Reverse Engineering An Insulin Pump With An SDR And Decapping

Insulin pumps are medical devices used by people with diabetes to automatically deliver a measured dose of insulin into their bloodstream. Traditionally they have involved a cannula and a separate connected pump, but more recent models have taken the form of a patch with a pump mounted directly upon it. When [Pete Schwamb]’s daughter received one of these pumps, an Omnipod, he responded to a bounty offer for reverse engineering its RF protocol. As one of the people who helped create Loop, an app framework for controlling insulin delivery systems, he was in a particularly good position to do the work.

The reverse engineering itself started with the familiar tale of using an SDR to eavesdrop on the device’s 433 MHz communication between pump and control device. Interrogating the raw data was straightforward enough, but making sense of it was not. The CRC algorithm used by the device had a bug involving a bitwise shift in the wrong direction, and then they hit a brick wall in the encryption of the data. Hardware investigation revealed a custom chip in the device, and there they might have stalled.

But the international reverse engineering community is not without resources and expertise. Through the incredible work of a university researcher in the UK (whose paper incidentally includes a pump teardown), and an arduous process supported by many people, they were able to have the firmware recovered by decapping the chip. Even once they had thus extracted the encryption code and produced their own software, their problems were not over, because communication issues necessitated a much better antenna on the RileyLink Bluetooth bridge boards that translated Bluetooth from a mobile phone to 433 MHz for the device.

This precis doesn’t fully encapsulate the immense amount of work over several years by a large group of people with some very specialist skills that reverse engineering the Omnipod represents. To succeed in this task is an incredible feat, and makes for a fascinating write-up.

Thanks [Alex] for the tip.

Homebrew Pancreas Gets 30 Minutes Of Fame

It is pretty unusual to be reading Bloomberg Businessweek and see an article with the main picture featuring a purple PCB (the picture above, in fact). But that’s just what we saw this morning. The story is about an open source modification to an insulin pump known as the RileyLink. This takes advantage of older Medtronic brand insulin pumps and allows you to control the BLE device from a smartphone remotely and use more sophisticated software to control blood sugar levels.

Of course, the FDA isn’t involved. If they were, the electronics would cost $7,000 instead of $250 — although, in fairness, that $250 doesn’t cover the cost of the used pump. Why it has to be a used pump is a rather interesting story. The RileyLink is only possible because of a security flaw and an active hacker community.
