Black Hat demo shows vulnerability of insulin pumps to remote attack

Security analyst Jerome Radcliffe had good reason to research the vulnerability of insulin pumps and similar medical devices to remote attack -- he's a diabetic. What he found out is pretty scary.

It sounds more like a sensational storyline from the CSI franchise, but one presenter at Black Hat 2011 has demonstrated that it is quite possible for a remote attacker to access insulin pumps -- with potentially lethal results.

Security analyst Jerome Radcliffe has more than enough incentive to pen-test these systems -- he's a diabetic himself. As reported by CBS News:

The nefarious hack he presented at the conference Thursday was a response to his condition. "I have two devices attached to me at all times; an insulin pump and a continuous glucose monitor," said Radcliffe. He said that the devices turned him into a supervisory control and data acquisition (SCADA) system. Out of fear for his own safety he wanted to see if he could hack into these wireless medical devices.

Radcliffe's research was presented in "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System." He tested the insulin pump he himself uses, but says that other pumps could be just as vulnerable:

He found that the pump can be reprogrammed to respond to a stranger's remote. All he needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.

There's no evidence that anyone has attempted such an exploit, but knowing it could be done is troubling enough.
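To make the failure mode in the CBS account concrete, here is an added toy model that is not the pump's real protocol and not Radcliffe's code: a controller that executes any well-formed frame from any sender, beside one that requires a keyed MAC under a pairing key plus a strictly increasing counter, so a frame captured in transit is rejected when it is replayed. The framing, opcode and keys are all constructed for this example.

```python
# Constructed model of the weakness described above (not the real pump protocol):
# a pump that executes any well-formed frame from any sender, beside one that
# checks a keyed MAC and a strictly increasing counter before acting.
import hashlib
import hmac
import struct

OP_BOLUS = 0x02  # constructed opcode: deliver arg/100 units as a bolus

def legacy_frame(opcode: int, arg: int) -> bytes:
    """Unauthenticated framing: 1-byte opcode, 2-byte argument."""
    return struct.pack(">BH", opcode, arg)

class LegacyPump:
    """Accepts every well-formed frame, so a captured frame can be replayed."""
    def __init__(self):
        self.log = []
    def receive(self, frame: bytes) -> bool:
        if len(frame) != 3:
            return False
        self.log.append(struct.unpack(">BH", frame))
        return True

class PairedRemote:
    """Remote sharing a pairing key; every frame carries a fresh counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def send(self, opcode: int, arg: int) -> bytes:
        self.counter += 1
        body = struct.pack(">BHI", opcode, arg, self.counter)  # 7 bytes
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class AuthenticatedPump:
    """Accepts a frame only if the MAC verifies under the pairing key and the
    counter exceeds the last accepted one, rejecting strangers and replays."""
    def __init__(self, key: bytes):
        self.key, self.last_counter, self.log = key, 0, []
    def receive(self, frame: bytes) -> bool:
        if len(frame) != 7 + 32:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # unknown sender or tampered frame
        opcode, arg, counter = struct.unpack(">BHI", body)
        if counter <= self.last_counter:
            return False  # replay of a captured frame
        self.last_counter = counter
        self.log.append((opcode, arg))
        return True
```

A real device would also need a pairing step that distributes the key and a way to resynchronise the counter, which this model leaves out.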

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

19 comments
thegeekdiddy

Wonder if they will just attach some poor excuse for a firewall for protection or do it right and root the devices themselves?? Warfare has truly come to the cyberfront.

Manitobamike

Make sure you don't earn or have enough money that someone would find profitability in hacking your medical device. Contact your lawyer right away and start a class action suit against the medical device manufacturer for making it vulnerable. No wait, then you might have money worth extorting. Better still, contact the insurance companies and tell them they will have to pay out if someone dies; they have the money and will to force the device manufacturers to fix the loophole. No wait, they will just put a no-pay-for-hacker clause in the policy. I guess there are no solutions unless we can change the human factor. As long as humans are basically greedy (and we all are to some degree) we will see the grass greener on the other side and will try to get there by whatever means possible. In the case of hackers that means at the expense of someone else; they see it easier to steal a buck than earn it. Perhaps the buck is the fundamental problem.

thatusernameistaken

Consideration of risk in the device design notwithstanding, someone could also bash him with a rock. You can get those anywhere.

boxfiddler

Yet another layer of dependency.

HAL 9000

Just think what would happen in an ICU or CCU ward because these devices are not significantly hardened. Great to see proof finally that the medical suppliers are completely failing to follow the laws here about the equipment that they supply. :^0 Col

jaskevold

Why would you post such an article? Now for sure all the unconscionable computer hackers will have a try at it??? The first time it happens we can point a finger at you.

ScienceMikey

I was just reading about Apple laptop batteries -- they contain smart chips that can be reprogrammed to overcharge and catch fire, or serve as a reservoir for a virus. Apparently, the example code for this contains a default password that was never changed in the actual implementation. Something similar could be done with optical drives, for example -- imagine a DVD drive that would automatically install a rootkit when accessed a certain way.

GMonTechRep

Looks like there could be a vast market for 'watchdog' chips in the so-called Internet of Things. I don't know if it's possible to embed a firewall in a pacemaker, but on less power-savvy medical electronics it should be feasible. Electromedical safety standards should include penetration tests.

Sheldont

Being a person using a pump and CMD myself, it is an unsettling thought that someone would be stupid enough to hack it.

jayohem

It's really scary not only that this can happen but that somebody reading this column might think it's an interesting challenge.

dstaehr

Pacemakers already have wireless features, so they can be hacked as well. If it has a computer chip, someone out there is trying to find or has found a way to get in!!

JCitizen

that can control people now too. I know one of the developers. They are worried that these things could surreptitiously be implanted on persons of interest during routine surgery for anything else. This apparently started as a D.A.R.P.A. project. Adjust your tin foil hat on that one. I'm not worried about anything like that as much as all the other devices, like my hybrid automobile that they could fully hack and probably do! Jimmy the traction controls and/or the brake regeneration commands, and I could be dead meat!

tdrane

If they've tested things like morphine pumps or spinal cord stimulators.

Superar1960

Has someone pumped him for information yet? :0)

jck

of corporate America figuring out how to charge the maximum for their product with the least expenditure in R&D. I know! We can use signals to upgrade the firmware! I wonder if anyone brought up in a meeting that transmitters are not restricted technology. This is why I pray I don't ever need an implant :(

fadista13

Well, jaskevold, do not be like the ostrich that buries its head in the sand. Ignorance cannot protect you.

wizardjimmy

Unfortunately these hacks can be used for extortion.... For example, if I'm a hacker and I want to make a quick buck out of it, I can take control of the pump (or pacemaker) and tell you to pay me this amount or you'll be a dead man... As proof I make your device go irregular for a while.... Now that's not so bad... Imagine if there is a potential remote IT assassin, paid for political or business rivalry....