Tech Talk

By Chenda Ngak / CBS News / August 5, 2011, 10:14 AM

Black hat hacker can remotely attack insulin pumps and kill people

(CBS/AP) - As if we didn't already have enough to be neurotic about, a man at the Black Hat Technical Security Conference gave a presentation detailing how he could take control of insulin pumps from miles away and kill his victims.

Take a minute to panic. Now keep reading.

Jerome Radcliffe is a diabetic. The nefarious hack he presented at the conference Thursday was a response to his condition. "I have two devices attached to me at all times; an insulin pump and a continuous glucose monitor," said Radcliffe. He said that the devices turned him into a supervisory control and data acquisition (SCADA) system.

Out of fear for his own safety he wanted to see if he could hack into these wireless medical devices. As a senior threat intelligence analyst for a major computer security organization, it only made sense that he would test his own defense against hackers.

His presentation, "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System," details his journey to reverse engineer the life-saving and potentially life-threatening devices.

Although there's no evidence that anyone has used Radcliffe's techniques, his findings raise fears about the safety of medical devices as they're brought into the Internet age. Serious attacks have already been demonstrated against pacemakers and defibrillators.

Radcliffe wears an insulin pump that can be used with a special remote control to administer insulin. He found that the pump can be reprogrammed to respond to a stranger's remote. All he needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.

Radcliffe, who is 33 and lives in Meridian, Idaho, tested only one brand of insulin pump - his own - but said others could be vulnerable as well.

Although an attacker would need to be within a couple hundred feet of the patient to pull this off, a stranger wandering a hospital or sitting behind a target on an airplane would be close enough.

Radcliffe also found that it was possible to tamper with a second device he wears. He said he could intercept signals sent wirelessly from a sensor to a machine that displays blood-sugar levels. By broadcasting a signal that is stronger than the real-time, authentic readings, the monitor would be tricked into displaying old information over and over. As a result, a patient who didn't notice wouldn't adjust insulin dosage properly.

With a powerful enough antenna, Radcliffe said, an attacker could be up to a half a mile away. This attack worked on two different blood-sugar monitors.

"The threat hasn't manifested yet, so what they and we are trying to do is see what the risk could be in the future," said Yoshi Kohno, a University of Washington professor who wasn't a part of Radcliffe's research.

Radcliffe said the point of his research is not to alarm people. He said the issues he's discovered are important to address publicly as the medical industry moves aggressively toward more networked devices.

"It would only take one person to do this to kill someone and then you have a catastrophe," he said.

© 2011 CBS Interactive Inc. All Rights Reserved.
bennetdunlap says:
I am the parent of two type 1 diabetic teens, a diabetes blogger and advocate. I worry that the current news stories about pump hacking are a distraction for more immediately life threatening diabetes health issues. This hack required knowing the pump serial number.

There have been no reported cases of insulin pump hacking having an impact on patients' health. Sadly the past year has seen a number of adolescent diabetics passing away from severe low blood sugars.

Currently insulin pumps that can work with glucose sensors are available in parts of the European Union and many other countries around the world. These devices are designed and made by a US firm. Yet the FDA does not even have guidelines for the consideration of their approval here. In fact the FDA is only in the stage of soliciting comments on proposed guidelines.

While the hacking story has a certain movie-like plot appeal, the far more significant issue is there are a number of devices designed and made in the US to better manage type 1 diabetes awaiting FDA action. Hacking makes for great headlines, hopefully this publication will devote the same attention to the loss of young lives that may have been prevented by a more proactive FDA.

For more views see the twitter tag #pumphack
RogerInHawaii says:
The proper thing for this fellow to have done would be for him to have quietly informed the manufacturers of the problem and have them make corrections to the devices so that they are no longer subject to this kind of misuse. Instead, he alerts the entire world to it so that now there will be people who will actually try to do this. What an absolute idiot!
John782011 says:
PS at the cost per unit these things cost, the added security will be well below any threshold that increases the cost, except for maybe the FDA's cost to review the new software safeguards.
John782011 says:
As a wearer of one of the devices, I can appreciate the issues he is bringing up. The devices are critical and therefore the manufacturers need to start considering active "defenses" against relatively easy targets. (Even though I think someone actively spoofing the devices is almost non-existent)
botomLine says:
All this hi tech stuff is amazing and wonderful, depending on which side of the fence you're on. But the high reliance on these ingenious tech devices bothers me - think of the consequences if there were such an event as a space tsunami, man made or otherwise, which blew all those satellites out of position. Mad men do exist.
pwgrant replies:
Dude. A space tsunami?! Take a break from Star Trek movies (I am a Trekkie).
erasmus111 says:
"The threat hasn't manifested yet..."


No, but I'm sure it will now.
dantedressage says:
Something unknown - is now very well known - thank you cbsnews.com.
Bouillabaisse replies:
Time to stick your head back in the sand.
karek40 says:
I think most of the dead wood in Washington D.C. and we have continue to elect them. There should be a requirement that no individual can run for political office until he has held a job for at least 10 years. The problem with this is most are not qualified for a job, they are lawyers. The McCain' and Obama's of this world are ruining our country.
hephu211 replies:
Do not leave out the bushie's, rumsfeld's, cheney's, kissinger's and reaguns of this world. They have left a legend of doom to our reputation, economy, and quality of life.
bobnjersey replies:
[The problem with this is most are not qualified for a job, they are lawyers. The McCain' and Obama's of this world are ruining our country.]
-------------------------------------------
so ... those who don't have a 'job' as you define it are incapable of leading ... and are therefore ruinous to everything they are part of?

to take your simple world view to the extreme ... a truck driver who has worked for ten years would be more suited to a leadership position than a graduate from a high level graduate school?
document7 says:
Hoo-boy, this person lives among us!