*2.5. Security*

One of the main concerns about using DIY systems [6,7] with outdated Medtronic pumps, apart from glycemic safety, is the lack of security in the communications channel between the controller and the insulin pump. Communications are not encrypted in any way and, while this makes the insulin pump easily accessible to the controller, it also makes it vulnerable to attackers who could try to remotely control the pump and therefore pose a potential risk to the user's safety.

The controller queries the pump every 5 min and, by doing so, the pump ID is broadcast several times with every data exchange. Every message contains the pump ID so that it can be identified by the receiver and by any other system waiting for those messages. These periods are critical because the pump ID is exposed and any attacker could potentially listen for it and use it later to send dangerous commands to the pump.

Medtronic has created a new communications protocol that addresses this problem by encrypting the payload of the messages, but, since this system makes use of the older pump models, an intrusion detection and jamming procedure was added to the controller instead.

The controller is always listening for messages from or to the pump. If a message is received and it is not an answer to a command sent by the controller, an intrusion alarm is sent to the smartphone to alert the user. At the same time, the jamming procedure is started: the controller continuously sends "Suspend" messages to the pump in an attempt to cancel any command sent to the pump, while giving the user time to take whatever action is needed to protect themselves from this situation. This continuous transmission corrupts any message sent by the attacker, blocking the communications channel for several minutes.

This protection can be disabled to allow data to be downloaded from the pump when the user needs it (for instance, during a medical appointment).
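As an added illustration of the controller-side logic described above (the unsolicited-message check, the timed jamming window and the download override), and not code from the paper or from the DIY projects it cites, the following Python simulation classifies frames heard on the channel; the frame fields, sequence numbers, timings and pump identifier are constructed assumptions, not Medtronic's real radio format.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    pump_id: str   # pump serial carried in every frame (the value the text says is exposed)
    kind: str      # "request" or "response" (assumed field, not the real protocol)
    seq: int       # correlation number; a response echoes its request's seq (assumption)
    t: float       # seconds since start (constructed timestamps)

@dataclass
class Controller:
    pump_id: str
    jam_seconds: float = 120.0          # how long "Suspend" is repeated after an alarm
    protection_on: bool = True          # False only while the user downloads pump data
    pending: set = field(default_factory=set)    # seqs of commands we sent, awaiting reply
    alarms: list = field(default_factory=list)   # (time, kind, seq) of unsolicited frames
    jam_until: float = -1.0

    def send_command(self, seq: int) -> None:
        self.pending.add(seq)           # remember what we asked, so the reply can be matched

    def observe(self, f: Frame) -> str:
        """Classify a frame heard on the channel: 'ok', 'ignored' or 'alarm'."""
        if f.pump_id != self.pump_id:
            return "ignored"            # traffic for some other pump
        if f.kind == "response" and f.seq in self.pending:
            self.pending.discard(f.seq) # the answer to a command we sent
            return "ok"
        if not self.protection_on:
            return "ok"                 # detection disabled, e.g. download at a clinic
        # Anything else addressed to or coming from our pump was not requested by us.
        self.alarms.append((f.t, f.kind, f.seq))
        self.jam_until = max(self.jam_until, f.t + self.jam_seconds)
        return "alarm"

    def jamming(self, t: float) -> bool:
        """True while the controller would still be repeating 'Suspend' frames."""
        return self.protection_on and t < self.jam_until

def run_demo() -> tuple:
    c = Controller(pump_id="PUMP-0001")   # constructed identifier
    c.send_command(1); c.send_command(2)  # two routine status queries, 5 min apart
    trace = [Frame("PUMP-0001", "response", 1, 0.2),      # reply to our first query
             Frame("PUMP-0001", "response", 2, 300.3),    # reply to our second query
             Frame("PUMP-0001", "request", 77, 310.0),    # nobody here sent seq 77
             Frame("PUMP-0001", "response", 77, 310.4),   # pump answering that stranger
             Frame("PUMP-0002", "request", 5, 500.0)]     # a different pump: not ours
    verdicts = [c.observe(f) for f in trace]
    jam_now, jam_later = c.jamming(400.0), c.jamming(450.0)   # inside / past the window
    c.protection_on = False                                    # user starts a data download
    verdicts.append(c.observe(Frame("PUMP-0001", "request", 90, 600.0)))
    return verdicts, len(c.alarms), jam_now, jam_later
```

Note that the pump's own reply to the stranger's request is also flagged, since the controller never issued sequence 77; this is why the check is "was it an answer to something I sent" rather than "did it come from the pump".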
