Insulin pumps can be hacked

By on
Insulin pumps can be hacked

Like "getting root on the body".

A Type 1 diabetic said Thursday that hackers can remotely change his insulin pump to levels that could kill him.

Jay Radcliffe, a security researcher, demonstrated to the crowd at the Black Hat conference in Las Vegas how he is able to send commands to and wirelessly disable (within about 150 feet) the insulin pump he has been wearing since he was 22, when he was diagnosed with the autoimmune disease after dealing with extreme weight loss and an unquenchable thirst.

Radcliffe, now 33, explained that all he requires to perpetrate the hack is the target pump's serial number. Then using hardware and a program he wrote to talk to the device, he can issue instructions. These commands can order the device to turn off, but more dangerously, they can significantly raise or lower the levels of insulin Radcliffe's body absorbs at any given moment.

"It's basically like having root on the device, which is like having root on the chemistry of your body," said Radcliffe, who wears his US$6000 pump around the clock to maintain normal blood sugar levels.

Radcliffe did not name the affected vendor because the threat requires a complete overhaul of the product and would result in panicked customers.

"I don't think it's relevant to the purpose of my talk," he said at a press conference afterward. "If I name the vendor, then any bad guy or evil hacker...can start exploit code on it right away."

Radcliffe said he isn't sure how many other vendors make insulin pumps that suffer from similar vulnerabilities. To remedy the problem, he suggested manufacturers implement a verification process, in which users have to approve changes to their devices.

In addition, the pumps should contain a password-protected serial number.

The vulnerability is more indicative, he said, of the chronic insecurity of embedded systems.

"Everything has an embedded processor and computer in it," he said. "Every time you hide behind [security by] obscurity, it is going to fail."

Brad Smith, a researcher and Black Hat conference staffer who also is a registered nurse, said the medical field largely looks the other way when it comes to securing patient devices.

"I lecture at all the medical conferences," he said during the press conference. "They just hide it. Pay attention to what [Radcliffe] is saying. His life is in this pump."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

New Windows 10 users, are you upgrading from...
Windows 8
Windows 7
Windows XP
Another operating system
Windows Vista
How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?