Death's Messengers

A hacking-based performative artwork created to raise awareness about the poor security regulation of personal health technologies.

Death's Messengers calls into question the current state of IT security systems within the medical industry as a provocative piece that confronts audiences, with the very real ramifications of such insufficient IT security, as it forces them to reflect on where we as a society place our priorities as new medical technologies continue to emerge and integrate themselves into our everyday lives.

Today, diabetes is one of the leading causes of death around the globe. For individuals living with Type 1 diabetes, it is vital that they receive insulin, injected into their bodies, on a regular basis in order to survive. Omnipod is a highly recommended, highly trusted, single-use product, designed to help with this process, by regulating a person's insulin intake over the course of 3 days. It is used by over 150,000 people, the number one prescribed insulin management system for children, and has been called the best Insulin Pump of 2020 on a budget.

The insulin pump is a personal medical device that is a closed system which up until this point in time, was thought to be completely secure from external influence. However, this fallacy has been shattered with the identification and exploitation of various vulnerabilities found within the Omnipod insulin pump’s systems by Alexander Krog and Jens Hegner Stærmose of Lyrebirds.

Death’s Messengers is a performative artwork based of this real life hack of the Ominpod insulin pump, whereby through the performance, audiences are able to experience, first hand, as the insulin pump is hacked and taken over. An error within a hypocritical system designed to help save lives, that suddenly places one person's life unknowingly in the hands of a hidden stranger.

Through the work, audiences experience both the fear that hacks like these bring to people who have relied upon these insulin pumps, that at any moment they could be killed; along with a different perspective of the role of hackers in our society, hacking flawed systems such as these in order to raise awareness, and warn people of their dangers, as a form of Death’s Messengers in their own right.

The mere fact that these highly trusted insulin pumps can be remotely hacked and controlled, is a rude awakening to the imbalance of regulation between our technological innovations. The work makes tangible the implications of failures in the IT security of medical corporations and the lives they put in jeopardy, calling into question the safety of the medical technologies that we entrust our lives with on a daily basis, and the standards to which they are produced.

The tech development of the art performance is done by Alexander Krog and Jens Hegner Stærmose (Lyrebirds), who also did the real hack of the Omnipod insulin pump.

Art-Tech Performance:
Death’s Messengers

Artist:
Cecilie Waagner Falkenstrøm

Omnipod insulin pump hack:
Alexander Krog and Jens Hegner Stærmose (Lyrebirds)

Paper about the Insulet OmniPod insulin pump vulnerability exploit:
Whitepaper: https://omnipod.lyrebirds.dk/

ARTificial Mind:
Cecilie Waagner Falkenstrøm, Artist
Jens Hegner Strærmose, Software Engineer
Alexander Krog, Software Engineer
Cody Lukas, Assistant Artist
Asbjørn Olling, Software Engineer

Year:
2021

Performances:
Death’s messengers, Digital Tech Summit, Technical University Denmark, 30. November 2021

Commissioned by:
Technical University of Denmark

Grants:

OmniPod Insulin Pump Exploit

Name: Insulet OmniPod Insulin Management System vulnerability
Whitepaper: https://omnipod.lyrebirds.dk/

Abbreviated Summary:
The Insulet OmniPod Insulin Management System, also commonly known as OmniPod Eros, suffers from a protocol design vulnerability. During normal use of the insulin pump, a potential attacker can utilize replay-like techniques to obtain a nonce-word. With this, it is possible to send several Programming Commands of their choice to the OmniPod, and as such inject vital doses of insulin, which can result in death.

After obtaining control over the insulin pump, the attacker can send any of these commands without the consent of the user and without any alerts displaying on the user’s devices:

- Immediately inject insulin in doses that might cause death
- Schedule insulin injections for later injection
- Cancel insulin injections
- Reconfigure and (silently) confirm alerts
- Kill the pump completely