
Would you trust your life on a computer not being able to count from one to ten billion? From one to ten million? From one to a thousand?

Computers can, in fact, trivially do all of these things. Counting to large numbers quickly is what they do best. Accordingly, if "Guess my large number" is sufficient to remote control the machine, then that's a pretty critical finding.

And there is no work that the attacker can do which will make his life more difficult. Trivial inspection of any machine establishes the upper bound of how hard it will be to compromise. Any attack he can use to reduce entropy only makes that number shrink, potentially radically. We would worry if you could shrink a 2048-bit key even by a bit, because it suggests a hidden systemic weakness. The second serial number examined is likely to shrink the keyspace - which will not be 2048 bits to begin with - by tens of bits.

There are classes of attackers for whom killing a single named individual is not a goal. "Oh drats, we were only able to kill fifteen people chosen at random from this hospital, Superdome, or session of Congress" would not be a failure condition for them or a victory condition for the public.




To be perfectly clear: a quick Google confirms (at least one type of) insulin pump has 8 digit serial numbers. It also appears the first digit is 1 or 0.

Serial numbers usually have a check digit, so it is likely we are down to only 6 digits.

That's easily brute-forceable.


Strictly speaking, isn't "guess my large number" sufficient to break most encryption protocols that don't rely on security by obscurity? It's just that the numbers are normally larger by dozens of orders of magnitude.


Yes, but you are ignoring the time factor. Assume I'm going to die of natural causes in 60 years. If it takes a minute to guess a 6 digit number, that is really bad. If it takes 1000 years to guess a number that is larger by dozens of orders of magnitude, odds are pretty good I'm going to die of natural causes before the attacker guesses the right number.



