Security analyst Jerome Radcliffe had good reason to research the vulnerability of insulin pumps and similar medical devices to remote attack — he's a diabetic. What he found out is pretty scary.
It sounds more like a sensational storyline from the CSI franchise, but one presenter at Black Hat 2011 has demonstrated that it is quite possible for a remote attacker to access insulin pumps — with potentially lethal results.
Security analyst Jerome Radcliffe has plenty enough incentive to pen-test these systems — he's a diabetic himself. As reported by CBS News:
The nefarious hack he presented at the conference Thursday was a response to his condition. "I have two devices attached to me at all times; an insulin pump and a continuous glucose monitor," said Radcliffe. He said that the devices turned him into a supervisory control and data acquisition (SCADA) system. Out of fear for his own safety he wanted to see if he could hack into these wireless medical devices.
Radcliffe's research was presented in "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System." He tested the insulin pump he himself uses, but says that other pumps could be just as vulnerable:
He found that the pump can be reprogrammed to respond to a stranger's remote. All he needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.
There's no evidence that anyone has attempted such an exploit, but knowing it could be done is troubling enough.
More from Black Hat 2011
- Has Microsoft gotten better at security or just less relevant?
- Black Hat 2011 update: Macs in the crosshairs, Kaminsky on BitCoin
- Attention, world, you've been pwned! McAfee details global cyber-espionage campaign