Medical Device Penetration Testing for Diabetes & CGM
Penetration testing for CGMs, insulin pumps, and AID systems. BLE pairing, dose-command integrity, mobile-app trust, and cloud follow-up tested end-to-end.
Last reviewed March 2026 · Reviewed against the FDA Feb 3, 2026 final premarket cybersecurity guidance.
Diabetes devices - CGMs, insulin pumps, automated insulin delivery (AID) systems, smart pens - are the highest-volume connected medical devices in the world, and uniquely combine consumer-grade BLE pairing with a dose-delivery actuator. A spoofed glucose value or a forged bolus command is a direct patient-harm event. Our pen testing for this segment focuses on three loops: sensor-to-mobile, mobile-to-pump (in AID systems), and device-to-cloud follow-up.
On BLE we test pairing mode (Just Works vs. passkey vs. OOB), session-key derivation, MAC randomization actually being enforced, and whether the device trusts a previously-bonded peer too aggressively. We test the dose-command channel for replay (can we re-send last bolus?), reorder, and out-of-range bolus rejection at the device - not just at the app. We deliberately compromise the mobile app (rooted/jailbroken, instrumented) to verify the device does not collapse to trusting whatever the app says; this is where AID systems most often fail. Finally, we evaluate the cloud follow-up stack: Tidepool-style data sharing, caregiver follow-mode, and any clinician portal - looking for IDOR, cross-tenant data leak, and weak account recovery flows that have been the published incident pattern in this space. Our reports are written so your dose-safety reviewer can accept them as risk-control evidence under ISO 14971 and IEC 62304 Class C software.
Layers we exercise in this engagement
The diabetes / cgm system, from the outermost cloud and clinician surfaces down to the device itself. Highlighted layers are exercised by this medical device penetration testing.
- 01Clinician dashboard
- 02Cloud APIs Tested
- 03Mobile companion app Tested
- 04BLE pairing Tested
- 05Sensor / transmitter Tested
- 06Insulin pump (closed-loop) Tested
Layers shown outermost (top) to innermost (bottom). Dashed rows are part of the surrounding system but out of scope for this view.
Medical Device Penetration Testing engagement, end to end
Four phases, fixed fee, scoped to diabetes / cgm architecture from kickoff onward.
-
01
Scope + kickoff
Architecture review, attack-surface walkthrough, and threat-model alignment with your team. Written scope in 24 hours.
-
02
Threat-model alignment
Every STRIDE entry in your threat model is matched to a planned test case so reviewers see one-to-one coverage.
-
03
Test execution
Device, cloud, mobile, BLE/RF, and OTA channels exercised in parallel by senior engineers - not a single web-app scan.
-
04
Reviewer-ready report + retest
eSTAR-format report with findings, CVSS, remediation, and unlimited retests until every finding is closed.
What we see in Diabetes / CGM medical device penetration testing
The patterns we hit in this segment, this service, again and again.
-
Bonded-peer trust extends past device pairing UX
Pump remains bonded to a previously paired phone after the user 'forgets' the device on the app side. A second app instance with the bond key can still issue commands.
-
Bolus command replay accepted within session window
Pump rejects replayed packets across sessions but not within a single connection. Captured-and-resent bolus during the same connection succeeds - full delivery.
-
Mobile app is the only enforcer of max-bolus
Maximum-bolus and stacked-bolus rules computed in app, sent as 'approved' to pump. Instrumented app bypasses checks; pump delivers without re-validation.
-
CGM sensor authentication tied to predictable serial
Companion-app session bound to sensor serial with weak entropy. Sniffed serial allows a second app to subscribe to the same sensor stream without re-pairing.
-
Caregiver follow-mode exposes glucose history cross-account
/follow/{userId}/history endpoint returns full CGM history when called by an authenticated caregiver who was never granted that user. Classic IDOR.
Public diabetes / cgm cybersecurity history
Recalls, CISA ICS-MA advisories, and disclosed research that shape what reviewers ask about in this segment - and what our scope is built to cover.
-
CISA + FDA·2019
Medtronic MiniMed insulin pump remote-control vulnerability
Wireless communication design allowed a nearby attacker to alter pump settings or insulin delivery. Drove an FDA recall and industry attention on pump-CGM radio security.
Advisory -
Independent research·2020-2022
Dexcom G6 mobile-app and cloud-share research disclosures
Multiple coordinated disclosures around mobile companion behavior, share-app authorization, and cloud-side rate limiting. Pattern reinforces that the phone + cloud + sensor must be tested as a system.
"Blue Goat Cyber helped us navigate our first end-to-end cybersecurity testing for our wearable medical device. Their communication was excellent, their timeline exceeded expectations, and their report helped us achieve FDA clearance without any additional questions. It was a truly seamless experience."
Standard Medical Device Penetration Testing deliverables
The same deliverables the parent Medical Device Penetration Testing service ships with - tuned to your diabetes / cgm architecture.
- Device, firmware, and embedded testing - hardware teardown, JTAG/UART/SPI bus access, firmware extraction and reverse engineering, and exploitation of the secure boot, debug, and update paths. Done by operators who have tested infusion pumps, monitors, surgical robots, and implantables.
- Companion app and cloud API coverage - iOS/Android binary analysis, BLE pairing/GATT attacks, REST/MQTT/gRPC fuzzing, authentication and authorization testing, and tenant-isolation checks. We test the device as patients and clinicians actually use it, not in isolation.
- FDA-ready penetration test reports - executive summary, methodology, CVSS-scored findings tied to your threat model, reproduction steps, and a Letter of Attestation formatted to the FDA's 2026 premarket guidance. Reviewer-ready, not a generic IT security PDF.
- Remediation guidance and re-test included - written fix recommendations per finding, engineer-to-engineer support during remediation, and unlimited re-tests of fixed issues inside the fixed fee. You leave with a clean report, not a list of open items.
What lands in your eSTAR submission
Reviewer-format documents ready to drop straight into the cybersecurity attachments of your submission - no reformatting on your side.
- Device, firmware, and embedded testing - hardware teardown, JTAG/UART/SPI bus access, firmware extraction and reverse engineering, and exploitation of the secure boot, debug, and update paths. Done by operators who have tested infusion pumps, monitors, surgical robots, and implantables.
- Companion app and cloud API coverage - iOS/Android binary analysis, BLE pairing/GATT attacks, REST/MQTT/gRPC fuzzing, authentication and authorization testing, and tenant-isolation checks. We test the device as patients and clinicians actually use it, not in isolation.
- FDA-ready penetration test reports - executive summary, methodology, CVSS-scored findings tied to your threat model, reproduction steps, and a Letter of Attestation formatted to the FDA's 2026 premarket guidance. Reviewer-ready, not a generic IT security PDF.
- Remediation guidance and re-test included - written fix recommendations per finding, engineer-to-engineer support during remediation, and unlimited re-tests of fixed issues inside the fixed fee. You leave with a clean report, not a list of open items.
Standards that apply
The Diabetes / CGM baseline, plus the call-outs that matter for medical device penetration testing in this segment.
Segment-specific call-outs
IEC 62304 Class C + ISO 14971 dose-safety risk controls
Every cyber finding that touches the dose pathway is a Class C software risk control. The pen test evidence must be cross-referenced from the risk file, not just attached.
Bluetooth SIG Medical Device Profile / GATT pairing
Reviewers will ask which pairing method is used and why. We document the choice and its threat-model justification, not just the test result.
What's not in scope
We scope tightly on purpose. These items are either out-of-scope by design or belong in a separate engagement - we'll tell you up front, not after kickoff.
- Hospital enterprise IT network penetration testing
- Clinical efficacy or human-factors validation
- Physical security of manufacturing sites
- Source-code review (unless explicitly added as a separate engagement)
Medical Device Penetration Testing for Diabetes / CGM - FAQs
The questions buyers in this segment actually ask before scoping a medical device penetration testing engagement.
Go deeper on Diabetes / CGM and premarket
A practical, ungated buyer's guide for medical device manufacturers evaluating cybersecurity partners, what goes wrong, why it costs you, and what to demand from your next engagement. Aligned to the FDA February 2026 premarket guidance.
The most common high- and critical-severity findings we surface in medical device penetration tests, what each one looks like in the field, and how to fix it before your FDA submission.
A practical, ungated guide to the threat modeling gaps that trigger FDA cybersecurity questions in 510(k), De Novo, and PMA submissions - and exactly how to close them before reviewers find them.
What happens if you fail an FDA cybersecurity inspection: the 483-to-consent-decree enforcement ladder and the commercial fallout for device makers.
FDA Section 524B applies to any new premarket submission for a cyber device, including legacy platforms. What attaches, what postmarket rules cover the rest.
SPDF vs SSDLC for medical devices. Why the FDA's Secure Product Development Framework demands more than a standard Secure SDLC, and what to add.
Other engagements for Diabetes / CGM
Teams in this segment commonly bundle these alongside medical device penetration testing.
Keep going
Scope a Medical Device Penetration Testing engagement for your diabetes / cgm program.
A 30-minute call with a senior engineer who has done this in diabetes / cgm before - not a sales rep.