TL;DR

A Reddit user who relies on the Insulet OmniPod Dash says the device used to control their insulin pump runs Android with Linux kernel 3.18.19 and that Insulet and the device ODM refused to provide GPL-licensed kernel source. The poster and commenters raised security and compliance concerns, including lack of boot verification and the device running end-of-life software.

What happened

A Reddit poster who identifies as a type 1 diabetic reported examining a spare Insulet OmniPod Dash PDM and finding that it runs Android; uname -r reported Linux kernel 3.18.19. Because the kernel is licensed under GPLv2, the user contacted Insulet and the PDM's original manufacturer, Nuu (the device is reported as a rebranded Nuu A1+), seeking the corresponding kernel source. According to the post, multiple requests over about two years produced either no reply or refusals. The poster also said the PDM runs an old Android version, lacks Android Verified Boot or partition verification, and can be reflashed using tools such as mtkclient over USB.

In discussion threads, commenters, including a person who says they previously worked at Insulet, corroborated that the PDM was developed with third-party ODMs and suggested Insulet made kernel/bootloader modifications during a hardware revision around 2022. The original poster called for wider awareness and enforcement of GPL obligations and highlighted patient safety and security worries.

Why it matters

  • GPL compliance affects users' legal right to access and inspect source code for GPL-licensed software embedded in devices.
  • Running an end-of-life kernel and Android release can leave devices without security patches, increasing potential attack surface.
  • Medical controller security flaws could have direct implications for patient safety if devices are compromised or misconfigured.
  • Lack of boot verification or easy reflashability can enable unauthorized firmware changes, raising integrity and safety concerns.
  • Regulatory oversight (commenters referenced FDA audits) intersects with software maintenance and supply-chain decisions for medical devices.

Key facts

  • The Reddit poster said they use the Insulet OmniPod Dash PDM and inspected a spare unit.
  • The PDM reportedly runs Android on Linux kernel version 3.18.19, as shown by uname -r.
  • The poster says they contacted Insulet and Nuu to request the GPL-licensed kernel source but received no useful responses and were ultimately refused by Nuu.
  • The poster describes the device hardware as a rebranded Nuu A1+ phone.
  • The poster asserted the PDM lacks Android Verified Boot or other partition verification mechanisms.
  • According to the poster, the PDM can be reflashed via MicroUSB using tools such as mtkclient.
  • The poster said the kernel and Android versions are end-of-life (kernel 3.18 and Android Marshmallow) and therefore lack recent security patches.
  • A commenter claiming to be a former Insulet employee said the PDM work involved third-party OEMs (Blu, Nuu) and that Insulet made bootloader/kernel changes during development.
  • Commenters referenced management decisions and cost pressures and noted that Insulet is subject to FDA audits; these comments are from the discussion and not official statements.
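
Added example (not from the Reddit post, Insulet or Nuu): a shell audit that flags the conditions listed above from captured uname -r and getprop output. The property names are standard Android ones; the sample input is constructed, and the end-of-life entries hold only what the post names (kernel 3.18, Android Marshmallow, i.e. 6.x).

```shell
#!/bin/sh
# Added example: flag an end-of-life kernel, an end-of-life Android release
# and a missing or failed verified-boot state from captured device output.

# Kernel series treated as end-of-life. 3.18 comes from the post; extend as needed.
EOL_KERNEL_SERIES="3.18"

# kernel_series "3.18.19" -> "3.18"
kernel_series() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# getprop_value DUMP KEY: value of KEY in "[key]: [value]" getprop output
getprop_value() {
    printf '%s\n' "$1" | awk -v k="[$2]" -F': ' '
        $1 == k { v = $2; sub(/^\[/, "", v); sub(/\]$/, "", v); print v; exit }'
}

# audit_device UNAME_R GETPROP_DUMP: print one finding per line
audit_device() {
    series=$(kernel_series "$1")
    for eol in $EOL_KERNEL_SERIES; do
        if [ "$series" = "$eol" ]; then echo "EOL_KERNEL $1"; fi
    done
    state=$(getprop_value "$2" ro.boot.verifiedbootstate)
    case "$state" in
        green) ;;                                  # locked, verified chain
        "")    echo "NO_VERIFIED_BOOT_STATE" ;;    # property absent
        *)     echo "BOOT_NOT_VERIFIED $state" ;;  # yellow, orange or red
    esac
    release=$(getprop_value "$2" ro.build.version.release)
    case "${release%%.*}" in
        6) echo "EOL_ANDROID $release" ;;          # Marshmallow is 6.x
    esac
    return 0
}

# Constructed sample input (not captured from a real PDM).
SAMPLE_UNAME="3.18.19"
SAMPLE_PROPS='[ro.build.version.release]: [6.0]
[ro.product.model]: [example-device]'

audit_device "$SAMPLE_UNAME" "$SAMPLE_PROPS"
```

An empty result means none of the three conditions was found; it says nothing about vendor patches backported into the kernel.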

What to watch next

  • Whether Insulet or Nuu will publish the requested GPL kernel source code (not confirmed in the source).
  • Any formal response or investigation from regulators such as the FDA addressing software maintenance or device security (not confirmed in the source).
  • Independent security research or proof-of-concept demonstrations that validate exploitability of the PDM under the conditions described (not confirmed in the source).

Quick glossary

  • Linux kernel: The core component of the Linux operating system that manages hardware, processes, memory and drivers.
  • GPLv2: The GNU General Public License version 2, a copyleft license that requires distributors of GPL-covered binaries to provide corresponding source code.
  • Android Verified Boot (AVB): A mechanism to cryptographically verify boot and system partitions to ensure the integrity of firmware and prevent unauthorized code from running.
  • Bootloader: A low-level program that initializes hardware and loads the operating system kernel at device startup; modifications can affect what software can run.
  • mtkclient: A community-developed tool often used to communicate with and flash MediaTek-based devices over USB.

Reader FAQ

Is the PDM actually running Linux kernel 3.18.19?
The Reddit poster reported seeing that kernel version via uname -r on a spare PDM.

Did Insulet or Nuu provide the GPL kernel source when asked?
The poster says they repeatedly requested the source and either received no reply or were refused; independent confirmation is not provided in the source.

Does the device lack boot verification and allow reflashing?
The poster asserted there is no Android Verified Boot or partition verification and that the unit can be reflashed with tools like mtkclient; this claim comes from the Reddit thread.

Has any regulator or company official publicly addressed this?
Not confirmed in the source.
