Insulin pumps are a medical device used by people with diabetes to automatically deliver a measured dose of insulin into their bloodstream. Traditionally they have involved a canula and separate connected pump, but more recent models have taken the form of a patch with a pump mounted directly upon it. When [Pete Schwamb]’s daughter received one of these pumps, an Omnipod, he responded to a bounty offer for reverse engineering its RF protocol. As one of the people who helped create Loop, an app framework for controlling insulin delivery systems, he was in a particularly good position to do the work.

The reverse engineering itself started with the familiar tale of using an SDR to eavesdrop on the device’s 433MHz communication between pump and control device. Interrogating the raw data was straightforward enough, but making sense of it was not. There was a problem with the CRC algorithm used by the device which had a bug involving a bitwise shift in the wrong direction, then they hit a brick wall in the encryption of the data. Hardware investigation revealed a custom chip in the device, and there they might have stalled.

But the international reverse engineering community is not without resources and expertise, and through the incredible work of a university researcher in the UK (whose paper incidentally includes a pump teardown) they were able with an arduous process supported by many people to have the firmware recovered through decapping the chip. Even once they had thus extracted the encryption code and produced their own software their problems were not over, because communication issues necessitated a much better antenna on the RileyLink Bluetooth bridge boards that translated Bluetooth from a mobile phone to 433 MHz for the device.

This precis doesn’t fully encapsulate the immense amount of work over several years by a large group of people with some very specialist skills that reverse engineering the Omnipod represents. To succeed in this task is an incredible feat, and makes for a fascinating write-up.

Thanks [Alex] for the tip.