By: Clay Wirestone
Here’s the scenario: You’re a famed prosecutor who happens to be on an insulin pump. One of the criminals you put away years ago has been released from prison, and he’s eager for revenge. This is a particularly cunning criminal, so he hatches a subtle plan. He hacks into your insulin pump, giving you a massive dose of insulin without warning. As you drive to work one day, you begin to feel woozy. That’s odd, you think, looking down to where the pump attaches to your stomach. I just ate….
Does the story sound impossible? Too crazy to be true? The work of a thriller writer or garden variety fear-monger?
Hardly. According to security researcher Jerome Radcliffe, it’s disturbingly possible. Radcliffe, who has diabetes himself and uses both an insulin pump and a continuous glucose monitor, wondered if it would be possible to hack the devices. He gave a presentation on his findings, “Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System,” at the annual Black Hat security conference in early August.
“It would only take one person to do this to kill someone, and then you have a catastrophe,” he said in a CBS News piece on the presentation.
Jamming the Signal
Radcliffe’s methods were a bit technical, especially for those of us to whom insulin pumps seem magical to begin with. The source links at the end of this article offer some technical details.
Suffice it to say, Radcliffe managed to disrupt the wireless communications between his pump and its controller. He did the same with his continuous glucose monitor. In doing so, he figured out how to send fake information to the pump and the glucose monitor. This means that someone with ill intent could change a pumper’s insulin dosage. He could also make the CGM show old data so that the person would be none the wiser.
Radcliffe declined to give specific information on his pump’s maker, saying that he wanted to work with the manufacturer to enhance its security. He didn’t disclose every single detail of his hacking, either. According to the tech website VentureBeat, Radcliffe said, “I won’t give out details on how to kill me in the middle of a hacker conference. Lives are at stake here.”
The good news? There’s no evidence that anyone has actually tried to hack into diabetic medical devices this way. At least not yet.
Other Devices at Risk
But other people with medical devices should be concerned too, because insulin pumps aren’t the only such gizmos with security concerns. According to a 2008 presentation, internally implanted pacemakers are also vulnerable to electronic attack. Remember the story at the beginning of this article? Imagine if that federal prosecutor had a pacemaker instead. Everything sounds a bit more plausible, doesn’t it?
This earlier study involved medical professionals. Associate professor Kevin Fu of the University of Massachusetts worked with University of Washington researchers to reverse engineer pacemakers. After two years of work, they invented a $1,000 device that could issue instructions to a pacemaker and drain its battery.
“This is something that academics can do now. We have to do something before the ability to mount attacks becomes easier,” said University of Washington grad student Daniel Halperin, who worked on the project, in VentureBeat.
What’s the solution? If they’re not doing it already, medical device manufacturers should take note of these findings. Just because they produce products that are covered by insurance and available through doctors doesn’t necessarily mean that they’ll be treated any differently by hackers than your average consumer electronics company. One of those companies, Sony, is out nearly $172 million after hackers took down its PlayStation network.
These bands of hackers, sailing under names like Lulz Security and Anonymous, have released names and passwords from thousands of online accounts. They have probed the websites of government agencies. Why? They thought it was funny. They wanted to dramatize the sad state of Internet security.
What’s the evidence that hackers will treat medical device companies – and their customers — any differently?