A memory storage flaw within an insulin pump skewed the amount of insulin one security researcher received so badly that it almost killed him.
Jay Radcliffe, a senior security analyst at InGuardians and Type 1 diabetic, revealed at Black Hat 2013 that the device critical to managing his blood glucose levels had malfunctioned when he replaced its battery in March.
He found the device would wipe important data stored in it after the battery change, leading him to mistakenly infuse himself with eight units of extra insulin to correct his glucose levels.
Unstable diabetics who received such a dose could be sent into a hypoglycemic state which, without proper attention, could result in death.
Radcliffe, who has brought to light insulin pump vulnerabilities before, ran into difficulties when pursuing manufacturer Animas to rectify the problem.
In June, the US Food and Drug Administration warned users about the growing risk of security issues in medical devices remaining unaddressed by manufacturers.
Radcliffe demonstrated at Black Hat 2011 how an attacker could remotely change his insulin pump to levels that could kill him via social engineering or by running a simple computer scan.
He said in past years he had run into many critics who accused him of exaggerating the hacking threat to diabetics when conveying his findings.
He defended his disclosures, saying that even if the chance of hackers taking advantage of security concerns in devices was low, that didn't mean the threat was insignificant.
In fact, he said, his research has revealed quite the opposite.
“I've had a lot of people talk about the idea of sensationalising the issue of medical device risks,” Radcliffe said, later adding that “just because the risk is low, doesn't mean it can't happen” or that researchers or users should ignore it.
Researchers have continued to examine the threat presented by medical devices, including Barnaby Jack, who died recently, just days prior to his scheduled Black Hat presentation on a major security vulnerability in wireless pacemakers and defibrillators.
In 2011, at the Hacker Halted show in Miami, Jack demonstrated how implantable insulin pumps made by vendor Medtronic could be compromised to deliver a fatal dose of the hormone to diabetics.