require a helmet and sports that are done in or near water.

    Diabetes has also agreed not to afflict those that have trouble with basic math or have irresponsible tendencies.

    It’s a day to remember, thanks stickben.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.